# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id: Portfile 92862 2012-05-09 07:01:50Z ryandesign@macports.org $

PortSystem          1.0

name                openssh
version             5.9p1
revision            3
categories          net
platforms           darwin
maintainers         jwa openmaintainer
license             BSD
installs_libs       no

description         OpenSSH secure login server

long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

homepage            http://www.openbsd.org/openssh/

checksums           ${distfiles} \
                    rmd160  12d92321a2b9f404641a9cdada738784eb30e1cd \
                    sha256  8d3e8b6b6ff04b525a6dfa6fdeb6a99043ccf6c3310cc32eba84c939b07777d5

master_sites        openbsd:OpenSSH/portable \
                    http://mirror.mcs.anl.gov/openssh/portable/ \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://mirror.mcs.anl.gov/pub/openssh/portable/ \
                    ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
                    ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/

depends_lib         port:openssl \
                    port:zlib \
                    port:kerberos5

depends_run         port:xauth

patchfiles          launchd.patch

# Specified -fno-builtin because GCC 3.3 has log() as a builtin
# (from math.h) while OpenSSH has its own log() function
# -- from fink.
configure.cppflags-append -fno-builtin
configure.args      --with-ssl-dir=${prefix} \
                    --sysconfdir=${prefix}/etc/ssh \
                    --with-privsep-path=${prefix}/var/empty \
                    --with-md5-passwords \
                    --with-pid-dir=${prefix}/var/run \
                    --with-tcp-wrappers \
                    --with-pam \
                    --disable-suid-ssh \
                    --with-random=/dev/urandom \
                    --mandir=${prefix}/share/man \
                    --with-zlib=${prefix} \
                    --with-kerberos5=${prefix} \
                    --with-xauth=${prefix}/bin/xauth \
                    --with-libedit

use_parallel_build  yes

destroot.target     install-nokeys

post-destroot {
    destroot.keepdirs ${destroot}${prefix}/var/run ${destroot}${prefix}/var/empty
    reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config
    xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
    xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
}

variant no_x11 description "do not include xauth" {
    configure.args-delete   --with-xauth=${prefix}/bin/xauth
    depends_run-delete      port:xauth
}

# For high-performance patch
# re-enable when patch for current version is available
variant hpn description "apply high performance patch" {
    patch_sites-append      http://www.psc.edu/networking/projects/hpn-ssh/:hpn
    patchfiles-append       ${distname}-hpn13v12.diff.gz:hpn
    checksums-append        ${distname}-hpn13v12.diff.gz \
                            rmd160  7ca2c431904b184072302cb3e9ab055ffb0f4024 \
                            sha256  74499c3487a53eaaeaad79d89d8260c23f9a416173d7c256d1f3131677213040 \

    patch.pre_args
    post-patch {
        reinplace "s|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|" ${worksrcpath}/version.h
    }
}

variant gss_api_trust_dns description "Enable GSSAPITrustDNS SSH configuration keyword" {
    patchfiles-append       GSSAPITrustDNS.patch
}

variant gsskex description "Add OpenSSH GSSAPI key exchange patch" {
    set extra_cppflags [concat \
                            "-F/System/Library/Frameworks/OpenDirectory.framework" \
                            "-F/System/Library/Frameworks/CoreFoundation.framework" \
                            "-D_UTMPX_COMPAT -D__APPLE_LAUNCHD__ -D__APPLE_MEMBERSHIP__" \
                            "-D__APPLE_XSAN__"]
    use_autoreconf          yes
    patch.pre_args          -p1
    patchfiles-append       openssh-5.9p1-gsskex-all-20110920.patch \
                            apple-keychain.patch
    configure.args-append   --with-4in6 \
                            --with-audit=bsm \
                            --with-keychain=apple \
                            --disable-utmp \
                            --disable-wtmp \
                            --with-privsep-user=_sshd \
                            CFLAGS="-fPIE -O2" \
                            CPPFLAGS="$extra_cppflags" \
                            LDFLAGS="-Wl,-pie -framework CoreFoundation -framework OpenDirectory"
}

platform darwin {
    # create link to /usr/include/pam because 'security' was renamed to 'pam'
    # in OS X.
    pre-configure {
        xinstall -d ${workpath}/include
        file delete ${workpath}/include/security
        ln -s /usr/include/pam ${workpath}/include/security
    }
}

startupitem.create  yes
startupitem.name    OpenSSH
startupitem.start \
    "if \[ -x ${prefix}/sbin/sshd ]; then
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa1 -f \\
            ${prefix}/etc/ssh/ssh_host_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
            ${prefix}/bin/ssh-keygen -t dsa -f \\
            ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa -f \\
            ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
        fi
        ${prefix}/sbin/sshd
        fi"
startupitem.stop \
    "if \[ -r ${prefix}/var/run/sshd.pid \]; then
        kill `cat ${prefix}/var/run/sshd.pid`
        fi"


livecheck.type      regex
livecheck.url       ${homepage}
livecheck.regex     (5.\[0-9\]p\[0-9\])
