Add: Workflow for debian packages (#6)

- Create Server package
- Create Client package
- Automatic deployment

.github/build.sh

@@ -7,7 +7,7 @@ export INSTALL_DIR=${DEFAULT_INSTALL_DIR}
 export OPENSSH_BUILD_OPTIONS=""
 cd /opt
 git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs
-git clone --depth 1 --branch OQS-v8 https://github.com/open-quantum-safe/openssh ossh-src
+git clone --depth 1 --branch OQS-v8 https://github.com/enclaive/buckypaper-openssh ossh-src
 cd /opt/liboqs
 mkdir build-static && cd build-static && cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install
 cd /opt/ossh-src

.github/build_debian_pkg.sh

@@ -0,0 +1,46 @@
+#/bin/sh
+set -ex
+
+## Prerequisites
+mkdir /assets/
+ls /opt/ossh-src/debian/openssh-pq-server/etc
+
+##Building the Client
+mkdir -p /opt/ossh-src/debian/openssh-pq-client/etc/ssh/ssh_config.d
+mv /opt/ossh-src/ssh_config /opt/ossh-src/debian/openssh-pq-client/etc/ssh/ssh_config
+
+mv /opt/ossh-src/scp /opt/ossh-src/debian/openssh-pq-client/usr/bin/scp
+mv /opt/ossh-src/sftp /opt/ossh-src/debian/openssh-pq-client/usr/bin/sftp
+
+mv /opt/ossh-src/ssh /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh
+mv /opt/ossh-src/ssh-add /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh-add 
+mv /opt/ossh-src/ssh-agent /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh-agent
+mv /opt/ossh-src/ssh-keygen /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh-keygen
+mv /opt/ossh-src/ssh-keyscan /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh-keyscan
+
+mv /opt/ossh-src/ssh-keysign /opt/ossh-src/debian/openssh-pq-client/usr/lib/openssh/ssh-keysign 
+mv /opt/ossh-src/ssh-pkcs11-helper /opt/ossh-src/debian/openssh-pq-client/usr/lib/openssh/ssh-pkcs11-helper
+mv /opt/ossh-src/ssh-sk-helper /opt/ossh-src/debian/openssh-pq-client/usr/lib/openssh/ssh-sk-helper
+
+mkdir /opt/ossh-src/debian/openssh-pq-client/usr/lib/systemd/user/graphical-session-pre.target.wants
+ln -sf /opt/ossh-src/debian/openssh-pq-client/usr/lib/systemd/user/ssh-agent.service /opt/ossh-src/debian/openssh-pq-client/usr/lib/systemd/user/graphical-session-pre.target.wants
+ln -sf /opt/ossh-src/debian/openssh-pq-client/usr/bin/ssh /opt/ossh-src/debian/openssh-pq-client/usr/bin/slogin
+
+cd /opt/ossh-src/debian/ && dpkg-deb --build openssh-pq-client
+mv /opt/ossh-src/debian/openssh-pq-client.deb /assets/
+
+
+## Building the Server
+mkdir -p /opt/ossh-src/debian/openssh-pq-server/etc/runit/runsvdir/default
+mkdir -p /opt/ossh-src/debian/openssh-pq-server/etc/ssh/sshd_config.d
+mkdir -p /opt/ossh-src/debian/openssh-pq-server/sbin
+mkdir -p /opt/ossh-src/debian/openssh-pq-server/var/log/runit/ssh
+mkdir -p /opt/ossh-src/debian/openssh-pq-server/usr/share/openssh
+
+mv /opt/ossh-src/sshd_config /opt/ossh-src/debian/openssh-pq-server/usr/share/openssh
+
+mv /opt/ossh-src/sshd /opt/ossh-src/debian/openssh-pq-server/sbin/sshd
+ln -sf /opt/ossh-src/debian/openssh-pq-server/usr/share/doc/openssh-client /opt/ossh-src/debian/openssh-pq-server/usr/share/doc/openssh-server
+
+cd /opt/ossh-src/debian/ && dpkg-deb --build openssh-pq-server
+mv /opt/ossh-src/debian/openssh-pq-server.deb /assets/

.github/install-dependencies.sh

@@ -3,7 +3,10 @@ set -ex
 sudo apt-get update && sudo apt-get install --no-install-recommends --no-install-suggests -y \
     autoconf \
     automake \
+    build-essential \
     cmake \
+    debhelper \
+    devscripts \
     gcc \
     libtool \
     libssl-dev \

.github/workflows/release.yml

@@ -16,26 +16,16 @@ jobs:
       - name: build
         run: |
           sh .github/build.sh
-      - run: mkdir assets/
-      - run: mv /opt/ossh-src/scp assets/
-      - run: mv /opt/ossh-src/sftp assets/
-      - run: mv /opt/ossh-src/sftp-server assets/
-      - run: mv /opt/ossh-src/ssh assets/
-      - run: mv /opt/ossh-src/ssh-add assets/
-      - run: mv /opt/ossh-src/ssh-agent assets/
-      - run: mv /opt/ossh-src/sshd assets/
-      - run: mv /opt/ossh-src/ssh-keygen assets/
-      - run: mv /opt/ossh-src/ssh-keyscan assets/
-      - run: mv /opt/ossh-src/ssh-keysign assets/
-      - run: mv /opt/ossh-src/ssh-pkcs11-helper assets/
-      - run: mv /opt/ossh-src/ssh-sk-helper assets/
-      - name: Release
-        id: create_release
-        uses: "marvinpinto/action-automatic-releases@latest"
-        with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          automatic_release_tag: "latest"
-          prerelease: true
-          title: "Development Build"
-          files: |
-            assets/*
+      - name: build debian
+        run: |
+          sh .github/build_debian_pkg.sh
+     - name: Release
+       id: create_release
+       uses: "marvinpinto/action-automatic-releases@latest"
+       with:
+         repo_token: "${{ secrets.GITHUB_TOKEN }}"
+         automatic_release_tag: "latest"
+         prerelease: true
+         title: "Development Build"
+         files: |
+           /assets/*

.gitignore

@@ -41,3 +41,7 @@ oqs-scripts/tmp
 oqs/
 *.dSYM
 __pycache__
+
+# Debian
+!debian/openssh-pq-server/*/*/*
+!debian/openssh-pq-server/etc/*

debian/openssh-pq-client/DEBIAN/conffiles

@@ -0,0 +1 @@
+/etc/ssh/ssh_config

debian/openssh-pq-client/DEBIAN/control

@@ -0,0 +1,7 @@
+Package: opensshpq-client
+Version: 1.0.0
+Section: net
+Priority: optional
+Architecture: any
+Maintainer: Enclaive
+Description: PQ-safe version of OpenSSH

debian/openssh-pq-client/DEBIAN/postinst

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Copyright Debian OpenSSH Maintainers
+set -e
+
+action="$1"
+
+umask 022
+
+
+update_ssh_group_name() {
+	# The _ssh group used to be called ssh, but that could clash with
+	# locally-created user accounts.  Since this only exists as an
+	# otherwise-empty group to which ssh-agent is installed setgid, it's
+	# easy to rename.
+	if getent group ssh >/dev/null && ! getent group _ssh >/dev/null; then
+		groupmod -n _ssh ssh
+	fi
+}
+
+set_ssh_agent_permissions() {
+	if ! getent group _ssh >/dev/null; then
+		addgroup --system --quiet --force-badname _ssh
+	fi
+	if ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null; then
+		chgrp _ssh /usr/bin/ssh-agent
+		chmod 2755 /usr/bin/ssh-agent
+	fi
+}
+
+remove_obsolete_alternatives() {
+	update-alternatives --remove rcp /usr/bin/scp
+	update-alternatives --remove rlogin /usr/bin/slogin
+	update-alternatives --remove rsh /usr/bin/ssh
+}
+
+
+if [ "$action" = configure ]; then
+	if dpkg --compare-versions "$2" lt-nl 1:8.4p1-6~; then
+		update_ssh_group_name
+	fi
+	set_ssh_agent_permissions
+	if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~; then
+		remove_obsolete_alternatives
+	fi
+fi
+
+# Automatically added by dh_installdeb/13.11.4
+dpkg-maintscript-helper rm_conffile /etc/ssh/moduli 1:7.9p1-8\~ -- "$@"
+# End automatically added section
+
+
+exit 0

debian/openssh-pq-client/DEBIAN/postrm

@@ -0,0 +1,26 @@
+#!/bin/sh
+# Copyright Debian OpenSSH Maintainers
+set -e
+
+# Automatically added by dh_installdeb/13.11.4
+dpkg-maintscript-helper rm_conffile /etc/ssh/moduli 1.0.0\~ -- "$@"
+# End automatically added section
+
+
+case $1 in
+	purge)
+		# Remove all non-conffiles that ssh might create, so that we
+		# can smoothly remove /etc/ssh if and only if the user
+		# hasn't dropped some other files in there. Conffiles have
+		# already been removed at this point.
+		rm -f /etc/ssh/moduli /etc/ssh/primes
+		rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+		[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
+
+		if command -v delgroup >/dev/null 2>&1; then
+			delgroup --quiet ssh > /dev/null || true
+		fi
+		;;
+esac
+
+exit 0

debian/openssh-pq-client/DEBIAN/preinst

@@ -0,0 +1,6 @@
+#!/bin/sh
+# Copyright Debian OpenSSH Maintainers
+set -e
+# Automatically added by dh_installdeb/13.11.4
+dpkg-maintscript-helper rm_conffile /etc/ssh/moduli 1:7.9p1-8\~ -- "$@"
+# End automatically added section

debian/openssh-pq-client/DEBIAN/prerm

@@ -0,0 +1,6 @@
+#!/bin/sh
+# Copyright Debian OpenSSH Maintainers
+set -e
+# Automatically added by dh_installdeb/13.11.4
+dpkg-maintscript-helper rm_conffile /etc/ssh/moduli 1:7.9p1-8\~ -- "$@"
+# End automatically added section

debian/openssh-pq-client/usr/bin/ssh-argv0

@@ -0,0 +1,31 @@
+#! /bin/sh
+set -e
+
+# Copyright (c) 2001 Natalie Amery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+if [ "${0##*/}" = "ssh-argv0" ]
+then
+  echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2
+  exit 1
+fi
+exec ssh "${0##*/}" "$@"