openssh: upgrade 9.7p1 -> 9.8p1

- drop the CVE-2024-6387 [backported patch] - drop systemd notify [backported patch] - fix musl build [backported patch] - fix ptest regression [submited patch] - sshd now had the sshd-session Release notes at https://www.openssh.com/txt/release-9.8 Security ======== This release contains fixes for two security problems, one critical and one minor. 1) Race condition in sshd(8) A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. We thank the Qualys Security Advisory Team for discovering, reporting and demonstrating exploitability of this problem, and for providing detailed feedback on additional mitigation measures. 2) Logic error in ssh(1) ObscureKeystrokeTiming In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally. This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab. Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default). This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025. DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" in Makefile.inc. To enable DSA support in portable OpenSSH, pass the "--enable-dsa-keys" option to configure. Potentially-incompatible changes -------------------------------- * all: as mentioned above, the DSA signature algorithm is now disabled at compile time. * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 * (portable OpenSSH only) Automatically-generated files, such as configure, config.h.in, etc will now be checked in to the portable OpenSSH git release branch (e.g. V_9_8). This should ensure that the contents of the signed release branch exactly match the contents of the signed release tarball. Changes since OpenSSH 9.7 ========================= This release contains mostly bugfixes. New features ------------ * sshd(8): as described above, sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. sshd(8) will now identify situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit bugs in sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum configurable threshold, then all connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range) until the penalty expire. Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. Address ranges may be fully exempted from penalties, e.g. to guarantee access from a set of trusted management addresses, using the new sshd_config(5) PerSourcePenaltyExemptList option. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. This option is enabled by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Bugfixes -------- * misc: fix a number of inaccuracies in the PROTOCOL.* documentation files. GHPR430 GHPR487 * all: switch to strtonum(3) for more robust integer parsing in most places. * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 * sftp(1): flush stdout after writing "sftp>" prompt when not using editline. GHPR480 * sftp-server(8): fix home-directory extension implementation, it previously always returned the current user's home directory contrary to the spec. GHPR477 * ssh-keyscan(1): do not close stdin to prevent error messages when stdin is read multiple times. E.g. echo localhost | ssh-keyscan -f - -f - * regression tests: fix rekey test that was testing the same KEX algorithm repeatedly instead of testing all of them. bz3692 * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive documentation, especially around what is supported vs available. bz3701. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * build: fix OpenSSL ED25519 support detection. An incorrect function signature in configure.ac previously prevented enabling the recently added support for ED25519 private keys in PEM PKCS8 format. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 * build: improve detection of the -fzero-call-used-regs compiler flag. bz3673. * build: relax OpenSSL version check to accept all OpenSSL 3.x versions. * sshd(8): add support for notifying systemd on server listen and reload, using a standalone implementation that doesn't depend on libsystemd. bz2641 (From OE-Core rev: 4e2834f67d32894d1cac5fc9ac5234816765245e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jose Quaresma <quaresma.jose@gmail.com> 2024-07-25 14:23:12 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-07-26 12:28:42 +0100
commit: e78e0cc8225236f8d84ecbc577b55fba23541880 (patch)
tree: 662c8157fd274c8c574f10debdc8401cbe51e15a
parent: 0c03d6aeb7b21c604278cfad272dd7beb1d3e10f (diff)
download: poky-e78e0cc8225236f8d84ecbc577b55fba23541880.tar.gz
7 files changed, 73 insertions, 261 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
new file mode 100644
index 0000000000..c41642ae10
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
+From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sun, 7 Jul 2024 18:46:19 +1000
+Subject: [PATCH] Cast to sockaddr * in systemd interface.
+Fixes build with musl libx.  bz#3707.
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ openbsd-compat/port-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4c024c6d2..8adfec5a7 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
+                error_f("socket \"%s\": %s", path, strerror(errno));
+                goto out;
+        }
+-       if (connect(fd, &addr, sizeof(addr)) != 0) {
+       if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
+                error_f("socket \"%s\" connect: %s", path, strerror(errno));
+                goto out;
+        }
+-- 
+2.45.2
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
deleted file mode 100644
index 4925c969fe..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 3 Apr 2024 14:40:32 +1100
-Subject: [PATCH] notify systemd on listen and reload
-Standalone implementation that does not depend on libsystemd.
-With assistance from Luca Boccassi, and feedback/testing from Colin
-Watson. bz2641
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
-Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
- configure.ac                |  1 +
- openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
- openbsd-compat/port-linux.h |  5 ++
- platform.c                  | 11 +++++
- platform.h                  |  1 +
- sshd.c                      |  2 +
- 6 files changed, 115 insertions(+), 2 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7c1..854f92b5b 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-        AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
-        AC_DEFINE([USE_BTMP])
-        AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
-+       AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
-        inet6_default_4in6=yes
-        case `uname -r` in
-        1.*|2.0.*)
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 0457e28d0..df7290246 100644
--- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -21,16 +21,23 @@
- 
- #include "includes.h"
- 
-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
-+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
-+    defined(SYSTEMD_NOTIFY)
-+#include <sys/socket.h>
-+#include <sys/un.h>
-+
- #include <errno.h>
-+#include <inttypes.h>
- #include <stdarg.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <time.h>
- 
- #include "log.h"
- #include "xmalloc.h"
- #include "port-linux.h"
-+#include "misc.h"
- 
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
-@@ -310,4 +317,90 @@ oom_adjust_restore(void)
-        return;
- }
- #endif /* LINUX_OOM_ADJUST */
-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-+
-+#ifdef SYSTEMD_NOTIFY
-+
-+static void ssh_systemd_notify(const char *, ...)
-+    __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
-+
-+static void
-+ssh_systemd_notify(const char *fmt, ...)
-+{
-+       char *s = NULL;
-+       const char *path;
-+       struct stat sb;
-+       struct sockaddr_un addr;
-+       int fd = -1;
-+       va_list ap;
-+
-+       if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
-+               return;
-+
-+       va_start(ap, fmt);
-+       xvasprintf(&s, fmt, ap);
-+       va_end(ap);
-+
-+       /* Only AF_UNIX is supported, with path or abstract sockets */
-+       if (path[0] != '/' && path[0] != '@') {
-+               error_f("socket \"%s\" is not compatible with AF_UNIX", path);
-+               goto out;
-+       }
-+
-+       if (path[0] == '/' && stat(path, &sb) != 0) {
-+               error_f("socket \"%s\" stat: %s", path, strerror(errno));
-+               goto out;
-+       }
-+
-+       memset(&addr, 0, sizeof(addr));
-+       addr.sun_family = AF_UNIX;
-+       if (strlcpy(addr.sun_path, path,
-+           sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
-+               error_f("socket path \"%s\" too long", path);
-+               goto out;
-+       }
-+       /* Support for abstract socket */
-+       if (addr.sun_path[0] == '@')
-+               addr.sun_path[0] = 0;
-+       if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
-+               error_f("socket \"%s\": %s", path, strerror(errno));
-+               goto out;
-+       }
-+       if (connect(fd, &addr, sizeof(addr)) != 0) {
-+               error_f("socket \"%s\" connect: %s", path, strerror(errno));
-+               goto out;
-+       }
-+       if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
-+               error_f("socket \"%s\" write: %s", path, strerror(errno));
-+               goto out;
-+       }
-+       debug_f("socket \"%s\" notified %s", path, s);
-+ out:
-+       if (fd != -1)
-+               close(fd);
-+       free(s);
-+}
-+
-+void
-+ssh_systemd_notify_ready(void)
-+{
-+       ssh_systemd_notify("READY=1");
-+}
-+
-+void
-+ssh_systemd_notify_reload(void)
-+{
-+       struct timespec now;
-+
-+       monotime_ts(&now);
-+       if (now.tv_sec < 0 || now.tv_nsec < 0) {
-+               error_f("monotime returned negative value");
-+               ssh_systemd_notify("RELOADING=1");
-+       } else {
-+               ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
-+                   ((uint64_t)now.tv_sec * 1000000ULL) +
-+                   ((uint64_t)now.tv_nsec / 1000ULL));
-+       }
-+}
-+#endif /* SYSTEMD_NOTIFY */
-+
-+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index 3c22a854d..14064f87d 100644
--- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
- void oom_adjust_setup(void);
- #endif
- 
-+#ifdef SYSTEMD_NOTIFY
-+void ssh_systemd_notify_ready(void);
-+void ssh_systemd_notify_reload(void);
-+#endif
-+
- #endif /* ! _PORT_LINUX_H */
-diff --git a/platform.c b/platform.c
-index 4fe8744ee..9cf818153 100644
--- a/platform.c
-+++ b/platform.c
-@@ -44,6 +44,14 @@ platform_pre_listen(void)
- #endif
- }
- 
-+void
-+platform_post_listen(void)
-+{
-+#ifdef SYSTEMD_NOTIFY
-+       ssh_systemd_notify_ready();
-+#endif
-+}
-+
- void
- platform_pre_fork(void)
- {
-@@ -55,6 +63,9 @@ platform_pre_fork(void)
- void
- platform_pre_restart(void)
- {
-+#ifdef SYSTEMD_NOTIFY
-+       ssh_systemd_notify_reload();
-+#endif
- #ifdef LINUX_OOM_ADJUST
-        oom_adjust_restore();
- #endif
-diff --git a/platform.h b/platform.h
-index 7fef8c983..5dec23276 100644
--- a/platform.h
-+++ b/platform.h
-@@ -21,6 +21,7 @@
- void platform_pre_listen(void);
- void platform_pre_fork(void);
- void platform_pre_restart(void);
-+void platform_post_listen(void);
- void platform_post_fork_parent(pid_t child_pid);
- void platform_post_fork_child(void);
- int  platform_privileged_uidswap(void);
-diff --git a/sshd.c b/sshd.c
-index b4f2b9742..865331b46 100644
--- a/sshd.c
-+++ b/sshd.c
-@@ -2077,6 +2077,8 @@ main(int ac, char **av)
-                ssh_signal(SIGTERM, sigterm_handler);
-                ssh_signal(SIGQUIT, sigterm_handler);
- 
-+               platform_post_listen();
-+
-                /*
-                 * Write out the pid file after the sigterm handler
-                 * is setup and the listen sockets are bound
-- 
-2.45.2
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
index 8763f30f4b..f424288e37 100644
--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli <mikko.rapeli@linaro.org>
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
 ---
 regress/banner.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
 done
 
 trace "test suppress banner (-q)"
-- 
-2.34.1
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..b90cd2e69d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7afc2807..175f554b 100644
+--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
+@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
+case "$SSH" in
+/*) ;;
+*) SSH=`which $SSH` ;;
+esac
+
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
deleted file mode 100644
index 3e7c707100..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Description: fix signal handler race condition
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
-CVE: CVE-2024-6387
-Upstream-Status: Backport
-https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
-Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
--- a/log.c
-+++ b/log.c
-@@ -452,12 +452,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
-     LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#if 0
-        va_list args;
- 
-        va_start(args, fmt);
-        sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
-            suffix, fmt, args);
-        va_end(args);
-+#endif
-        _exit(1);
- }
- 
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index b2244d725a..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
index 4680d12be5..9554b4783f 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://volatiles.99_sshd \
           file://run-ptest \
           file://sshd_check_keys \
+           file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
-           file://0001-notify-systemd-on-listen-and-reload.patch \
+           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
-           file://CVE-2024-6387.patch \
           "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
@@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"
author	Jose Quaresma <quaresma.jose@gmail.com>	2024-07-25 14:23:12 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-07-26 12:28:42 +0100
commit	e78e0cc8225236f8d84ecbc577b55fba23541880 (patch)
tree	662c8157fd274c8c574f10debdc8401cbe51e15a
parent	0c03d6aeb7b21c604278cfad272dd7beb1d3e10f (diff)
download	poky-e78e0cc8225236f8d84ecbc577b55fba23541880.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch new file mode 100644 index 0000000000..c41642ae10 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
		1	From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
		2	From: Darren Tucker <dtucker@dtucker.net>
		3	Date: Sun, 7 Jul 2024 18:46:19 +1000
		4	Subject: [PATCH] Cast to sockaddr * in systemd interface.
		5
		6	Fixes build with musl libx. bz#3707.
		7
		8	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
		9
		10	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
		11	---
		12	openbsd-compat/port-linux.c \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
		16	index 4c024c6d2..8adfec5a7 100644
		17	--- a/openbsd-compat/port-linux.c
		18	+++ b/openbsd-compat/port-linux.c
		19	@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
		20	error_f("socket \"%s\": %s", path, strerror(errno));
		21	goto out;
		22	}
		23	- if (connect(fd, &addr, sizeof(addr)) != 0) {
		24	+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
		25	error_f("socket \"%s\" connect: %s", path, strerror(errno));
		26	goto out;
		27	}
		28	--
		29	2.45.2
		30


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch deleted file mode 100644 index 4925c969fe..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch +++ /dev/null
@@ -1,225 +0,0 @@
1	From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
2	From: Damien Miller <djm@mindrot.org>
3	Date: Wed, 3 Apr 2024 14:40:32 +1100
4	Subject: [PATCH] notify systemd on listen and reload
5
6	Standalone implementation that does not depend on libsystemd.
7	With assistance from Luca Boccassi, and feedback/testing from Colin
8	Watson. bz2641
9
10	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
11
12	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
13	---
14	configure.ac \| 1 +
15	openbsd-compat/port-linux.c \| 97 ++++++++++++++++++++++++++++++++++++-
16	openbsd-compat/port-linux.h \| 5 ++
17	platform.c \| 11 +++++
18	platform.h \| 1 +
19	sshd.c \| 2 +
20	6 files changed, 115 insertions(+), 2 deletions(-)
21
22	diff --git a/configure.ac b/configure.ac
23	index 82e8bb7c1..854f92b5b 100644
24	--- a/configure.ac
25	+++ b/configure.ac
26	@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
27	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
28	AC_DEFINE([USE_BTMP])
29	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
30	+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
31	inet6_default_4in6=yes
32	case `uname -r` in
33	1.\|2.0.)
34	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
35	index 0457e28d0..df7290246 100644
36	--- a/openbsd-compat/port-linux.c
37	+++ b/openbsd-compat/port-linux.c
38	@@ -21,16 +21,23 @@
39
40	#include "includes.h"
41
42	-#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST)
43	+#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST) \|\| \
44	+ defined(SYSTEMD_NOTIFY)
45	+#include <sys/socket.h>
46	+#include <sys/un.h>
47	+
48	#include <errno.h>
49	+#include <inttypes.h>
50	#include <stdarg.h>
51	#include <string.h>
52	#include <stdio.h>
53	#include <stdlib.h>
54	+#include <time.h>
55
56	#include "log.h"
57	#include "xmalloc.h"
58	#include "port-linux.h"
59	+#include "misc.h"
60
61	#ifdef WITH_SELINUX
62	#include <selinux/selinux.h>
63	@@ -310,4 +317,90 @@ oom_adjust_restore(void)
64	return;
65	}
66	#endif /* LINUX_OOM_ADJUST */
67	-#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST */
68	+
69	+#ifdef SYSTEMD_NOTIFY
70	+
71	+static void ssh_systemd_notify(const char *, ...)
72	+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
73	+
74	+static void
75	+ssh_systemd_notify(const char *fmt, ...)
76	+{
77	+ char *s = NULL;
78	+ const char *path;
79	+ struct stat sb;
80	+ struct sockaddr_un addr;
81	+ int fd = -1;
82	+ va_list ap;
83	+
84	+ if ((path = getenv("NOTIFY_SOCKET")) == NULL \|\| strlen(path) == 0)
85	+ return;
86	+
87	+ va_start(ap, fmt);
88	+ xvasprintf(&s, fmt, ap);
89	+ va_end(ap);
90	+
91	+ /* Only AF_UNIX is supported, with path or abstract sockets */
92	+ if (path[0] != '/' && path[0] != '@') {
93	+ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
94	+ goto out;
95	+ }
96	+
97	+ if (path[0] == '/' && stat(path, &sb) != 0) {
98	+ error_f("socket \"%s\" stat: %s", path, strerror(errno));
99	+ goto out;
100	+ }
101	+
102	+ memset(&addr, 0, sizeof(addr));
103	+ addr.sun_family = AF_UNIX;
104	+ if (strlcpy(addr.sun_path, path,
105	+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
106	+ error_f("socket path \"%s\" too long", path);
107	+ goto out;
108	+ }
109	+ /* Support for abstract socket */
110	+ if (addr.sun_path[0] == '@')
111	+ addr.sun_path[0] = 0;
112	+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
113	+ error_f("socket \"%s\": %s", path, strerror(errno));
114	+ goto out;
115	+ }
116	+ if (connect(fd, &addr, sizeof(addr)) != 0) {
117	+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
118	+ goto out;
119	+ }
120	+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
121	+ error_f("socket \"%s\" write: %s", path, strerror(errno));
122	+ goto out;
123	+ }
124	+ debug_f("socket \"%s\" notified %s", path, s);
125	+ out:
126	+ if (fd != -1)
127	+ close(fd);
128	+ free(s);
129	+}
130	+
131	+void
132	+ssh_systemd_notify_ready(void)
133	+{
134	+ ssh_systemd_notify("READY=1");
135	+}
136	+
137	+void
138	+ssh_systemd_notify_reload(void)
139	+{
140	+ struct timespec now;
141	+
142	+ monotime_ts(&now);
143	+ if (now.tv_sec < 0 \|\| now.tv_nsec < 0) {
144	+ error_f("monotime returned negative value");
145	+ ssh_systemd_notify("RELOADING=1");
146	+ } else {
147	+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
148	+ ((uint64_t)now.tv_sec * 1000000ULL) +
149	+ ((uint64_t)now.tv_nsec / 1000ULL));
150	+ }
151	+}
152	+#endif /* SYSTEMD_NOTIFY */
153	+
154	+#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST \|\| SYSTEMD_NOTIFY */
155	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
156	index 3c22a854d..14064f87d 100644
157	--- a/openbsd-compat/port-linux.h
158	+++ b/openbsd-compat/port-linux.h
159	@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
160	void oom_adjust_setup(void);
161	#endif
162
163	+#ifdef SYSTEMD_NOTIFY
164	+void ssh_systemd_notify_ready(void);
165	+void ssh_systemd_notify_reload(void);
166	+#endif
167	+
168	#endif /* ! _PORT_LINUX_H */
169	diff --git a/platform.c b/platform.c
170	index 4fe8744ee..9cf818153 100644
171	--- a/platform.c
172	+++ b/platform.c
173	@@ -44,6 +44,14 @@ platform_pre_listen(void)
174	#endif
175	}
176
177	+void
178	+platform_post_listen(void)
179	+{
180	+#ifdef SYSTEMD_NOTIFY
181	+ ssh_systemd_notify_ready();
182	+#endif
183	+}
184	+
185	void
186	platform_pre_fork(void)
187	{
188	@@ -55,6 +63,9 @@ platform_pre_fork(void)
189	void
190	platform_pre_restart(void)
191	{
192	+#ifdef SYSTEMD_NOTIFY
193	+ ssh_systemd_notify_reload();
194	+#endif
195	#ifdef LINUX_OOM_ADJUST
196	oom_adjust_restore();
197	#endif
198	diff --git a/platform.h b/platform.h
199	index 7fef8c983..5dec23276 100644
200	--- a/platform.h
201	+++ b/platform.h
202	@@ -21,6 +21,7 @@
203	void platform_pre_listen(void);
204	void platform_pre_fork(void);
205	void platform_pre_restart(void);
206	+void platform_post_listen(void);
207	void platform_post_fork_parent(pid_t child_pid);
208	void platform_post_fork_child(void);
209	int platform_privileged_uidswap(void);
210	diff --git a/sshd.c b/sshd.c
211	index b4f2b9742..865331b46 100644
212	--- a/sshd.c
213	+++ b/sshd.c
214	@@ -2077,6 +2077,8 @@ main(int ac, char **av)
215	ssh_signal(SIGTERM, sigterm_handler);
216	ssh_signal(SIGQUIT, sigterm_handler);
217
218	+ platform_post_listen();
219	+
220	/*
221	* Write out the pid file after the sigterm handler
222	* is setup and the listen sockets are bound
223	--
224	2.45.2
225


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch index 8763f30f4b..f424288e37 100644 --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
1	From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001	1	From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
2	From: Mikko Rapeli <mikko.rapeli@linaro.org>	2	From: Mikko Rapeli <mikko.rapeli@linaro.org>
3	Date: Mon, 11 Sep 2023 09:55:21 +0100	3	Date: Mon, 11 Sep 2023 09:55:21 +0100
4	Subject: [PATCH] regress/banner.sh: log input and output files on error	4	Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
37	Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]	37	Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
38		38
39	Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>	39	Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
		40	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
40	---	41	---
41	regress/banner.sh \| 4 +++-	42	regress/banner.sh \| 4 +++-
42	1 file changed, 3 insertions(+), 1 deletion(-)	43	1 file changed, 3 insertions(+), 1 deletion(-)
43		44
44	diff --git a/regress/banner.sh b/regress/banner.sh	45	diff --git a/regress/banner.sh b/regress/banner.sh
45	index a84feb5a..de84957a 100644	46	index a84feb5..de84957 100644
46	--- a/regress/banner.sh	47	--- a/regress/banner.sh
47	+++ b/regress/banner.sh	48	+++ b/regress/banner.sh
48	@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do	49	@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
56	done	57	done
57		58
58	trace "test suppress banner (-q)"	59	trace "test suppress banner (-q)"
59	--
60	2.34.1
61


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch new file mode 100644 index 0000000000..b90cd2e69d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
		1	From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
		2	From: Jose Quaresma <jose.quaresma@foundries.io>
		3	Date: Mon, 15 Jul 2024 18:43:08 +0100
		4	Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
		5
		6	The SSHAGENT_BIN was changed in [1] to SSH_BIN but
		7	the last one don't use the absolute path and consequently
		8	the function increase_datafile_size can loops forever
		9	if the binary not found.
		10
		11	[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
		12
		13	Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
		14
		15	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
		16	---
		17	regress/test-exec.sh \| 5 +++++
		18	1 file changed, 5 insertions(+)
		19
		20	diff --git a/regress/test-exec.sh b/regress/test-exec.sh
		21	index 7afc2807..175f554b 100644
		22	--- a/regress/test-exec.sh
		23	+++ b/regress/test-exec.sh
		24	@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
		25	fi
		26
		27	# Path to sshd must be absolute for rexec
		28	+case "$SSH" in
		29	+/*) ;;
		30	+*) SSH=`which $SSH` ;;
		31	+esac
		32	+
		33	case "$SSHD" in
		34	/*) ;;
		35	*) SSHD=`which $SSHD` ;;


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch deleted file mode 100644 index 3e7c707100..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch +++ /dev/null
@@ -1,27 +0,0 @@
1	Description: fix signal handler race condition
2	Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
3
4	CVE: CVE-2024-6387
5
6	Upstream-Status: Backport
7	https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
8
9	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
10
11	--- a/log.c
12	+++ b/log.c
13	@@ -452,12 +452,14 @@ void
14	sshsigdie(const char file, const char func, int line, int showfunc,
15	LogLevel level, const char suffix, const char fmt, ...)
16	{
17	+#if 0
18	va_list args;
19
20	va_start(args, fmt);
21	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
22	suffix, fmt, args);
23	va_end(args);
24	+#endif
25	_exit(1);
26	}
27


diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index b2244d725a..c9100f9f37 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
1	#!/bin/sh	1	#!/bin/sh
2		2
		3	export TEST_SSH_SSH=ssh
3	export TEST_SHELL=sh	4	export TEST_SHELL=sh
4	export SKIP_UNIT=1	5	export SKIP_UNIT=1
5		6


diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb index 4680d12be5..9554b4783f 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
23	file://volatiles.99_sshd \	23	file://volatiles.99_sshd \
24	file://run-ptest \	24	file://run-ptest \
25	file://sshd_check_keys \	25	file://sshd_check_keys \
		26	file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
26	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \	27	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
27	file://0001-notify-systemd-on-listen-and-reload.patch \	28	file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
28	file://CVE-2024-6387.patch \
29	"	29	"
30	SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"	30	SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
31		31
32	CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."	32	CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
33		33
@@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1"
195	PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"	195	PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
196	FILES:${PN}-scp = "${bindir}/scp.${BPN}"	196	FILES:${PN}-scp = "${bindir}/scp.${BPN}"
197	FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"	197	FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
198	FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"	198	FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
199	FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"	199	FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
200	FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"	200	FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
201	FILES:${PN}-sftp = "${bindir}/sftp"	201	FILES:${PN}-sftp = "${bindir}/sftp"