diff options
| author | Dan McGregor <dan.mcgregor@usask.ca> | 2015-01-15 15:11:00 -0600 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-02-03 14:53:54 +0000 |
| commit | e4dc8fe86c6b503cc3e55a2a466a65a1313501a1 (patch) | |
| tree | bbbccb8d7332ded9a47cab38fd72677a7766aa5e /meta | |
| parent | 93842f0ec96b6e0f7863441f6ae02febe8a24a62 (diff) | |
| download | poky-e4dc8fe86c6b503cc3e55a2a466a65a1313501a1.tar.gz | |
openssh: configuration updates
Rebase sshd_config and ssh_config with openssh upstream.
Check for the ed25519 key in the systemd keygen service.
(From OE-Core rev: 046dd5567d9de0596023846e7f0c6df7f01a9f5b)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
3 files changed, 26 insertions, 9 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config index 4a4a649ba8..9e919156d3 100644 --- a/meta/recipes-connectivity/openssh/openssh/ssh_config +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ | 1 | # $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ |
| 2 | 2 | ||
| 3 | # This is the ssh client system-wide configuration file. See | 3 | # This is the ssh client system-wide configuration file. See |
| 4 | # ssh_config(5) for more information. This file provides defaults for | 4 | # ssh_config(5) for more information. This file provides defaults for |
| @@ -44,3 +44,5 @@ Host * | |||
| 44 | # TunnelDevice any:any | 44 | # TunnelDevice any:any |
| 45 | # PermitLocalCommand no | 45 | # PermitLocalCommand no |
| 46 | # VisualHostKey no | 46 | # VisualHostKey no |
| 47 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | ||
| 48 | # RekeyLimit 1G 1h | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config index 4f9b626fbd..3553669aa0 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_config +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config | |||
| @@ -15,9 +15,7 @@ | |||
| 15 | #ListenAddress 0.0.0.0 | 15 | #ListenAddress 0.0.0.0 |
| 16 | #ListenAddress :: | 16 | #ListenAddress :: |
| 17 | 17 | ||
| 18 | # Disable legacy (protocol version 1) support in the server for new | 18 | # The default requires explicit activation of protocol 1 |
| 19 | # installations. In future the default will change to require explicit | ||
| 20 | # activation of protocol 1 | ||
| 21 | Protocol 2 | 19 | Protocol 2 |
| 22 | 20 | ||
| 23 | # HostKey for protocol version 1 | 21 | # HostKey for protocol version 1 |
| @@ -25,11 +23,16 @@ Protocol 2 | |||
| 25 | # HostKeys for protocol version 2 | 23 | # HostKeys for protocol version 2 |
| 26 | #HostKey /etc/ssh/ssh_host_rsa_key | 24 | #HostKey /etc/ssh/ssh_host_rsa_key |
| 27 | #HostKey /etc/ssh/ssh_host_dsa_key | 25 | #HostKey /etc/ssh/ssh_host_dsa_key |
| 26 | #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
| 27 | #HostKey /etc/ssh/ssh_host_ed25519_key | ||
| 28 | 28 | ||
| 29 | # Lifetime and size of ephemeral version 1 server key | 29 | # Lifetime and size of ephemeral version 1 server key |
| 30 | #KeyRegenerationInterval 1h | 30 | #KeyRegenerationInterval 1h |
| 31 | #ServerKeyBits 1024 | 31 | #ServerKeyBits 1024 |
| 32 | 32 | ||
| 33 | # Ciphers and keying | ||
| 34 | #RekeyLimit default none | ||
| 35 | |||
| 33 | # Logging | 36 | # Logging |
| 34 | # obsoletes QuietMode and FascistLogging | 37 | # obsoletes QuietMode and FascistLogging |
| 35 | #SyslogFacility AUTH | 38 | #SyslogFacility AUTH |
| @@ -45,7 +48,15 @@ Protocol 2 | |||
| 45 | 48 | ||
| 46 | #RSAAuthentication yes | 49 | #RSAAuthentication yes |
| 47 | #PubkeyAuthentication yes | 50 | #PubkeyAuthentication yes |
| 48 | #AuthorizedKeysFile .ssh/authorized_keys | 51 | |
| 52 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | ||
| 53 | # but this is overridden so installations will only check .ssh/authorized_keys | ||
| 54 | AuthorizedKeysFile .ssh/authorized_keys | ||
| 55 | |||
| 56 | #AuthorizedPrincipalsFile none | ||
| 57 | |||
| 58 | #AuthorizedKeysCommand none | ||
| 59 | #AuthorizedKeysCommandUser nobody | ||
| 49 | 60 | ||
| 50 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | 61 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
| 51 | #RhostsRSAAuthentication no | 62 | #RhostsRSAAuthentication no |
| @@ -74,8 +85,8 @@ Protocol 2 | |||
| 74 | #GSSAPIAuthentication no | 85 | #GSSAPIAuthentication no |
| 75 | #GSSAPICleanupCredentials yes | 86 | #GSSAPICleanupCredentials yes |
| 76 | 87 | ||
| 77 | # Set this to 'yes' to enable PAM authentication, account processing, | 88 | # Set this to 'yes' to enable PAM authentication, account processing, |
| 78 | # and session processing. If this is enabled, PAM authentication will | 89 | # and session processing. If this is enabled, PAM authentication will |
| 79 | # be allowed through the ChallengeResponseAuthentication and | 90 | # be allowed through the ChallengeResponseAuthentication and |
| 80 | # PasswordAuthentication. Depending on your PAM configuration, | 91 | # PasswordAuthentication. Depending on your PAM configuration, |
| 81 | # PAM authentication via ChallengeResponseAuthentication may bypass | 92 | # PAM authentication via ChallengeResponseAuthentication may bypass |
| @@ -91,20 +102,22 @@ Protocol 2 | |||
| 91 | #X11Forwarding no | 102 | #X11Forwarding no |
| 92 | #X11DisplayOffset 10 | 103 | #X11DisplayOffset 10 |
| 93 | #X11UseLocalhost yes | 104 | #X11UseLocalhost yes |
| 105 | #PermitTTY yes | ||
| 94 | #PrintMotd yes | 106 | #PrintMotd yes |
| 95 | #PrintLastLog yes | 107 | #PrintLastLog yes |
| 96 | #TCPKeepAlive yes | 108 | #TCPKeepAlive yes |
| 97 | #UseLogin no | 109 | #UseLogin no |
| 98 | UsePrivilegeSeparation yes | 110 | UsePrivilegeSeparation sandbox # Default for new installations. |
| 99 | #PermitUserEnvironment no | 111 | #PermitUserEnvironment no |
| 100 | Compression no | 112 | Compression no |
| 101 | ClientAliveInterval 15 | 113 | ClientAliveInterval 15 |
| 102 | ClientAliveCountMax 4 | 114 | ClientAliveCountMax 4 |
| 103 | #UseDNS yes | 115 | #UseDNS yes |
| 104 | #PidFile /var/run/sshd.pid | 116 | #PidFile /var/run/sshd.pid |
| 105 | #MaxStartups 10 | 117 | #MaxStartups 10:30:100 |
| 106 | #PermitTunnel no | 118 | #PermitTunnel no |
| 107 | #ChrootDirectory none | 119 | #ChrootDirectory none |
| 120 | #VersionAddendum none | ||
| 108 | 121 | ||
| 109 | # no default banner path | 122 | # no default banner path |
| 110 | #Banner none | 123 | #Banner none |
| @@ -116,4 +129,5 @@ Subsystem sftp /usr/libexec/sftp-server | |||
| 116 | #Match User anoncvs | 129 | #Match User anoncvs |
| 117 | # X11Forwarding no | 130 | # X11Forwarding no |
| 118 | # AllowTcpForwarding no | 131 | # AllowTcpForwarding no |
| 132 | # PermitTTY no | ||
| 119 | # ForceCommand cvs server | 133 | # ForceCommand cvs server |
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service index c21d70baf0..d65086fc8a 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service | |||
| @@ -3,6 +3,7 @@ Description=OpenSSH Key Generation | |||
| 3 | ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key | 3 | ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key |
| 4 | ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key | 4 | ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key |
| 5 | ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key | 5 | ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key |
| 6 | ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key | ||
| 6 | 7 | ||
| 7 | [Service] | 8 | [Service] |
| 8 | ExecStart=@BINDIR@/ssh-keygen -A | 9 | ExecStart=@BINDIR@/ssh-keygen -A |