summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh/openssh-6.2p1
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh-6.2p1')
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/init92
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/nostrip.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-CVE-2011-4327.patch27
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/ssh_config46
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/sshd10
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.2p1/sshd_config119
6 files changed, 314 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/init b/meta/recipes-connectivity/openssh/openssh-6.2p1/init
new file mode 100644
index 0000000000..cde52ef3f4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/init
@@ -0,0 +1,92 @@
1#! /bin/sh
2set -e
3
4# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
5
6test -x /usr/sbin/sshd || exit 0
7( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
8
9if test -f /etc/default/ssh; then
10 . /etc/default/ssh
11fi
12
13check_for_no_start() {
14 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
15 if [ -e /etc/ssh/sshd_not_to_be_run ]; then
16 echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
17 exit 0
18 fi
19}
20
21check_privsep_dir() {
22 # Create the PrivSep empty dir if necessary
23 if [ ! -d /var/run/sshd ]; then
24 mkdir /var/run/sshd
25 chmod 0755 /var/run/sshd
26 fi
27}
28
29check_config() {
30 /usr/sbin/sshd -t || exit 1
31}
32
33check_keys() {
34 # create keys if necessary
35 if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
36 echo " generating ssh RSA key..."
37 ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
38 fi
39 if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
40 echo " generating ssh ECDSA key..."
41 ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
42 fi
43 if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
44 echo " generating ssh DSA key..."
45 ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
46 fi
47}
48
49export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
50
51case "$1" in
52 start)
53 check_for_no_start
54 echo "Starting OpenBSD Secure Shell server: sshd"
55 check_keys
56 check_privsep_dir
57 start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
58 echo "done."
59 ;;
60 stop)
61 echo -n "Stopping OpenBSD Secure Shell server: sshd"
62 start-stop-daemon -K -x /usr/sbin/sshd
63 echo "."
64 ;;
65
66 reload|force-reload)
67 check_for_no_start
68 check_keys
69 check_config
70 echo -n "Reloading OpenBSD Secure Shell server's configuration"
71 start-stop-daemon -K -s 1 -x /usr/sbin/sshd
72 echo "."
73 ;;
74
75 restart)
76 check_keys
77 check_config
78 echo -n "Restarting OpenBSD Secure Shell server: sshd"
79 start-stop-daemon -K -oknodo -x /usr/sbin/sshd
80 check_for_no_start
81 check_privsep_dir
82 sleep 2
83 start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
84 echo "."
85 ;;
86
87 *)
88 echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
89 exit 1
90esac
91
92exit 0
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/nostrip.patch
new file mode 100644
index 0000000000..33111f5494
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/nostrip.patch
@@ -0,0 +1,20 @@
1Disable stripping binaries during make install.
2
3Upstream-Status: Inappropriate [configuration]
4
5Build system specific.
6
7Signed-off-by: Scott Garman <scott.a.garman@intel.com>
8
9diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
10--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
11+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
12@@ -29,7 +29,7 @@
13 RAND_HELPER=$(libexecdir)/ssh-rand-helper
14 PRIVSEP_PATH=@PRIVSEP_PATH@
15 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
16-STRIP_OPT=@STRIP_OPT@
17+STRIP_OPT=
18
19 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
20 -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-CVE-2011-4327.patch
new file mode 100644
index 0000000000..8489edcc82
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-CVE-2011-4327.patch
@@ -0,0 +1,27 @@
1openssh-CVE-2011-4327
2
3A security flaw was found in the way ssh-keysign,
4a ssh helper program for host based authentication,
5attempted to retrieve enough entropy information on configurations that
6lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
7be executed to retrieve the entropy from the system environment).
8A local attacker could use this flaw to obtain unauthorized access to host keys
9via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
10
11https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
12http://www.openssh.com/txt/portable-keysign-rand-helper.adv
13
14Signed-off-by: Li Wang <li.wang@windriver.com>
15--- a/ssh-keysign.c
16+++ b/ssh-keysign.c
17@@ -170,6 +170,10 @@
18 key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
19 key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
20 key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
21+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
22+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
23+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
24+ fatal("fcntl failed");
25
26 original_real_uid = getuid(); /* XXX readconf.c needs this */
27 if ((pw = getpwuid(original_real_uid)) == NULL)
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.2p1/ssh_config
new file mode 100644
index 0000000000..4a4a649ba8
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/ssh_config
@@ -0,0 +1,46 @@
1# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
2
3# This is the ssh client system-wide configuration file. See
4# ssh_config(5) for more information. This file provides defaults for
5# users, and the values can be changed in per-user configuration files
6# or on the command line.
7
8# Configuration data is parsed as follows:
9# 1. command line options
10# 2. user-specific file
11# 3. system-wide file
12# Any configuration value is only changed the first time it is set.
13# Thus, host-specific definitions should be at the beginning of the
14# configuration file, and defaults at the end.
15
16# Site-wide defaults for some commonly used options. For a comprehensive
17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page.
19
20Host *
21 ForwardAgent yes
22 ForwardX11 yes
23# RhostsRSAAuthentication no
24# RSAAuthentication yes
25# PasswordAuthentication yes
26# HostbasedAuthentication no
27# GSSAPIAuthentication no
28# GSSAPIDelegateCredentials no
29# BatchMode no
30# CheckHostIP yes
31# AddressFamily any
32# ConnectTimeout 0
33# StrictHostKeyChecking ask
34# IdentityFile ~/.ssh/identity
35# IdentityFile ~/.ssh/id_rsa
36# IdentityFile ~/.ssh/id_dsa
37# Port 22
38# Protocol 2,1
39# Cipher 3des
40# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
41# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
42# EscapeChar ~
43# Tunnel no
44# TunnelDevice any:any
45# PermitLocalCommand no
46# VisualHostKey no
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd b/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd
new file mode 100644
index 0000000000..4882e58b48
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd
@@ -0,0 +1,10 @@
1#%PAM-1.0
2
3auth include common-auth
4account required pam_nologin.so
5account include common-account
6password include common-password
7session optional pam_keyinit.so force revoke
8session include common-session
9session required pam_loginuid.so
10
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd_config
new file mode 100644
index 0000000000..4f9b626fbd
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/sshd_config
@@ -0,0 +1,119 @@
1# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
2
3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented. Uncommented options change a
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18# Disable legacy (protocol version 1) support in the server for new
19# installations. In future the default will change to require explicit
20# activation of protocol 1
21Protocol 2
22
23# HostKey for protocol version 1
24#HostKey /etc/ssh/ssh_host_key
25# HostKeys for protocol version 2
26#HostKey /etc/ssh/ssh_host_rsa_key
27#HostKey /etc/ssh/ssh_host_dsa_key
28
29# Lifetime and size of ephemeral version 1 server key
30#KeyRegenerationInterval 1h
31#ServerKeyBits 1024
32
33# Logging
34# obsoletes QuietMode and FascistLogging
35#SyslogFacility AUTH
36#LogLevel INFO
37
38# Authentication:
39
40#LoginGraceTime 2m
41#PermitRootLogin yes
42#StrictModes yes
43#MaxAuthTries 6
44#MaxSessions 10
45
46#RSAAuthentication yes
47#PubkeyAuthentication yes
48#AuthorizedKeysFile .ssh/authorized_keys
49
50# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
51#RhostsRSAAuthentication no
52# similar for protocol version 2
53#HostbasedAuthentication no
54# Change to yes if you don't trust ~/.ssh/known_hosts for
55# RhostsRSAAuthentication and HostbasedAuthentication
56#IgnoreUserKnownHosts no
57# Don't read the user's ~/.rhosts and ~/.shosts files
58#IgnoreRhosts yes
59
60# To disable tunneled clear text passwords, change to no here!
61#PasswordAuthentication yes
62#PermitEmptyPasswords no
63
64# Change to no to disable s/key passwords
65#ChallengeResponseAuthentication yes
66
67# Kerberos options
68#KerberosAuthentication no
69#KerberosOrLocalPasswd yes
70#KerberosTicketCleanup yes
71#KerberosGetAFSToken no
72
73# GSSAPI options
74#GSSAPIAuthentication no
75#GSSAPICleanupCredentials yes
76
77# Set this to 'yes' to enable PAM authentication, account processing,
78# and session processing. If this is enabled, PAM authentication will
79# be allowed through the ChallengeResponseAuthentication and
80# PasswordAuthentication. Depending on your PAM configuration,
81# PAM authentication via ChallengeResponseAuthentication may bypass
82# the setting of "PermitRootLogin without-password".
83# If you just want the PAM account and session checks to run without
84# PAM authentication, then enable this but set PasswordAuthentication
85# and ChallengeResponseAuthentication to 'no'.
86#UsePAM no
87
88#AllowAgentForwarding yes
89#AllowTcpForwarding yes
90#GatewayPorts no
91#X11Forwarding no
92#X11DisplayOffset 10
93#X11UseLocalhost yes
94#PrintMotd yes
95#PrintLastLog yes
96#TCPKeepAlive yes
97#UseLogin no
98UsePrivilegeSeparation yes
99#PermitUserEnvironment no
100Compression no
101ClientAliveInterval 15
102ClientAliveCountMax 4
103#UseDNS yes
104#PidFile /var/run/sshd.pid
105#MaxStartups 10
106#PermitTunnel no
107#ChrootDirectory none
108
109# no default banner path
110#Banner none
111
112# override default of no subsystems
113Subsystem sftp /usr/libexec/sftp-server
114
115# Example of overriding settings on a per-user basis
116#Match User anoncvs
117# X11Forwarding no
118# AllowTcpForwarding no
119# ForceCommand cvs server