diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh')
13 files changed, 583 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch new file mode 100644 index 0000000000..5913597dfd --- /dev/null +++ b/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | Adjust test cases to work with busybox. | ||
2 | |||
3 | - Replace dd parameter "obs" with "bs". | ||
4 | - Replace "head -<num>" with "head -n <num>". | ||
5 | |||
6 | Signed-off-by: Björn Stenberg <bjst@enea.com> | ||
7 | Upstream-status: Pending | ||
8 | |||
9 | --- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200 | ||
10 | +++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100 | ||
11 | @@ -26,7 +26,7 @@ | ||
12 | echon "$c/$m:\t" | ||
13 | ( ${SSH} -o 'compression no' \ | ||
14 | -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ | ||
15 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
16 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
17 | < ${DATA} ) 2>&1 | getbytes | ||
18 | |||
19 | if [ $? -ne 0 ]; then | ||
20 | @@ -42,7 +42,7 @@ | ||
21 | echon "$c:\t" | ||
22 | ( ${SSH} -o 'compression no' \ | ||
23 | -F $OBJ/ssh_proxy -1 -c $c somehost \ | ||
24 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
25 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
26 | < ${DATA} ) 2>&1 | getbytes | ||
27 | if [ $? -ne 0 ]; then | ||
28 | fail "ssh -1 failed with cipher $c" | ||
29 | --- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200 | ||
30 | +++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100 | ||
31 | @@ -18,7 +18,7 @@ | ||
32 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
33 | trace "proto $p dd-size ${s}" | ||
34 | rm -f ${COPY} | ||
35 | - dd if=$DATA obs=${s} 2> /dev/null | \ | ||
36 | + dd if=$DATA bs=${s} 2> /dev/null | \ | ||
37 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
38 | if [ $? -ne 0 ]; then | ||
39 | fail "ssh cat $DATA failed" | ||
40 | --- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100 | ||
41 | +++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100 | ||
42 | @@ -4,7 +4,7 @@ | ||
43 | tid="yes pipe head" | ||
44 | |||
45 | for p in 1 2; do | ||
46 | - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` | ||
47 | + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` | ||
48 | if [ $? -ne 0 ]; then | ||
49 | fail "yes|head test failed" | ||
50 | lines = 0; | ||
51 | --- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200 | ||
52 | +++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100 | ||
53 | @@ -54,7 +54,7 @@ | ||
54 | fi | ||
55 | |||
56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | ||
57 | - from=`head -1 $authkeys | cut -f1 -d ' '` | ||
58 | + from=`head -n 1 $authkeys | cut -f1 -d ' '` | ||
59 | verbose "key option proto $p $from" | ||
60 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | ||
61 | if [ "$r" = "true" ]; then | ||
diff --git a/meta/recipes-connectivity/openssh/files/run-ptest b/meta/recipes-connectivity/openssh/files/run-ptest new file mode 100755 index 0000000000..3e725cf282 --- /dev/null +++ b/meta/recipes-connectivity/openssh/files/run-ptest | |||
@@ -0,0 +1,7 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | export TEST_SHELL=sh | ||
4 | |||
5 | cd regress | ||
6 | make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ | ||
7 | | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init new file mode 100644 index 0000000000..37c8e7b907 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/init | |||
@@ -0,0 +1,113 @@ | |||
1 | #! /bin/sh | ||
2 | set -e | ||
3 | |||
4 | # source function library | ||
5 | . /etc/init.d/functions | ||
6 | |||
7 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon | ||
8 | |||
9 | test -x /usr/sbin/sshd || exit 0 | ||
10 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
11 | |||
12 | # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS | ||
13 | if test -f /etc/default/ssh; then | ||
14 | . /etc/default/ssh | ||
15 | fi | ||
16 | |||
17 | [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh | ||
18 | mkdir -p $SYSCONFDIR | ||
19 | |||
20 | HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key | ||
21 | HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key | ||
22 | HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key | ||
23 | HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key | ||
24 | |||
25 | check_for_no_start() { | ||
26 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
27 | if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then | ||
28 | echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)" | ||
29 | exit 0 | ||
30 | fi | ||
31 | } | ||
32 | |||
33 | check_privsep_dir() { | ||
34 | # Create the PrivSep empty dir if necessary | ||
35 | if [ ! -d /var/run/sshd ]; then | ||
36 | mkdir /var/run/sshd | ||
37 | chmod 0755 /var/run/sshd | ||
38 | fi | ||
39 | } | ||
40 | |||
41 | check_config() { | ||
42 | /usr/sbin/sshd -t || exit 1 | ||
43 | } | ||
44 | |||
45 | check_keys() { | ||
46 | # create keys if necessary | ||
47 | if [ ! -f $HOST_KEY_RSA ]; then | ||
48 | echo " generating ssh RSA key..." | ||
49 | ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa | ||
50 | fi | ||
51 | if [ ! -f $HOST_KEY_ECDSA ]; then | ||
52 | echo " generating ssh ECDSA key..." | ||
53 | ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa | ||
54 | fi | ||
55 | if [ ! -f $HOST_KEY_DSA ]; then | ||
56 | echo " generating ssh DSA key..." | ||
57 | ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa | ||
58 | fi | ||
59 | if [ ! -f $HOST_KEY_ED25519 ]; then | ||
60 | echo " generating ssh ED25519 key..." | ||
61 | ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 | ||
62 | fi | ||
63 | } | ||
64 | |||
65 | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" | ||
66 | |||
67 | case "$1" in | ||
68 | start) | ||
69 | check_for_no_start | ||
70 | echo "Starting OpenBSD Secure Shell server: sshd" | ||
71 | check_keys | ||
72 | check_privsep_dir | ||
73 | start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS | ||
74 | echo "done." | ||
75 | ;; | ||
76 | stop) | ||
77 | echo -n "Stopping OpenBSD Secure Shell server: sshd" | ||
78 | start-stop-daemon -K -x /usr/sbin/sshd | ||
79 | echo "." | ||
80 | ;; | ||
81 | |||
82 | reload|force-reload) | ||
83 | check_for_no_start | ||
84 | check_keys | ||
85 | check_config | ||
86 | echo -n "Reloading OpenBSD Secure Shell server's configuration" | ||
87 | start-stop-daemon -K -s 1 -x /usr/sbin/sshd | ||
88 | echo "." | ||
89 | ;; | ||
90 | |||
91 | restart) | ||
92 | check_keys | ||
93 | check_config | ||
94 | echo -n "Restarting OpenBSD Secure Shell server: sshd" | ||
95 | start-stop-daemon -K --oknodo -x /usr/sbin/sshd | ||
96 | check_for_no_start | ||
97 | check_privsep_dir | ||
98 | sleep 2 | ||
99 | start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS | ||
100 | echo "." | ||
101 | ;; | ||
102 | |||
103 | status) | ||
104 | status /usr/sbin/sshd | ||
105 | exit $? | ||
106 | ;; | ||
107 | |||
108 | *) | ||
109 | echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}" | ||
110 | exit 1 | ||
111 | esac | ||
112 | |||
113 | exit 0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch new file mode 100644 index 0000000000..33111f5494 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/nostrip.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Disable stripping binaries during make install. | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Build system specific. | ||
6 | |||
7 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | ||
8 | |||
9 | diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in | ||
10 | --- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 | ||
11 | +++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 | ||
12 | @@ -29,7 +29,7 @@ | ||
13 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
14 | PRIVSEP_PATH=@PRIVSEP_PATH@ | ||
15 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | ||
16 | -STRIP_OPT=@STRIP_OPT@ | ||
17 | +STRIP_OPT= | ||
18 | |||
19 | PATHS= -DSSHDIR=\"$(sysconfdir)\" \ | ||
20 | -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000000..30c11cf432 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | openssh-CVE-2011-4327 | ||
2 | |||
3 | A security flaw was found in the way ssh-keysign, | ||
4 | a ssh helper program for host based authentication, | ||
5 | attempted to retrieve enough entropy information on configurations that | ||
6 | lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would | ||
7 | be executed to retrieve the entropy from the system environment). | ||
8 | A local attacker could use this flaw to obtain unauthorized access to host keys | ||
9 | via ptrace(2) process trace attached to the 'ssh-rand-helper' program. | ||
10 | |||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 | ||
12 | http://www.openssh.com/txt/portable-keysign-rand-helper.adv | ||
13 | |||
14 | Upstream-Status: Pending | ||
15 | |||
16 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
17 | --- a/ssh-keysign.c | ||
18 | +++ b/ssh-keysign.c | ||
19 | @@ -170,6 +170,10 @@ | ||
20 | key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); | ||
21 | key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); | ||
22 | key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); | ||
23 | + if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || | ||
24 | + fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || | ||
25 | + fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) | ||
26 | + fatal("fcntl failed"); | ||
27 | |||
28 | original_real_uid = getuid(); /* XXX readconf.c needs this */ | ||
29 | if ((pw = getpwuid(original_real_uid)) == NULL) | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config new file mode 100644 index 0000000000..4a4a649ba8 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config | |||
@@ -0,0 +1,46 @@ | |||
1 | # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ | ||
2 | |||
3 | # This is the ssh client system-wide configuration file. See | ||
4 | # ssh_config(5) for more information. This file provides defaults for | ||
5 | # users, and the values can be changed in per-user configuration files | ||
6 | # or on the command line. | ||
7 | |||
8 | # Configuration data is parsed as follows: | ||
9 | # 1. command line options | ||
10 | # 2. user-specific file | ||
11 | # 3. system-wide file | ||
12 | # Any configuration value is only changed the first time it is set. | ||
13 | # Thus, host-specific definitions should be at the beginning of the | ||
14 | # configuration file, and defaults at the end. | ||
15 | |||
16 | # Site-wide defaults for some commonly used options. For a comprehensive | ||
17 | # list of available options, their meanings and defaults, please see the | ||
18 | # ssh_config(5) man page. | ||
19 | |||
20 | Host * | ||
21 | ForwardAgent yes | ||
22 | ForwardX11 yes | ||
23 | # RhostsRSAAuthentication no | ||
24 | # RSAAuthentication yes | ||
25 | # PasswordAuthentication yes | ||
26 | # HostbasedAuthentication no | ||
27 | # GSSAPIAuthentication no | ||
28 | # GSSAPIDelegateCredentials no | ||
29 | # BatchMode no | ||
30 | # CheckHostIP yes | ||
31 | # AddressFamily any | ||
32 | # ConnectTimeout 0 | ||
33 | # StrictHostKeyChecking ask | ||
34 | # IdentityFile ~/.ssh/identity | ||
35 | # IdentityFile ~/.ssh/id_rsa | ||
36 | # IdentityFile ~/.ssh/id_dsa | ||
37 | # Port 22 | ||
38 | # Protocol 2,1 | ||
39 | # Cipher 3des | ||
40 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | ||
41 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | ||
42 | # EscapeChar ~ | ||
43 | # Tunnel no | ||
44 | # TunnelDevice any:any | ||
45 | # PermitLocalCommand no | ||
46 | # VisualHostKey no | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd new file mode 100644 index 0000000000..4882e58b48 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd | |||
@@ -0,0 +1,10 @@ | |||
1 | #%PAM-1.0 | ||
2 | |||
3 | auth include common-auth | ||
4 | account required pam_nologin.so | ||
5 | account include common-account | ||
6 | password include common-password | ||
7 | session optional pam_keyinit.so force revoke | ||
8 | session include common-session | ||
9 | session required pam_loginuid.so | ||
10 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket new file mode 100644 index 0000000000..12c39b26b5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Conflicts=sshd.service | ||
3 | |||
4 | [Socket] | ||
5 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | ||
6 | ListenStream=22 | ||
7 | Accept=yes | ||
8 | |||
9 | [Install] | ||
10 | WantedBy=sockets.target | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service new file mode 100644 index 0000000000..4eda6592f5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH Per-Connection Daemon | ||
3 | Wants=sshdgenkeys.service | ||
4 | After=sshdgenkeys.service | ||
5 | |||
6 | [Service] | ||
7 | ExecStart=-@SBINDIR@/sshd -i | ||
8 | ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID | ||
9 | StandardInput=socket | ||
10 | StandardError=syslog | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config new file mode 100644 index 0000000000..4f9b626fbd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config | |||
@@ -0,0 +1,119 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ | ||
2 | |||
3 | # This is the sshd server system-wide configuration file. See | ||
4 | # sshd_config(5) for more information. | ||
5 | |||
6 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
7 | |||
8 | # The strategy used for options in the default sshd_config shipped with | ||
9 | # OpenSSH is to specify options with their default value where | ||
10 | # possible, but leave them commented. Uncommented options change a | ||
11 | # default value. | ||
12 | |||
13 | #Port 22 | ||
14 | #AddressFamily any | ||
15 | #ListenAddress 0.0.0.0 | ||
16 | #ListenAddress :: | ||
17 | |||
18 | # Disable legacy (protocol version 1) support in the server for new | ||
19 | # installations. In future the default will change to require explicit | ||
20 | # activation of protocol 1 | ||
21 | Protocol 2 | ||
22 | |||
23 | # HostKey for protocol version 1 | ||
24 | #HostKey /etc/ssh/ssh_host_key | ||
25 | # HostKeys for protocol version 2 | ||
26 | #HostKey /etc/ssh/ssh_host_rsa_key | ||
27 | #HostKey /etc/ssh/ssh_host_dsa_key | ||
28 | |||
29 | # Lifetime and size of ephemeral version 1 server key | ||
30 | #KeyRegenerationInterval 1h | ||
31 | #ServerKeyBits 1024 | ||
32 | |||
33 | # Logging | ||
34 | # obsoletes QuietMode and FascistLogging | ||
35 | #SyslogFacility AUTH | ||
36 | #LogLevel INFO | ||
37 | |||
38 | # Authentication: | ||
39 | |||
40 | #LoginGraceTime 2m | ||
41 | #PermitRootLogin yes | ||
42 | #StrictModes yes | ||
43 | #MaxAuthTries 6 | ||
44 | #MaxSessions 10 | ||
45 | |||
46 | #RSAAuthentication yes | ||
47 | #PubkeyAuthentication yes | ||
48 | #AuthorizedKeysFile .ssh/authorized_keys | ||
49 | |||
50 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
51 | #RhostsRSAAuthentication no | ||
52 | # similar for protocol version 2 | ||
53 | #HostbasedAuthentication no | ||
54 | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
55 | # RhostsRSAAuthentication and HostbasedAuthentication | ||
56 | #IgnoreUserKnownHosts no | ||
57 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
58 | #IgnoreRhosts yes | ||
59 | |||
60 | # To disable tunneled clear text passwords, change to no here! | ||
61 | #PasswordAuthentication yes | ||
62 | #PermitEmptyPasswords no | ||
63 | |||
64 | # Change to no to disable s/key passwords | ||
65 | #ChallengeResponseAuthentication yes | ||
66 | |||
67 | # Kerberos options | ||
68 | #KerberosAuthentication no | ||
69 | #KerberosOrLocalPasswd yes | ||
70 | #KerberosTicketCleanup yes | ||
71 | #KerberosGetAFSToken no | ||
72 | |||
73 | # GSSAPI options | ||
74 | #GSSAPIAuthentication no | ||
75 | #GSSAPICleanupCredentials yes | ||
76 | |||
77 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
78 | # and session processing. If this is enabled, PAM authentication will | ||
79 | # be allowed through the ChallengeResponseAuthentication and | ||
80 | # PasswordAuthentication. Depending on your PAM configuration, | ||
81 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
82 | # the setting of "PermitRootLogin without-password". | ||
83 | # If you just want the PAM account and session checks to run without | ||
84 | # PAM authentication, then enable this but set PasswordAuthentication | ||
85 | # and ChallengeResponseAuthentication to 'no'. | ||
86 | #UsePAM no | ||
87 | |||
88 | #AllowAgentForwarding yes | ||
89 | #AllowTcpForwarding yes | ||
90 | #GatewayPorts no | ||
91 | #X11Forwarding no | ||
92 | #X11DisplayOffset 10 | ||
93 | #X11UseLocalhost yes | ||
94 | #PrintMotd yes | ||
95 | #PrintLastLog yes | ||
96 | #TCPKeepAlive yes | ||
97 | #UseLogin no | ||
98 | UsePrivilegeSeparation yes | ||
99 | #PermitUserEnvironment no | ||
100 | Compression no | ||
101 | ClientAliveInterval 15 | ||
102 | ClientAliveCountMax 4 | ||
103 | #UseDNS yes | ||
104 | #PidFile /var/run/sshd.pid | ||
105 | #MaxStartups 10 | ||
106 | #PermitTunnel no | ||
107 | #ChrootDirectory none | ||
108 | |||
109 | # no default banner path | ||
110 | #Banner none | ||
111 | |||
112 | # override default of no subsystems | ||
113 | Subsystem sftp /usr/libexec/sftp-server | ||
114 | |||
115 | # Example of overriding settings on a per-user basis | ||
116 | #Match User anoncvs | ||
117 | # X11Forwarding no | ||
118 | # AllowTcpForwarding no | ||
119 | # ForceCommand cvs server | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service new file mode 100644 index 0000000000..c21d70baf0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH Key Generation | ||
3 | ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key | ||
4 | ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key | ||
5 | ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key | ||
6 | |||
7 | [Service] | ||
8 | ExecStart=@BINDIR@/ssh-keygen -A | ||
9 | Type=oneshot | ||
10 | RemainAfterExit=yes | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd new file mode 100644 index 0000000000..122320a719 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | |||
@@ -0,0 +1 @@ | |||
d root root 0755 /var/run/sshd none | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb new file mode 100644 index 0000000000..a1a2503843 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb | |||
@@ -0,0 +1,147 @@ | |||
1 | SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" | ||
2 | DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ | ||
3 | Ssh (Secure Shell) is a program for logging into a remote machine \ | ||
4 | and for executing commands on a remote machine." | ||
5 | HOMEPAGE = "http://openssh.org" | ||
6 | SECTION = "console/network" | ||
7 | LICENSE = "BSD" | ||
8 | LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" | ||
9 | |||
10 | |||
11 | DEPENDS = "zlib openssl" | ||
12 | DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | ||
13 | |||
14 | RPROVIDES_${PN}-ssh = "ssh" | ||
15 | RPROVIDES_${PN}-sshd = "sshd" | ||
16 | |||
17 | RCONFLICTS_${PN} = "dropbear" | ||
18 | RCONFLICTS_${PN}-sshd = "dropbear" | ||
19 | RCONFLICTS_${PN}-keygen = "ssh-keygen" | ||
20 | |||
21 | SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ | ||
22 | file://nostrip.patch \ | ||
23 | file://sshd_config \ | ||
24 | file://ssh_config \ | ||
25 | file://init \ | ||
26 | file://openssh-CVE-2011-4327.patch \ | ||
27 | file://add-test-support-for-busybox.patch \ | ||
28 | file://run-ptest \ | ||
29 | ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | ||
30 | file://sshd.socket \ | ||
31 | file://sshd@.service \ | ||
32 | file://sshdgenkeys.service \ | ||
33 | file://volatiles.99_sshd " | ||
34 | |||
35 | PAM_SRC_URI = "file://sshd" | ||
36 | |||
37 | SRC_URI[md5sum] = "a084e7272b8cbd25afe0f5dce4802fef" | ||
38 | SRC_URI[sha256sum] = "a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027" | ||
39 | |||
40 | inherit useradd update-rc.d update-alternatives systemd ptest | ||
41 | |||
42 | USERADD_PACKAGES = "${PN}-sshd" | ||
43 | USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" | ||
44 | INITSCRIPT_PACKAGES = "${PN}-sshd" | ||
45 | INITSCRIPT_NAME_${PN}-sshd = "sshd" | ||
46 | INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" | ||
47 | |||
48 | SYSTEMD_PACKAGES = "${PN}-sshd" | ||
49 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" | ||
50 | |||
51 | PACKAGECONFIG ??= "tcp-wrappers" | ||
52 | PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" | ||
53 | |||
54 | inherit autotools-brokensep | ||
55 | |||
56 | # LFS support: | ||
57 | CFLAGS += "-D__FILE_OFFSET_BITS=64" | ||
58 | export LD = "${CC}" | ||
59 | |||
60 | EXTRA_OECONF = "${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ | ||
61 | --without-zlib-version-check \ | ||
62 | --with-privsep-path=/var/run/sshd \ | ||
63 | --sysconfdir=${sysconfdir}/ssh \ | ||
64 | --with-xauth=/usr/bin/xauth" | ||
65 | |||
66 | # Since we do not depend on libbsd, we do not want configure to use it | ||
67 | # just because it finds libutil.h. But, specifying --disable-libutil | ||
68 | # causes compile errors, so... | ||
69 | # | ||
70 | CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" | ||
71 | |||
72 | # This is a workaround for uclibc because including stdio.h | ||
73 | # pulls in pthreads.h and causes conflicts in function prototypes. | ||
74 | # This results in compilation failure, so unless this is fixed, | ||
75 | # disable pam for uclibc. | ||
76 | EXTRA_OECONF_append_libc-uclibc=" --without-pam" | ||
77 | |||
78 | do_configure_prepend () { | ||
79 | if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then | ||
80 | cp aclocal.m4 acinclude.m4 | ||
81 | fi | ||
82 | } | ||
83 | |||
84 | do_compile_append () { | ||
85 | install -m 0644 ${WORKDIR}/sshd_config ${S}/ | ||
86 | install -m 0644 ${WORKDIR}/ssh_config ${S}/ | ||
87 | } | ||
88 | |||
89 | do_install_append () { | ||
90 | if [ "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then | ||
91 | install -D -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd | ||
92 | sed -i -e 's:#UsePAM no:UsePAM yes:' ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config | ||
93 | fi | ||
94 | |||
95 | install -d ${D}${sysconfdir}/init.d | ||
96 | install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd | ||
97 | rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin | ||
98 | rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} | ||
99 | install -d ${D}/${sysconfdir}/default/volatiles | ||
100 | install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd | ||
101 | |||
102 | # Create config files for read-only rootfs | ||
103 | install -d ${D}${sysconfdir}/ssh | ||
104 | install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
105 | sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
106 | echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
107 | echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
108 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
109 | |||
110 | install -d ${D}${systemd_unitdir}/system | ||
111 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system | ||
112 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system | ||
113 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system | ||
114 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | ||
115 | -e 's,@SBINDIR@,${sbindir},g' \ | ||
116 | -e 's,@BINDIR@,${bindir},g' \ | ||
117 | ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service | ||
118 | } | ||
119 | |||
120 | do_install_ptest () { | ||
121 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libdir}/${PN}/sftp-server|" regress/test-exec.sh | ||
122 | cp -r regress ${D}${PTEST_PATH} | ||
123 | } | ||
124 | |||
125 | ALLOW_EMPTY_${PN} = "1" | ||
126 | |||
127 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" | ||
128 | FILES_${PN}-scp = "${bindir}/scp.${BPN}" | ||
129 | FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" | ||
130 | FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" | ||
131 | FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" | ||
132 | FILES_${PN}-sftp = "${bindir}/sftp" | ||
133 | FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | ||
134 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | ||
135 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | ||
136 | |||
137 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | ||
138 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@base_contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" | ||
139 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" | ||
140 | |||
141 | CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" | ||
142 | CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" | ||
143 | |||
144 | ALTERNATIVE_PRIORITY = "90" | ||
145 | ALTERNATIVE_${PN}-scp = "scp" | ||
146 | ALTERNATIVE_${PN}-ssh = "ssh" | ||
147 | |||