diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh')
19 files changed, 882 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch new file mode 100644 index 0000000000..5913597dfd --- /dev/null +++ b/meta/recipes-connectivity/openssh/files/add-test-support-for-busybox.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | Adjust test cases to work with busybox. | ||
2 | |||
3 | - Replace dd parameter "obs" with "bs". | ||
4 | - Replace "head -<num>" with "head -n <num>". | ||
5 | |||
6 | Signed-off-by: Björn Stenberg <bjst@enea.com> | ||
7 | Upstream-status: Pending | ||
8 | |||
9 | --- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200 | ||
10 | +++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100 | ||
11 | @@ -26,7 +26,7 @@ | ||
12 | echon "$c/$m:\t" | ||
13 | ( ${SSH} -o 'compression no' \ | ||
14 | -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ | ||
15 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
16 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
17 | < ${DATA} ) 2>&1 | getbytes | ||
18 | |||
19 | if [ $? -ne 0 ]; then | ||
20 | @@ -42,7 +42,7 @@ | ||
21 | echon "$c:\t" | ||
22 | ( ${SSH} -o 'compression no' \ | ||
23 | -F $OBJ/ssh_proxy -1 -c $c somehost \ | ||
24 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
25 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
26 | < ${DATA} ) 2>&1 | getbytes | ||
27 | if [ $? -ne 0 ]; then | ||
28 | fail "ssh -1 failed with cipher $c" | ||
29 | --- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200 | ||
30 | +++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100 | ||
31 | @@ -18,7 +18,7 @@ | ||
32 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
33 | trace "proto $p dd-size ${s}" | ||
34 | rm -f ${COPY} | ||
35 | - dd if=$DATA obs=${s} 2> /dev/null | \ | ||
36 | + dd if=$DATA bs=${s} 2> /dev/null | \ | ||
37 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
38 | if [ $? -ne 0 ]; then | ||
39 | fail "ssh cat $DATA failed" | ||
40 | --- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100 | ||
41 | +++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100 | ||
42 | @@ -4,7 +4,7 @@ | ||
43 | tid="yes pipe head" | ||
44 | |||
45 | for p in 1 2; do | ||
46 | - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` | ||
47 | + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` | ||
48 | if [ $? -ne 0 ]; then | ||
49 | fail "yes|head test failed" | ||
50 | lines = 0; | ||
51 | --- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200 | ||
52 | +++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100 | ||
53 | @@ -54,7 +54,7 @@ | ||
54 | fi | ||
55 | |||
56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | ||
57 | - from=`head -1 $authkeys | cut -f1 -d ' '` | ||
58 | + from=`head -n 1 $authkeys | cut -f1 -d ' '` | ||
59 | verbose "key option proto $p $from" | ||
60 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | ||
61 | if [ "$r" = "true" ]; then | ||
diff --git a/meta/recipes-connectivity/openssh/files/run-ptest b/meta/recipes-connectivity/openssh/files/run-ptest new file mode 100755 index 0000000000..3e725cf282 --- /dev/null +++ b/meta/recipes-connectivity/openssh/files/run-ptest | |||
@@ -0,0 +1,7 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | export TEST_SHELL=sh | ||
4 | |||
5 | cd regress | ||
6 | make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ | ||
7 | | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch new file mode 100644 index 0000000000..07af667869 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | Adjust test cases to work with busybox. | ||
2 | |||
3 | - Replace dd parameter "obs" with "bs". | ||
4 | - Replace "head -<num>" with "head -n <num>". | ||
5 | |||
6 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
7 | Upstream-Status: Pending | ||
8 | |||
9 | --- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200 | ||
10 | +++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100 | ||
11 | @@ -26,7 +26,7 @@ | ||
12 | echon "$c/$m:\t" | ||
13 | ( ${SSH} -o 'compression no' \ | ||
14 | -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ | ||
15 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
16 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
17 | < ${DATA} ) 2>&1 | getbytes | ||
18 | |||
19 | if [ $? -ne 0 ]; then | ||
20 | @@ -42,7 +42,7 @@ | ||
21 | echon "$c:\t" | ||
22 | ( ${SSH} -o 'compression no' \ | ||
23 | -F $OBJ/ssh_proxy -1 -c $c somehost \ | ||
24 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
25 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
26 | < ${DATA} ) 2>&1 | getbytes | ||
27 | if [ $? -ne 0 ]; then | ||
28 | fail "ssh -1 failed with cipher $c" | ||
29 | --- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200 | ||
30 | +++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100 | ||
31 | @@ -18,7 +18,7 @@ | ||
32 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
33 | trace "proto $p dd-size ${s}" | ||
34 | rm -f ${COPY} | ||
35 | - dd if=$DATA obs=${s} 2> /dev/null | \ | ||
36 | + dd if=$DATA bs=${s} 2> /dev/null | \ | ||
37 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
38 | if [ $? -ne 0 ]; then | ||
39 | fail "ssh cat $DATA failed" | ||
40 | --- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100 | ||
41 | +++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100 | ||
42 | @@ -4,7 +4,7 @@ | ||
43 | tid="yes pipe head" | ||
44 | |||
45 | for p in 1 2; do | ||
46 | - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` | ||
47 | + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` | ||
48 | if [ $? -ne 0 ]; then | ||
49 | fail "yes|head test failed" | ||
50 | lines = 0; | ||
51 | --- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200 | ||
52 | +++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100 | ||
53 | @@ -54,7 +54,7 @@ | ||
54 | fi | ||
55 | |||
56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | ||
57 | - from=`head -1 $authkeys | cut -f1 -d ' '` | ||
58 | + from=`head -n 1 $authkeys | cut -f1 -d ' '` | ||
59 | verbose "key option proto $p $from" | ||
60 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | ||
61 | if [ "$r" = "true" ]; then | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch new file mode 100644 index 0000000000..ba13cd1919 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | Upstream-Status: Pending | ||
2 | |||
3 | Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM | ||
4 | |||
5 | If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon | ||
6 | will try to authenticate an empty password, resulting in login failures of any user. | ||
7 | If PAM is enabled, then we should leave the task of password authentication to PAM. | ||
8 | |||
9 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
10 | |||
11 | --- | ||
12 | auth2-none.c | 2 +- | ||
13 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/auth2-none.c b/auth2-none.c | ||
16 | index c8c6c74..b48b2fd 100644 | ||
17 | --- a/auth2-none.c | ||
18 | +++ b/auth2-none.c | ||
19 | @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) | ||
20 | { | ||
21 | none_enabled = 0; | ||
22 | packet_check_eom(); | ||
23 | - if (options.permit_empty_passwd && options.password_authentication) | ||
24 | + if (options.permit_empty_passwd && options.password_authentication && !options.use_pam) | ||
25 | return (PRIVSEP(auth_password(authctxt, ""))); | ||
26 | return (0); | ||
27 | } | ||
28 | -- | ||
29 | 1.7.9.5 | ||
30 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init new file mode 100644 index 0000000000..70d4a34659 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/init | |||
@@ -0,0 +1,115 @@ | |||
1 | #! /bin/sh | ||
2 | set -e | ||
3 | |||
4 | PIDFILE=/var/run/sshd.pid | ||
5 | |||
6 | # source function library | ||
7 | . /etc/init.d/functions | ||
8 | |||
9 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon | ||
10 | |||
11 | test -x /usr/sbin/sshd || exit 0 | ||
12 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
13 | |||
14 | # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS | ||
15 | if test -f /etc/default/ssh; then | ||
16 | . /etc/default/ssh | ||
17 | fi | ||
18 | |||
19 | [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh | ||
20 | mkdir -p $SYSCONFDIR | ||
21 | |||
22 | HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key | ||
23 | HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key | ||
24 | HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key | ||
25 | HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key | ||
26 | |||
27 | check_for_no_start() { | ||
28 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
29 | if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then | ||
30 | echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)" | ||
31 | exit 0 | ||
32 | fi | ||
33 | } | ||
34 | |||
35 | check_privsep_dir() { | ||
36 | # Create the PrivSep empty dir if necessary | ||
37 | if [ ! -d /var/run/sshd ]; then | ||
38 | mkdir /var/run/sshd | ||
39 | chmod 0755 /var/run/sshd | ||
40 | fi | ||
41 | } | ||
42 | |||
43 | check_config() { | ||
44 | /usr/sbin/sshd -t || exit 1 | ||
45 | } | ||
46 | |||
47 | check_keys() { | ||
48 | # create keys if necessary | ||
49 | if [ ! -f $HOST_KEY_RSA ]; then | ||
50 | echo " generating ssh RSA key..." | ||
51 | ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa | ||
52 | fi | ||
53 | if [ ! -f $HOST_KEY_ECDSA ]; then | ||
54 | echo " generating ssh ECDSA key..." | ||
55 | ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa | ||
56 | fi | ||
57 | if [ ! -f $HOST_KEY_DSA ]; then | ||
58 | echo " generating ssh DSA key..." | ||
59 | ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa | ||
60 | fi | ||
61 | if [ ! -f $HOST_KEY_ED25519 ]; then | ||
62 | echo " generating ssh ED25519 key..." | ||
63 | ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 | ||
64 | fi | ||
65 | } | ||
66 | |||
67 | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" | ||
68 | |||
69 | case "$1" in | ||
70 | start) | ||
71 | check_for_no_start | ||
72 | echo "Starting OpenBSD Secure Shell server: sshd" | ||
73 | check_keys | ||
74 | check_privsep_dir | ||
75 | start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS | ||
76 | echo "done." | ||
77 | ;; | ||
78 | stop) | ||
79 | echo -n "Stopping OpenBSD Secure Shell server: sshd" | ||
80 | start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd | ||
81 | echo "." | ||
82 | ;; | ||
83 | |||
84 | reload|force-reload) | ||
85 | check_for_no_start | ||
86 | check_keys | ||
87 | check_config | ||
88 | echo -n "Reloading OpenBSD Secure Shell server's configuration" | ||
89 | start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd | ||
90 | echo "." | ||
91 | ;; | ||
92 | |||
93 | restart) | ||
94 | check_keys | ||
95 | check_config | ||
96 | echo -n "Restarting OpenBSD Secure Shell server: sshd" | ||
97 | start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd | ||
98 | check_for_no_start | ||
99 | check_privsep_dir | ||
100 | sleep 2 | ||
101 | start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS | ||
102 | echo "." | ||
103 | ;; | ||
104 | |||
105 | status) | ||
106 | status /usr/sbin/sshd | ||
107 | exit $? | ||
108 | ;; | ||
109 | |||
110 | *) | ||
111 | echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}" | ||
112 | exit 1 | ||
113 | esac | ||
114 | |||
115 | exit 0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch new file mode 100644 index 0000000000..33111f5494 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/nostrip.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Disable stripping binaries during make install. | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Build system specific. | ||
6 | |||
7 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | ||
8 | |||
9 | diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in | ||
10 | --- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 | ||
11 | +++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 | ||
12 | @@ -29,7 +29,7 @@ | ||
13 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
14 | PRIVSEP_PATH=@PRIVSEP_PATH@ | ||
15 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | ||
16 | -STRIP_OPT=@STRIP_OPT@ | ||
17 | +STRIP_OPT= | ||
18 | |||
19 | PATHS= -DSSHDIR=\"$(sysconfdir)\" \ | ||
20 | -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000000..30c11cf432 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | openssh-CVE-2011-4327 | ||
2 | |||
3 | A security flaw was found in the way ssh-keysign, | ||
4 | a ssh helper program for host based authentication, | ||
5 | attempted to retrieve enough entropy information on configurations that | ||
6 | lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would | ||
7 | be executed to retrieve the entropy from the system environment). | ||
8 | A local attacker could use this flaw to obtain unauthorized access to host keys | ||
9 | via ptrace(2) process trace attached to the 'ssh-rand-helper' program. | ||
10 | |||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 | ||
12 | http://www.openssh.com/txt/portable-keysign-rand-helper.adv | ||
13 | |||
14 | Upstream-Status: Pending | ||
15 | |||
16 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
17 | --- a/ssh-keysign.c | ||
18 | +++ b/ssh-keysign.c | ||
19 | @@ -170,6 +170,10 @@ | ||
20 | key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); | ||
21 | key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); | ||
22 | key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); | ||
23 | + if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || | ||
24 | + fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || | ||
25 | + fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) | ||
26 | + fatal("fcntl failed"); | ||
27 | |||
28 | original_real_uid = getuid(); /* XXX readconf.c needs this */ | ||
29 | if ((pw = getpwuid(original_real_uid)) == NULL) | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch new file mode 100644 index 0000000000..3deaf3f0e9 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch | |||
@@ -0,0 +1,22 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Fix for CVE-2014-2532 | ||
4 | |||
5 | Backported from openssh-6.6p1.tar.gz | ||
6 | |||
7 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
8 | --- | ||
9 | --- a/session.c | ||
10 | +++ b/session.c | ||
11 | @@ -955,6 +955,11 @@ | ||
12 | u_int envsize; | ||
13 | u_int i, namelen; | ||
14 | |||
15 | + if (strchr(name, '=') != NULL) { | ||
16 | + error("Invalid environment variable \"%.100s\"", name); | ||
17 | + return; | ||
18 | + } | ||
19 | + | ||
20 | /* | ||
21 | * If we're passed an uninitialized list, allocate a single null | ||
22 | * entry before continuing. | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch new file mode 100644 index 0000000000..674d186044 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | This CVE could be removed if openssh is upgrade to 6.6 or higher. | ||
4 | Below are some details. | ||
5 | |||
6 | Attempt SSHFP lookup even if server presents a certificate | ||
7 | |||
8 | Reference: | ||
9 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 | ||
10 | |||
11 | If an ssh server presents a certificate to the client, then the client | ||
12 | does not check the DNS for SSHFP records. This means that a malicious | ||
13 | server can essentially disable DNS-host-key-checking, which means the | ||
14 | client will fall back to asking the user (who will just say "yes" to | ||
15 | the fingerprint, sadly). | ||
16 | |||
17 | This patch means that the ssh client will, if necessary, extract the | ||
18 | server key from the proffered certificate, and attempt to verify it | ||
19 | against the DNS. The patch was written by Mark Wooding | ||
20 | <mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed | ||
21 | it, and tested it. | ||
22 | |||
23 | Signed-off-by: Matthew Vernon <matthew@debian.org> | ||
24 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
25 | --- | ||
26 | --- a/sshconnect.c | ||
27 | +++ b/sshconnect.c | ||
28 | @@ -1210,36 +1210,63 @@ fail: | ||
29 | return -1; | ||
30 | } | ||
31 | |||
32 | +static int | ||
33 | +check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
34 | +{ | ||
35 | + int rc = -1; | ||
36 | + int flags = 0; | ||
37 | + Key *raw_key = NULL; | ||
38 | + | ||
39 | + if (!options.verify_host_key_dns) | ||
40 | + goto done; | ||
41 | + | ||
42 | + /* XXX certs are not yet supported for DNS; try looking the raw key | ||
43 | + * up in the DNS anyway. | ||
44 | + */ | ||
45 | + if (key_is_cert(host_key)) { | ||
46 | + debug2("Extracting key from cert for SSHFP lookup"); | ||
47 | + raw_key = key_from_private(host_key); | ||
48 | + if (key_drop_cert(raw_key)) | ||
49 | + fatal("Couldn't drop certificate"); | ||
50 | + host_key = raw_key; | ||
51 | + } | ||
52 | + | ||
53 | + if (verify_host_key_dns(host, hostaddr, host_key, &flags)) | ||
54 | + goto done; | ||
55 | + | ||
56 | + if (flags & DNS_VERIFY_FOUND) { | ||
57 | + | ||
58 | + if (options.verify_host_key_dns == 1 && | ||
59 | + flags & DNS_VERIFY_MATCH && | ||
60 | + flags & DNS_VERIFY_SECURE) { | ||
61 | + rc = 0; | ||
62 | + } else if (flags & DNS_VERIFY_MATCH) { | ||
63 | + matching_host_key_dns = 1; | ||
64 | + } else { | ||
65 | + warn_changed_key(host_key); | ||
66 | + error("Update the SSHFP RR in DNS with the new " | ||
67 | + "host key to get rid of this message."); | ||
68 | + } | ||
69 | + } | ||
70 | + | ||
71 | +done: | ||
72 | + if (raw_key) | ||
73 | + key_free(raw_key); | ||
74 | + return rc; | ||
75 | +} | ||
76 | + | ||
77 | /* returns 0 if key verifies or -1 if key does NOT verify */ | ||
78 | int | ||
79 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
80 | { | ||
81 | - int flags = 0; | ||
82 | char *fp; | ||
83 | |||
84 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | ||
85 | debug("Server host key: %s %s", key_type(host_key), fp); | ||
86 | free(fp); | ||
87 | |||
88 | - /* XXX certs are not yet supported for DNS */ | ||
89 | - if (!key_is_cert(host_key) && options.verify_host_key_dns && | ||
90 | - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { | ||
91 | - if (flags & DNS_VERIFY_FOUND) { | ||
92 | - | ||
93 | - if (options.verify_host_key_dns == 1 && | ||
94 | - flags & DNS_VERIFY_MATCH && | ||
95 | - flags & DNS_VERIFY_SECURE) | ||
96 | - return 0; | ||
97 | - | ||
98 | - if (flags & DNS_VERIFY_MATCH) { | ||
99 | - matching_host_key_dns = 1; | ||
100 | - } else { | ||
101 | - warn_changed_key(host_key); | ||
102 | - error("Update the SSHFP RR in DNS with the new " | ||
103 | - "host key to get rid of this message."); | ||
104 | - } | ||
105 | - } | ||
106 | - } | ||
107 | + if (check_host_key_sshfp(host, hostaddr, host_key) == 0) | ||
108 | + return 0; | ||
109 | |||
110 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | ||
111 | options.user_hostfiles, options.num_user_hostfiles, | ||
112 | -- | ||
113 | 1.7.9.5 | ||
114 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch b/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch new file mode 100644 index 0000000000..091370129a --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | Fixed openssh ptest | ||
2 | |||
3 | ptests for openssh, apart from a lot of .sh scripts, also | ||
4 | require 2 executables to be cross-compiled for the target | ||
5 | and deployed there, that will be called from the test | ||
6 | scripts. | ||
7 | |||
8 | Those 2 files were not built when cross-compiling | ||
9 | (Makefile target all:), so I added them to the build, | ||
10 | under the target all_test. | ||
11 | |||
12 | This new make target is intended to be run from | ||
13 | do_compile_ptest(), that builds everything needed for | ||
14 | performing the ptests. | ||
15 | |||
16 | Because both these 2 executables required for ptest | ||
17 | are linked with libssh (LDFLAGS += -lssh), I also | ||
18 | added it as dependency for each of them. | ||
19 | |||
20 | Upstream-status: Inappropriate | ||
21 | |||
22 | Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com> | ||
23 | --- | ||
24 | --- a/Makefile.in 2014-12-10 16:19:37.513373454 +0100 | ||
25 | +++ b/Makefile.in 2014-12-10 16:25:23.262764227 +0100 | ||
26 | @@ -130,6 +130,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fix | ||
27 | |||
28 | all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) | ||
29 | |||
30 | +all_test: regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT) | ||
31 | + | ||
32 | $(LIBSSH_OBJS): Makefile.in config.h | ||
33 | $(SSHOBJS): Makefile.in config.h | ||
34 | $(SSHDOBJS): Makefile.in config.h | ||
35 | @@ -394,18 +396,18 @@ uninstall: | ||
36 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | ||
37 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | ||
38 | |||
39 | -regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c | ||
40 | +regress/modpipe$(EXEEXT): libssh.a | ||
41 | [ -d `pwd`/regress ] || mkdir -p `pwd`/regress | ||
42 | [ -f `pwd`/regress/Makefile ] || \ | ||
43 | ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile | ||
44 | - $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ | ||
45 | + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \ | ||
46 | $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) | ||
47 | |||
48 | -regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c | ||
49 | +regress/setuid-allowed$(EXEEXT): libssh.a | ||
50 | [ -d `pwd`/regress ] || mkdir -p `pwd`/regress | ||
51 | [ -f `pwd`/regress/Makefile ] || \ | ||
52 | ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile | ||
53 | - $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ | ||
54 | + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/setuid-allowed.c \ | ||
55 | $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) | ||
56 | |||
57 | tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT) | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest new file mode 100755 index 0000000000..3e725cf282 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest | |||
@@ -0,0 +1,7 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | export TEST_SHELL=sh | ||
4 | |||
5 | cd regress | ||
6 | make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ | ||
7 | | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config new file mode 100644 index 0000000000..4a4a649ba8 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config | |||
@@ -0,0 +1,46 @@ | |||
1 | # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ | ||
2 | |||
3 | # This is the ssh client system-wide configuration file. See | ||
4 | # ssh_config(5) for more information. This file provides defaults for | ||
5 | # users, and the values can be changed in per-user configuration files | ||
6 | # or on the command line. | ||
7 | |||
8 | # Configuration data is parsed as follows: | ||
9 | # 1. command line options | ||
10 | # 2. user-specific file | ||
11 | # 3. system-wide file | ||
12 | # Any configuration value is only changed the first time it is set. | ||
13 | # Thus, host-specific definitions should be at the beginning of the | ||
14 | # configuration file, and defaults at the end. | ||
15 | |||
16 | # Site-wide defaults for some commonly used options. For a comprehensive | ||
17 | # list of available options, their meanings and defaults, please see the | ||
18 | # ssh_config(5) man page. | ||
19 | |||
20 | Host * | ||
21 | ForwardAgent yes | ||
22 | ForwardX11 yes | ||
23 | # RhostsRSAAuthentication no | ||
24 | # RSAAuthentication yes | ||
25 | # PasswordAuthentication yes | ||
26 | # HostbasedAuthentication no | ||
27 | # GSSAPIAuthentication no | ||
28 | # GSSAPIDelegateCredentials no | ||
29 | # BatchMode no | ||
30 | # CheckHostIP yes | ||
31 | # AddressFamily any | ||
32 | # ConnectTimeout 0 | ||
33 | # StrictHostKeyChecking ask | ||
34 | # IdentityFile ~/.ssh/identity | ||
35 | # IdentityFile ~/.ssh/id_rsa | ||
36 | # IdentityFile ~/.ssh/id_dsa | ||
37 | # Port 22 | ||
38 | # Protocol 2,1 | ||
39 | # Cipher 3des | ||
40 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | ||
41 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | ||
42 | # EscapeChar ~ | ||
43 | # Tunnel no | ||
44 | # TunnelDevice any:any | ||
45 | # PermitLocalCommand no | ||
46 | # VisualHostKey no | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd new file mode 100644 index 0000000000..4882e58b48 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd | |||
@@ -0,0 +1,10 @@ | |||
1 | #%PAM-1.0 | ||
2 | |||
3 | auth include common-auth | ||
4 | account required pam_nologin.so | ||
5 | account include common-account | ||
6 | password include common-password | ||
7 | session optional pam_keyinit.so force revoke | ||
8 | session include common-session | ||
9 | session required pam_loginuid.so | ||
10 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket new file mode 100644 index 0000000000..12c39b26b5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Conflicts=sshd.service | ||
3 | |||
4 | [Socket] | ||
5 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | ||
6 | ListenStream=22 | ||
7 | Accept=yes | ||
8 | |||
9 | [Install] | ||
10 | WantedBy=sockets.target | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service new file mode 100644 index 0000000000..bb2d68e96a --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service | |||
@@ -0,0 +1,11 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH Per-Connection Daemon | ||
3 | Wants=sshdgenkeys.service | ||
4 | After=sshdgenkeys.service | ||
5 | |||
6 | [Service] | ||
7 | ExecStart=-@SBINDIR@/sshd -i | ||
8 | ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID | ||
9 | StandardInput=socket | ||
10 | StandardError=syslog | ||
11 | KillMode=process | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config new file mode 100644 index 0000000000..4f9b626fbd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config | |||
@@ -0,0 +1,119 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ | ||
2 | |||
3 | # This is the sshd server system-wide configuration file. See | ||
4 | # sshd_config(5) for more information. | ||
5 | |||
6 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
7 | |||
8 | # The strategy used for options in the default sshd_config shipped with | ||
9 | # OpenSSH is to specify options with their default value where | ||
10 | # possible, but leave them commented. Uncommented options change a | ||
11 | # default value. | ||
12 | |||
13 | #Port 22 | ||
14 | #AddressFamily any | ||
15 | #ListenAddress 0.0.0.0 | ||
16 | #ListenAddress :: | ||
17 | |||
18 | # Disable legacy (protocol version 1) support in the server for new | ||
19 | # installations. In future the default will change to require explicit | ||
20 | # activation of protocol 1 | ||
21 | Protocol 2 | ||
22 | |||
23 | # HostKey for protocol version 1 | ||
24 | #HostKey /etc/ssh/ssh_host_key | ||
25 | # HostKeys for protocol version 2 | ||
26 | #HostKey /etc/ssh/ssh_host_rsa_key | ||
27 | #HostKey /etc/ssh/ssh_host_dsa_key | ||
28 | |||
29 | # Lifetime and size of ephemeral version 1 server key | ||
30 | #KeyRegenerationInterval 1h | ||
31 | #ServerKeyBits 1024 | ||
32 | |||
33 | # Logging | ||
34 | # obsoletes QuietMode and FascistLogging | ||
35 | #SyslogFacility AUTH | ||
36 | #LogLevel INFO | ||
37 | |||
38 | # Authentication: | ||
39 | |||
40 | #LoginGraceTime 2m | ||
41 | #PermitRootLogin yes | ||
42 | #StrictModes yes | ||
43 | #MaxAuthTries 6 | ||
44 | #MaxSessions 10 | ||
45 | |||
46 | #RSAAuthentication yes | ||
47 | #PubkeyAuthentication yes | ||
48 | #AuthorizedKeysFile .ssh/authorized_keys | ||
49 | |||
50 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
51 | #RhostsRSAAuthentication no | ||
52 | # similar for protocol version 2 | ||
53 | #HostbasedAuthentication no | ||
54 | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
55 | # RhostsRSAAuthentication and HostbasedAuthentication | ||
56 | #IgnoreUserKnownHosts no | ||
57 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
58 | #IgnoreRhosts yes | ||
59 | |||
60 | # To disable tunneled clear text passwords, change to no here! | ||
61 | #PasswordAuthentication yes | ||
62 | #PermitEmptyPasswords no | ||
63 | |||
64 | # Change to no to disable s/key passwords | ||
65 | #ChallengeResponseAuthentication yes | ||
66 | |||
67 | # Kerberos options | ||
68 | #KerberosAuthentication no | ||
69 | #KerberosOrLocalPasswd yes | ||
70 | #KerberosTicketCleanup yes | ||
71 | #KerberosGetAFSToken no | ||
72 | |||
73 | # GSSAPI options | ||
74 | #GSSAPIAuthentication no | ||
75 | #GSSAPICleanupCredentials yes | ||
76 | |||
77 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
78 | # and session processing. If this is enabled, PAM authentication will | ||
79 | # be allowed through the ChallengeResponseAuthentication and | ||
80 | # PasswordAuthentication. Depending on your PAM configuration, | ||
81 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
82 | # the setting of "PermitRootLogin without-password". | ||
83 | # If you just want the PAM account and session checks to run without | ||
84 | # PAM authentication, then enable this but set PasswordAuthentication | ||
85 | # and ChallengeResponseAuthentication to 'no'. | ||
86 | #UsePAM no | ||
87 | |||
88 | #AllowAgentForwarding yes | ||
89 | #AllowTcpForwarding yes | ||
90 | #GatewayPorts no | ||
91 | #X11Forwarding no | ||
92 | #X11DisplayOffset 10 | ||
93 | #X11UseLocalhost yes | ||
94 | #PrintMotd yes | ||
95 | #PrintLastLog yes | ||
96 | #TCPKeepAlive yes | ||
97 | #UseLogin no | ||
98 | UsePrivilegeSeparation yes | ||
99 | #PermitUserEnvironment no | ||
100 | Compression no | ||
101 | ClientAliveInterval 15 | ||
102 | ClientAliveCountMax 4 | ||
103 | #UseDNS yes | ||
104 | #PidFile /var/run/sshd.pid | ||
105 | #MaxStartups 10 | ||
106 | #PermitTunnel no | ||
107 | #ChrootDirectory none | ||
108 | |||
109 | # no default banner path | ||
110 | #Banner none | ||
111 | |||
112 | # override default of no subsystems | ||
113 | Subsystem sftp /usr/libexec/sftp-server | ||
114 | |||
115 | # Example of overriding settings on a per-user basis | ||
116 | #Match User anoncvs | ||
117 | # X11Forwarding no | ||
118 | # AllowTcpForwarding no | ||
119 | # ForceCommand cvs server | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service new file mode 100644 index 0000000000..c21d70baf0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH Key Generation | ||
3 | ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key | ||
4 | ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key | ||
5 | ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key | ||
6 | |||
7 | [Service] | ||
8 | ExecStart=@BINDIR@/ssh-keygen -A | ||
9 | Type=oneshot | ||
10 | RemainAfterExit=yes | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd new file mode 100644 index 0000000000..a0d2af3c65 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | |||
@@ -0,0 +1,2 @@ | |||
1 | d root root 0755 /var/run/sshd none | ||
2 | f root root 0644 /var/log/lastlog none | ||
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb new file mode 100644 index 0000000000..f575665e4c --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb | |||
@@ -0,0 +1,151 @@ | |||
1 | SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" | ||
2 | DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ | ||
3 | Ssh (Secure Shell) is a program for logging into a remote machine \ | ||
4 | and for executing commands on a remote machine." | ||
5 | HOMEPAGE = "http://openssh.org" | ||
6 | SECTION = "console/network" | ||
7 | LICENSE = "BSD" | ||
8 | LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" | ||
9 | |||
10 | DEPENDS = "zlib openssl" | ||
11 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | ||
12 | |||
13 | SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ | ||
14 | file://nostrip.patch \ | ||
15 | file://sshd_config \ | ||
16 | file://ssh_config \ | ||
17 | file://init \ | ||
18 | file://openssh-CVE-2011-4327.patch \ | ||
19 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | ||
20 | file://sshd.socket \ | ||
21 | file://sshd@.service \ | ||
22 | file://sshdgenkeys.service \ | ||
23 | file://volatiles.99_sshd \ | ||
24 | file://add-test-support-for-busybox.patch \ | ||
25 | file://run-ptest \ | ||
26 | file://openssh-CVE-2014-2532.patch \ | ||
27 | file://openssh-CVE-2014-2653.patch \ | ||
28 | file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" | ||
29 | |||
30 | PAM_SRC_URI = "file://sshd" | ||
31 | |||
32 | SRC_URI[md5sum] = "3e9800e6bca1fbac0eea4d41baa7f239" | ||
33 | SRC_URI[sha256sum] = "48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb" | ||
34 | |||
35 | inherit useradd update-rc.d update-alternatives systemd | ||
36 | |||
37 | USERADD_PACKAGES = "${PN}-sshd" | ||
38 | USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" | ||
39 | INITSCRIPT_PACKAGES = "${PN}-sshd" | ||
40 | INITSCRIPT_NAME_${PN}-sshd = "sshd" | ||
41 | INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" | ||
42 | |||
43 | SYSTEMD_PACKAGES = "${PN}-sshd" | ||
44 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" | ||
45 | |||
46 | PACKAGECONFIG ??= "tcp-wrappers" | ||
47 | PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" | ||
48 | |||
49 | inherit autotools-brokensep ptest | ||
50 | |||
51 | # LFS support: | ||
52 | CFLAGS += "-D__FILE_OFFSET_BITS=64" | ||
53 | |||
54 | # login path is hardcoded in sshd | ||
55 | EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ | ||
56 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ | ||
57 | --without-zlib-version-check \ | ||
58 | --with-privsep-path=/var/run/sshd \ | ||
59 | --sysconfdir=${sysconfdir}/ssh \ | ||
60 | --with-xauth=/usr/bin/xauth" | ||
61 | |||
62 | # Since we do not depend on libbsd, we do not want configure to use it | ||
63 | # just because it finds libutil.h. But, specifying --disable-libutil | ||
64 | # causes compile errors, so... | ||
65 | CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" | ||
66 | |||
67 | # passwd path is hardcoded in sshd | ||
68 | CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" | ||
69 | |||
70 | # This is a workaround for uclibc because including stdio.h | ||
71 | # pulls in pthreads.h and causes conflicts in function prototypes. | ||
72 | # This results in compilation failure, so unless this is fixed, | ||
73 | # disable pam for uclibc. | ||
74 | EXTRA_OECONF_append_libc-uclibc=" --without-pam" | ||
75 | |||
76 | do_configure_prepend () { | ||
77 | export LD="${CC}" | ||
78 | install -m 0644 ${WORKDIR}/sshd_config ${B}/ | ||
79 | install -m 0644 ${WORKDIR}/ssh_config ${B}/ | ||
80 | if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then | ||
81 | cp aclocal.m4 acinclude.m4 | ||
82 | fi | ||
83 | } | ||
84 | |||
85 | do_install_append () { | ||
86 | if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then | ||
87 | install -D -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd | ||
88 | sed -i -e 's:#UsePAM no:UsePAM yes:' ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config | ||
89 | fi | ||
90 | |||
91 | install -d ${D}${sysconfdir}/init.d | ||
92 | install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd | ||
93 | rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin | ||
94 | rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} | ||
95 | install -d ${D}/${sysconfdir}/default/volatiles | ||
96 | install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd | ||
97 | install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} | ||
98 | |||
99 | # Create config files for read-only rootfs | ||
100 | install -d ${D}${sysconfdir}/ssh | ||
101 | install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
102 | sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
103 | echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
104 | echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
105 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
106 | |||
107 | install -d ${D}${systemd_unitdir}/system | ||
108 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system | ||
109 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system | ||
110 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system | ||
111 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | ||
112 | -e 's,@SBINDIR@,${sbindir},g' \ | ||
113 | -e 's,@BINDIR@,${bindir},g' \ | ||
114 | ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service | ||
115 | } | ||
116 | |||
117 | do_install_ptest () { | ||
118 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libdir}/${PN}/sftp-server|" regress/test-exec.sh | ||
119 | cp -r regress ${D}${PTEST_PATH} | ||
120 | } | ||
121 | |||
122 | ALLOW_EMPTY_${PN} = "1" | ||
123 | |||
124 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" | ||
125 | FILES_${PN}-scp = "${bindir}/scp.${BPN}" | ||
126 | FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" | ||
127 | FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" | ||
128 | FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" | ||
129 | FILES_${PN}-sftp = "${bindir}/sftp" | ||
130 | FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | ||
131 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | ||
132 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | ||
133 | |||
134 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | ||
135 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" | ||
136 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" | ||
137 | |||
138 | RPROVIDES_${PN}-ssh = "ssh" | ||
139 | RPROVIDES_${PN}-sshd = "sshd" | ||
140 | |||
141 | RCONFLICTS_${PN} = "dropbear" | ||
142 | RCONFLICTS_${PN}-sshd = "dropbear" | ||
143 | RCONFLICTS_${PN}-keygen = "ssh-keygen" | ||
144 | |||
145 | CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" | ||
146 | CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" | ||
147 | |||
148 | ALTERNATIVE_PRIORITY = "90" | ||
149 | ALTERNATIVE_${PN}-scp = "scp" | ||
150 | ALTERNATIVE_${PN}-ssh = "ssh" | ||
151 | |||