diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh')
14 files changed, 653 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/add-test-support-for-busybox.patch new file mode 100644 index 0000000000..5913597dfd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/add-test-support-for-busybox.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | Adjust test cases to work with busybox. | ||
2 | |||
3 | - Replace dd parameter "obs" with "bs". | ||
4 | - Replace "head -<num>" with "head -n <num>". | ||
5 | |||
6 | Signed-off-by: Björn Stenberg <bjst@enea.com> | ||
7 | Upstream-status: Pending | ||
8 | |||
9 | --- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200 | ||
10 | +++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100 | ||
11 | @@ -26,7 +26,7 @@ | ||
12 | echon "$c/$m:\t" | ||
13 | ( ${SSH} -o 'compression no' \ | ||
14 | -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ | ||
15 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
16 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
17 | < ${DATA} ) 2>&1 | getbytes | ||
18 | |||
19 | if [ $? -ne 0 ]; then | ||
20 | @@ -42,7 +42,7 @@ | ||
21 | echon "$c:\t" | ||
22 | ( ${SSH} -o 'compression no' \ | ||
23 | -F $OBJ/ssh_proxy -1 -c $c somehost \ | ||
24 | - exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
25 | + exec sh -c \'"dd of=/dev/null bs=32k"\' \ | ||
26 | < ${DATA} ) 2>&1 | getbytes | ||
27 | if [ $? -ne 0 ]; then | ||
28 | fail "ssh -1 failed with cipher $c" | ||
29 | --- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200 | ||
30 | +++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100 | ||
31 | @@ -18,7 +18,7 @@ | ||
32 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
33 | trace "proto $p dd-size ${s}" | ||
34 | rm -f ${COPY} | ||
35 | - dd if=$DATA obs=${s} 2> /dev/null | \ | ||
36 | + dd if=$DATA bs=${s} 2> /dev/null | \ | ||
37 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
38 | if [ $? -ne 0 ]; then | ||
39 | fail "ssh cat $DATA failed" | ||
40 | --- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100 | ||
41 | +++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100 | ||
42 | @@ -4,7 +4,7 @@ | ||
43 | tid="yes pipe head" | ||
44 | |||
45 | for p in 1 2; do | ||
46 | - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` | ||
47 | + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` | ||
48 | if [ $? -ne 0 ]; then | ||
49 | fail "yes|head test failed" | ||
50 | lines = 0; | ||
51 | --- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200 | ||
52 | +++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100 | ||
53 | @@ -54,7 +54,7 @@ | ||
54 | fi | ||
55 | |||
56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | ||
57 | - from=`head -1 $authkeys | cut -f1 -d ' '` | ||
58 | + from=`head -n 1 $authkeys | cut -f1 -d ' '` | ||
59 | verbose "key option proto $p $from" | ||
60 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | ||
61 | if [ "$r" = "true" ]; then | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init b/meta/recipes-connectivity/openssh/openssh-6.2p2/init new file mode 100644 index 0000000000..266689c2cf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/init | |||
@@ -0,0 +1,108 @@ | |||
1 | #! /bin/sh | ||
2 | set -e | ||
3 | |||
4 | # source function library | ||
5 | . /etc/init.d/functions | ||
6 | |||
7 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon | ||
8 | |||
9 | test -x /usr/sbin/sshd || exit 0 | ||
10 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
11 | |||
12 | # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS | ||
13 | if test -f /etc/default/ssh; then | ||
14 | . /etc/default/ssh | ||
15 | fi | ||
16 | |||
17 | [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh | ||
18 | mkdir -p $SYSCONFDIR | ||
19 | |||
20 | HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key | ||
21 | HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key | ||
22 | HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key | ||
23 | |||
24 | check_for_no_start() { | ||
25 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
26 | if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then | ||
27 | echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)" | ||
28 | exit 0 | ||
29 | fi | ||
30 | } | ||
31 | |||
32 | check_privsep_dir() { | ||
33 | # Create the PrivSep empty dir if necessary | ||
34 | if [ ! -d /var/run/sshd ]; then | ||
35 | mkdir /var/run/sshd | ||
36 | chmod 0755 /var/run/sshd | ||
37 | fi | ||
38 | } | ||
39 | |||
40 | check_config() { | ||
41 | /usr/sbin/sshd -t || exit 1 | ||
42 | } | ||
43 | |||
44 | check_keys() { | ||
45 | # create keys if necessary | ||
46 | if [ ! -f $HOST_KEY_RSA ]; then | ||
47 | echo " generating ssh RSA key..." | ||
48 | ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa | ||
49 | fi | ||
50 | if [ ! -f $HOST_KEY_ECDSA ]; then | ||
51 | echo " generating ssh ECDSA key..." | ||
52 | ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa | ||
53 | fi | ||
54 | if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then | ||
55 | echo " generating ssh DSA key..." | ||
56 | ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa | ||
57 | fi | ||
58 | } | ||
59 | |||
60 | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" | ||
61 | |||
62 | case "$1" in | ||
63 | start) | ||
64 | check_for_no_start | ||
65 | echo "Starting OpenBSD Secure Shell server: sshd" | ||
66 | check_keys | ||
67 | check_privsep_dir | ||
68 | start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS | ||
69 | echo "done." | ||
70 | ;; | ||
71 | stop) | ||
72 | echo -n "Stopping OpenBSD Secure Shell server: sshd" | ||
73 | start-stop-daemon -K -x /usr/sbin/sshd | ||
74 | echo "." | ||
75 | ;; | ||
76 | |||
77 | reload|force-reload) | ||
78 | check_for_no_start | ||
79 | check_keys | ||
80 | check_config | ||
81 | echo -n "Reloading OpenBSD Secure Shell server's configuration" | ||
82 | start-stop-daemon -K -s 1 -x /usr/sbin/sshd | ||
83 | echo "." | ||
84 | ;; | ||
85 | |||
86 | restart) | ||
87 | check_keys | ||
88 | check_config | ||
89 | echo -n "Restarting OpenBSD Secure Shell server: sshd" | ||
90 | start-stop-daemon -K --oknodo -x /usr/sbin/sshd | ||
91 | check_for_no_start | ||
92 | check_privsep_dir | ||
93 | sleep 2 | ||
94 | start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS | ||
95 | echo "." | ||
96 | ;; | ||
97 | |||
98 | status) | ||
99 | status /usr/sbin/sshd | ||
100 | return $? | ||
101 | ;; | ||
102 | |||
103 | *) | ||
104 | echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}" | ||
105 | exit 1 | ||
106 | esac | ||
107 | |||
108 | exit 0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch new file mode 100644 index 0000000000..69fb69daeb --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch | |||
@@ -0,0 +1,76 @@ | |||
1 | [PATCH] force the MAC output to be 64-bit aligned | ||
2 | |||
3 | Upstream-Status: Backport[anoncvs.mindrot.org/index.cgi/openssh/mac.c?r1=1.27&r2=1.28] | ||
4 | |||
5 | Backport patch to fix segment fault due to unaligned memory access | ||
6 | |||
7 | Wed Jun 5 22:12:37 2013 UTC (7 days, 3 hours ago) by dtucker | ||
8 | Branch: MAIN | ||
9 | CVS Tags: HEAD | ||
10 | Changes since 1.27: +11 -8 lines | ||
11 | Diff to previous 1.27 | ||
12 | |||
13 | - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 | ||
14 | [mac.c] | ||
15 | force the MAC output to be 64-bit aligned so umac won't see | ||
16 | unaligned | ||
17 | accesses on strict-alignment architectures. bz#2101, patch from | ||
18 | tomas.kuthan at oracle.com, ok djm@ | ||
19 | --- | ||
20 | mac.c | 18 +++++++++++------- | ||
21 | 1 file changed, 11 insertions(+), 7 deletions(-) | ||
22 | |||
23 | diff --git a/mac.c b/mac.c | ||
24 | index 3f2dc6f..a5a80d3 100644 | ||
25 | --- a/mac.c | ||
26 | +++ b/mac.c | ||
27 | @@ -152,12 +152,16 @@ mac_init(Mac *mac) | ||
28 | u_char * | ||
29 | mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) | ||
30 | { | ||
31 | - static u_char m[EVP_MAX_MD_SIZE]; | ||
32 | + static union { | ||
33 | + u_char m[EVP_MAX_MD_SIZE]; | ||
34 | + u_int64_t for_align; | ||
35 | + } u; | ||
36 | + | ||
37 | u_char b[4], nonce[8]; | ||
38 | |||
39 | - if (mac->mac_len > sizeof(m)) | ||
40 | + if (mac->mac_len > sizeof(u)) | ||
41 | fatal("mac_compute: mac too long %u %lu", | ||
42 | - mac->mac_len, (u_long)sizeof(m)); | ||
43 | + mac->mac_len, (u_long)sizeof(u)); | ||
44 | |||
45 | switch (mac->type) { | ||
46 | case SSH_EVP: | ||
47 | @@ -166,22 +170,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) | ||
48 | HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); | ||
49 | HMAC_Update(&mac->evp_ctx, b, sizeof(b)); | ||
50 | HMAC_Update(&mac->evp_ctx, data, datalen); | ||
51 | - HMAC_Final(&mac->evp_ctx, m, NULL); | ||
52 | + HMAC_Final(&mac->evp_ctx, u.m, NULL); | ||
53 | break; | ||
54 | case SSH_UMAC: | ||
55 | put_u64(nonce, seqno); | ||
56 | umac_update(mac->umac_ctx, data, datalen); | ||
57 | - umac_final(mac->umac_ctx, m, nonce); | ||
58 | + umac_final(mac->umac_ctx, u.m, nonce); | ||
59 | break; | ||
60 | case SSH_UMAC128: | ||
61 | put_u64(nonce, seqno); | ||
62 | umac128_update(mac->umac_ctx, data, datalen); | ||
63 | - umac128_final(mac->umac_ctx, m, nonce); | ||
64 | + umac128_final(mac->umac_ctx, u.m, nonce); | ||
65 | break; | ||
66 | default: | ||
67 | fatal("mac_compute: unknown MAC type"); | ||
68 | } | ||
69 | - return (m); | ||
70 | + return (u.m); | ||
71 | } | ||
72 | |||
73 | void | ||
74 | -- | ||
75 | 1.7.9.5 | ||
76 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch new file mode 100644 index 0000000000..33111f5494 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Disable stripping binaries during make install. | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Build system specific. | ||
6 | |||
7 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | ||
8 | |||
9 | diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in | ||
10 | --- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 | ||
11 | +++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 | ||
12 | @@ -29,7 +29,7 @@ | ||
13 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
14 | PRIVSEP_PATH=@PRIVSEP_PATH@ | ||
15 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | ||
16 | -STRIP_OPT=@STRIP_OPT@ | ||
17 | +STRIP_OPT= | ||
18 | |||
19 | PATHS= -DSSHDIR=\"$(sysconfdir)\" \ | ||
20 | -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000000..30c11cf432 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | openssh-CVE-2011-4327 | ||
2 | |||
3 | A security flaw was found in the way ssh-keysign, | ||
4 | a ssh helper program for host based authentication, | ||
5 | attempted to retrieve enough entropy information on configurations that | ||
6 | lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would | ||
7 | be executed to retrieve the entropy from the system environment). | ||
8 | A local attacker could use this flaw to obtain unauthorized access to host keys | ||
9 | via ptrace(2) process trace attached to the 'ssh-rand-helper' program. | ||
10 | |||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 | ||
12 | http://www.openssh.com/txt/portable-keysign-rand-helper.adv | ||
13 | |||
14 | Upstream-Status: Pending | ||
15 | |||
16 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
17 | --- a/ssh-keysign.c | ||
18 | +++ b/ssh-keysign.c | ||
19 | @@ -170,6 +170,10 @@ | ||
20 | key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); | ||
21 | key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); | ||
22 | key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); | ||
23 | + if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || | ||
24 | + fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || | ||
25 | + fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) | ||
26 | + fatal("fcntl failed"); | ||
27 | |||
28 | original_real_uid = getuid(); /* XXX readconf.c needs this */ | ||
29 | if ((pw = getpwuid(original_real_uid)) == NULL) | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/run-ptest b/meta/recipes-connectivity/openssh/openssh-6.2p2/run-ptest new file mode 100755 index 0000000000..3e725cf282 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/run-ptest | |||
@@ -0,0 +1,7 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | export TEST_SHELL=sh | ||
4 | |||
5 | cd regress | ||
6 | make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ | ||
7 | | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config new file mode 100644 index 0000000000..4a4a649ba8 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config | |||
@@ -0,0 +1,46 @@ | |||
1 | # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ | ||
2 | |||
3 | # This is the ssh client system-wide configuration file. See | ||
4 | # ssh_config(5) for more information. This file provides defaults for | ||
5 | # users, and the values can be changed in per-user configuration files | ||
6 | # or on the command line. | ||
7 | |||
8 | # Configuration data is parsed as follows: | ||
9 | # 1. command line options | ||
10 | # 2. user-specific file | ||
11 | # 3. system-wide file | ||
12 | # Any configuration value is only changed the first time it is set. | ||
13 | # Thus, host-specific definitions should be at the beginning of the | ||
14 | # configuration file, and defaults at the end. | ||
15 | |||
16 | # Site-wide defaults for some commonly used options. For a comprehensive | ||
17 | # list of available options, their meanings and defaults, please see the | ||
18 | # ssh_config(5) man page. | ||
19 | |||
20 | Host * | ||
21 | ForwardAgent yes | ||
22 | ForwardX11 yes | ||
23 | # RhostsRSAAuthentication no | ||
24 | # RSAAuthentication yes | ||
25 | # PasswordAuthentication yes | ||
26 | # HostbasedAuthentication no | ||
27 | # GSSAPIAuthentication no | ||
28 | # GSSAPIDelegateCredentials no | ||
29 | # BatchMode no | ||
30 | # CheckHostIP yes | ||
31 | # AddressFamily any | ||
32 | # ConnectTimeout 0 | ||
33 | # StrictHostKeyChecking ask | ||
34 | # IdentityFile ~/.ssh/identity | ||
35 | # IdentityFile ~/.ssh/id_rsa | ||
36 | # IdentityFile ~/.ssh/id_dsa | ||
37 | # Port 22 | ||
38 | # Protocol 2,1 | ||
39 | # Cipher 3des | ||
40 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | ||
41 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | ||
42 | # EscapeChar ~ | ||
43 | # Tunnel no | ||
44 | # TunnelDevice any:any | ||
45 | # PermitLocalCommand no | ||
46 | # VisualHostKey no | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd new file mode 100644 index 0000000000..4882e58b48 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd | |||
@@ -0,0 +1,10 @@ | |||
1 | #%PAM-1.0 | ||
2 | |||
3 | auth include common-auth | ||
4 | account required pam_nologin.so | ||
5 | account include common-account | ||
6 | password include common-password | ||
7 | session optional pam_keyinit.so force revoke | ||
8 | session include common-session | ||
9 | session required pam_loginuid.so | ||
10 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd.socket b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd.socket new file mode 100644 index 0000000000..d19ab2ac43 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd.socket | |||
@@ -0,0 +1,11 @@ | |||
1 | [Unit] | ||
2 | Conflicts=sshd.service | ||
3 | |||
4 | [Socket] | ||
5 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | ||
6 | ListenStream=22 | ||
7 | Accept=yes | ||
8 | |||
9 | [Install] | ||
10 | WantedBy=sockets.target | ||
11 | Also=sshdgenkeys.service | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd@.service b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd@.service new file mode 100644 index 0000000000..64e009ff00 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd@.service | |||
@@ -0,0 +1,9 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH Per-Connection Daemon | ||
3 | After=sshdgenkeys.service | ||
4 | |||
5 | [Service] | ||
6 | ExecStart=-@SBINDIR@/sshd -i | ||
7 | ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID | ||
8 | StandardInput=socket | ||
9 | StandardError=syslog | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config new file mode 100644 index 0000000000..4f9b626fbd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | |||
@@ -0,0 +1,119 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ | ||
2 | |||
3 | # This is the sshd server system-wide configuration file. See | ||
4 | # sshd_config(5) for more information. | ||
5 | |||
6 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
7 | |||
8 | # The strategy used for options in the default sshd_config shipped with | ||
9 | # OpenSSH is to specify options with their default value where | ||
10 | # possible, but leave them commented. Uncommented options change a | ||
11 | # default value. | ||
12 | |||
13 | #Port 22 | ||
14 | #AddressFamily any | ||
15 | #ListenAddress 0.0.0.0 | ||
16 | #ListenAddress :: | ||
17 | |||
18 | # Disable legacy (protocol version 1) support in the server for new | ||
19 | # installations. In future the default will change to require explicit | ||
20 | # activation of protocol 1 | ||
21 | Protocol 2 | ||
22 | |||
23 | # HostKey for protocol version 1 | ||
24 | #HostKey /etc/ssh/ssh_host_key | ||
25 | # HostKeys for protocol version 2 | ||
26 | #HostKey /etc/ssh/ssh_host_rsa_key | ||
27 | #HostKey /etc/ssh/ssh_host_dsa_key | ||
28 | |||
29 | # Lifetime and size of ephemeral version 1 server key | ||
30 | #KeyRegenerationInterval 1h | ||
31 | #ServerKeyBits 1024 | ||
32 | |||
33 | # Logging | ||
34 | # obsoletes QuietMode and FascistLogging | ||
35 | #SyslogFacility AUTH | ||
36 | #LogLevel INFO | ||
37 | |||
38 | # Authentication: | ||
39 | |||
40 | #LoginGraceTime 2m | ||
41 | #PermitRootLogin yes | ||
42 | #StrictModes yes | ||
43 | #MaxAuthTries 6 | ||
44 | #MaxSessions 10 | ||
45 | |||
46 | #RSAAuthentication yes | ||
47 | #PubkeyAuthentication yes | ||
48 | #AuthorizedKeysFile .ssh/authorized_keys | ||
49 | |||
50 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
51 | #RhostsRSAAuthentication no | ||
52 | # similar for protocol version 2 | ||
53 | #HostbasedAuthentication no | ||
54 | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
55 | # RhostsRSAAuthentication and HostbasedAuthentication | ||
56 | #IgnoreUserKnownHosts no | ||
57 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
58 | #IgnoreRhosts yes | ||
59 | |||
60 | # To disable tunneled clear text passwords, change to no here! | ||
61 | #PasswordAuthentication yes | ||
62 | #PermitEmptyPasswords no | ||
63 | |||
64 | # Change to no to disable s/key passwords | ||
65 | #ChallengeResponseAuthentication yes | ||
66 | |||
67 | # Kerberos options | ||
68 | #KerberosAuthentication no | ||
69 | #KerberosOrLocalPasswd yes | ||
70 | #KerberosTicketCleanup yes | ||
71 | #KerberosGetAFSToken no | ||
72 | |||
73 | # GSSAPI options | ||
74 | #GSSAPIAuthentication no | ||
75 | #GSSAPICleanupCredentials yes | ||
76 | |||
77 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
78 | # and session processing. If this is enabled, PAM authentication will | ||
79 | # be allowed through the ChallengeResponseAuthentication and | ||
80 | # PasswordAuthentication. Depending on your PAM configuration, | ||
81 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
82 | # the setting of "PermitRootLogin without-password". | ||
83 | # If you just want the PAM account and session checks to run without | ||
84 | # PAM authentication, then enable this but set PasswordAuthentication | ||
85 | # and ChallengeResponseAuthentication to 'no'. | ||
86 | #UsePAM no | ||
87 | |||
88 | #AllowAgentForwarding yes | ||
89 | #AllowTcpForwarding yes | ||
90 | #GatewayPorts no | ||
91 | #X11Forwarding no | ||
92 | #X11DisplayOffset 10 | ||
93 | #X11UseLocalhost yes | ||
94 | #PrintMotd yes | ||
95 | #PrintLastLog yes | ||
96 | #TCPKeepAlive yes | ||
97 | #UseLogin no | ||
98 | UsePrivilegeSeparation yes | ||
99 | #PermitUserEnvironment no | ||
100 | Compression no | ||
101 | ClientAliveInterval 15 | ||
102 | ClientAliveCountMax 4 | ||
103 | #UseDNS yes | ||
104 | #PidFile /var/run/sshd.pid | ||
105 | #MaxStartups 10 | ||
106 | #PermitTunnel no | ||
107 | #ChrootDirectory none | ||
108 | |||
109 | # no default banner path | ||
110 | #Banner none | ||
111 | |||
112 | # override default of no subsystems | ||
113 | Subsystem sftp /usr/libexec/sftp-server | ||
114 | |||
115 | # Example of overriding settings on a per-user basis | ||
116 | #Match User anoncvs | ||
117 | # X11Forwarding no | ||
118 | # AllowTcpForwarding no | ||
119 | # ForceCommand cvs server | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshdgenkeys.service new file mode 100644 index 0000000000..2fd8a9aaf2 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshdgenkeys.service | |||
@@ -0,0 +1,10 @@ | |||
1 | [Unit] | ||
2 | Description=SSH Key Generation | ||
3 | |||
4 | [Service] | ||
5 | ExecStart=@BINDIR@/ssh-keygen -A | ||
6 | Type=oneshot | ||
7 | RemainAfterExit=yes | ||
8 | |||
9 | [Install] | ||
10 | WantedBy=multi-user.target | ||
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh-6.2p2/volatiles.99_sshd new file mode 100644 index 0000000000..122320a719 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/volatiles.99_sshd | |||
@@ -0,0 +1 @@ | |||
d root root 0755 /var/run/sshd none | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb new file mode 100644 index 0000000000..8d0de8da93 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb | |||
@@ -0,0 +1,146 @@ | |||
1 | SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" | ||
2 | DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ | ||
3 | Ssh (Secure Shell) is a program for logging into a remote machine \ | ||
4 | and for executing commands on a remote machine." | ||
5 | HOMEPAGE = "http://openssh.org" | ||
6 | SECTION = "console/network" | ||
7 | LICENSE = "BSD" | ||
8 | LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" | ||
9 | |||
10 | PR = "r0" | ||
11 | |||
12 | DEPENDS = "zlib openssl" | ||
13 | DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | ||
14 | |||
15 | RPROVIDES_${PN}-ssh = "ssh" | ||
16 | RPROVIDES_${PN}-sshd = "sshd" | ||
17 | |||
18 | RCONFLICTS_${PN} = "dropbear" | ||
19 | RCONFLICTS_${PN}-sshd = "dropbear" | ||
20 | RCONFLICTS_${PN}-keygen = "ssh-keygen" | ||
21 | |||
22 | SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ | ||
23 | file://nostrip.patch \ | ||
24 | file://sshd_config \ | ||
25 | file://ssh_config \ | ||
26 | file://init \ | ||
27 | file://openssh-CVE-2011-4327.patch \ | ||
28 | file://add-test-support-for-busybox.patch \ | ||
29 | file://run-ptest \ | ||
30 | file://mac.patch \ | ||
31 | ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | ||
32 | file://sshd.socket \ | ||
33 | file://sshd@.service \ | ||
34 | file://sshdgenkeys.service \ | ||
35 | file://volatiles.99_sshd " | ||
36 | |||
37 | PAM_SRC_URI = "file://sshd" | ||
38 | |||
39 | SRC_URI[md5sum] = "be46174dcbb77ebb4ea88ef140685de1" | ||
40 | SRC_URI[sha256sum] = "7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b" | ||
41 | |||
42 | inherit useradd update-rc.d update-alternatives systemd ptest | ||
43 | |||
44 | USERADD_PACKAGES = "${PN}-sshd" | ||
45 | USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" | ||
46 | INITSCRIPT_PACKAGES = "${PN}-sshd" | ||
47 | INITSCRIPT_NAME_${PN}-sshd = "sshd" | ||
48 | INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" | ||
49 | |||
50 | SYSTEMD_PACKAGES = "${PN}-sshd" | ||
51 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket sshd@.service sshdgenkeys.service" | ||
52 | |||
53 | PACKAGECONFIG ??= "tcp-wrappers" | ||
54 | PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" | ||
55 | |||
56 | inherit autotools | ||
57 | |||
58 | # LFS support: | ||
59 | CFLAGS += "-D__FILE_OFFSET_BITS=64" | ||
60 | export LD = "${CC}" | ||
61 | |||
62 | EXTRA_OECONF = "--with-rand-helper=no \ | ||
63 | ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ | ||
64 | --without-zlib-version-check \ | ||
65 | --with-privsep-path=/var/run/sshd \ | ||
66 | --sysconfdir=${sysconfdir}/ssh \ | ||
67 | --with-xauth=/usr/bin/xauth" | ||
68 | |||
69 | # This is a workaround for uclibc because including stdio.h | ||
70 | # pulls in pthreads.h and causes conflicts in function prototypes. | ||
71 | # This results in compilation failure, so unless this is fixed, | ||
72 | # disable pam for uclibc. | ||
73 | EXTRA_OECONF_append_libc-uclibc=" --without-pam" | ||
74 | |||
75 | do_configure_prepend () { | ||
76 | if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then | ||
77 | cp aclocal.m4 acinclude.m4 | ||
78 | fi | ||
79 | } | ||
80 | |||
81 | do_compile_append () { | ||
82 | install -m 0644 ${WORKDIR}/sshd_config ${S}/ | ||
83 | install -m 0644 ${WORKDIR}/ssh_config ${S}/ | ||
84 | } | ||
85 | |||
86 | do_install_append () { | ||
87 | for i in ${DISTRO_FEATURES}; | ||
88 | do | ||
89 | if [ ${i} = "pam" ]; then | ||
90 | install -d ${D}${sysconfdir}/pam.d | ||
91 | install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd | ||
92 | fi | ||
93 | done | ||
94 | install -d ${D}${sysconfdir}/init.d | ||
95 | install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd | ||
96 | rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin | ||
97 | rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} | ||
98 | install -d ${D}/${sysconfdir}/default/volatiles | ||
99 | install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd | ||
100 | |||
101 | # Create config files for read-only rootfs | ||
102 | install -d ${D}${sysconfdir}/ssh | ||
103 | install -m 644 ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
104 | sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
105 | echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
106 | echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
107 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | ||
108 | |||
109 | install -d ${D}${systemd_unitdir}/system | ||
110 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system | ||
111 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system | ||
112 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system | ||
113 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | ||
114 | -e 's,@SBINDIR@,${sbindir},g' \ | ||
115 | -e 's,@BINDIR@,${bindir},g' \ | ||
116 | ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service | ||
117 | } | ||
118 | |||
119 | do_install_ptest () { | ||
120 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libdir}/${PN}/sftp-server|" regress/test-exec.sh | ||
121 | cp -r regress ${D}${PTEST_PATH} | ||
122 | } | ||
123 | |||
124 | ALLOW_EMPTY_${PN} = "1" | ||
125 | |||
126 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" | ||
127 | FILES_${PN}-scp = "${bindir}/scp.${BPN}" | ||
128 | FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" | ||
129 | FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd" | ||
130 | FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd" | ||
131 | FILES_${PN}-sftp = "${bindir}/sftp" | ||
132 | FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | ||
133 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | ||
134 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | ||
135 | |||
136 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | ||
137 | RDEPENDS_${PN}-sshd += "${PN}-keygen" | ||
138 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" | ||
139 | |||
140 | CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" | ||
141 | CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" | ||
142 | |||
143 | ALTERNATIVE_PRIORITY = "90" | ||
144 | ALTERNATIVE_${PN}-scp = "scp" | ||
145 | ALTERNATIVE_${PN}-ssh = "ssh" | ||
146 | |||