Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch30
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch8
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch35
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch96
-rw-r--r--meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch47
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch111
-rwxr-xr-xmeta/recipes-connectivity/openssh/openssh/run-ptest1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.service2
-rw-r--r--meta/recipes-connectivity/openssh/openssh_9.8p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_9.7p1.bb)63
9 files changed, 113 insertions, 280 deletions
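--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
+From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sun, 7 Jul 2024 18:46:19 +1000
+Subject: [PATCH] Cast to sockaddr * in systemd interface.
+
+Fixes build with musl libx. bz#3707.
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ openbsd-compat/port-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4c024c6d2..8adfec5a7 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
+ error_f("socket \"%s\": %s", path, strerror(errno));
+ goto out;
+ }
+- if (connect(fd, &addr, sizeof(addr)) != 0) {
++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
+ goto out;
+ }
+--
+2.45.2
+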
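--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli <mikko.rapeli@linaro.org>
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 
 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
 ---
  regress/banner.sh | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
  done
  
  trace "test suppress banner (-q)"
---
-2.34.1
-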
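--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7afc2807..175f554b 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
++case "$SSH" in
++/*) ;;
++*) SSH=`which $SSH` ;;
++esac
++
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;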
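Review bot: `SSH=\`which $SSH\`` (new line 30 of the patch) leaves `SSH` empty when the binary is not on PATH, so the failure the commit message describes (an unresolved binary making increase_datafile_size loop forever) is not reported, only moved to a later and equally silent point; `which` is also non-POSIX and its behaviour differs between implementations, which matters because run-ptest now exports the unqualified `TEST_SSH_SSH=ssh` and the suite presumably runs on a busybox target. Mirroring the existing SSHD block keeps the hunk consistent, but a stricter form costs one line: `*) SSH=$(command -v "$SSH") || { echo "$SSH not found in PATH" >&2; exit 1; } ;;`. The enclosing script continues outside the hunk.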
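--- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
-From: Matt Jolly <Matt.Jolly@footclan.ninja>
-Date: Thu, 2 Feb 2023 21:05:40 +1100
-Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
-
-This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
-patch based on Jakub Jelen's <jjelen@redhat.com> original patch
-
-Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
-
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
----
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c | 13 +++++++++++++
- 2 files changed, 37 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7..d1145d3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
-
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
- # Looking for programs, paths and files
-
- PRIVSEP_PATH=/var/empty
-@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
- echo " Solaris project support: $SP_MSG"
- echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo " BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index b4f2b97..6820a41 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
- #endif
-
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -308,6 +312,10 @@ static void
- sighup_restart(void)
- {
- logit("Received SIGHUP; restarting.");
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are reloading */
-+ sd_notify(0, "RELOADING=1");
-+#endif
- if (options.pid_file != NULL)
- unlink(options.pid_file);
- platform_pre_restart();
-@@ -2093,6 +2101,11 @@ main(int ac, char **av)
- }
- }
-
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
-+#endif
-+
- /* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
- &newsock, config_s);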
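--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Adjust test cases to work with busybox.
-
-- Replace dd parameter "obs" with "bs".
-- Replace "head -<num>" with "head -n <num>".
-
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
-Upstream-Status: Pending
-
-Index: openssh-7.6p1/regress/cipher-speed.sh
-===================================================================
---- openssh-7.6p1.orig/regress/cipher-speed.sh
-+++ openssh-7.6p1/regress/cipher-speed.sh
-@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
- printf "%-60s" "$c/$m:"
- ( ${SSH} -o 'compression no' \
- -F $OBJ/ssh_proxy -m $m -c $c somehost \
-- exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
- < ${DATA} ) 2>&1 | getbytes
-
- if [ $? -ne 0 ]; then
-Index: openssh-7.6p1/regress/transfer.sh
-===================================================================
---- openssh-7.6p1.orig/regress/transfer.sh
-+++ openssh-7.6p1/regress/transfer.sh
-@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted
- for s in 10 100 1k 32k 64k 128k 256k; do
- trace "dd-size ${s}"
- rm -f ${COPY}
-- dd if=$DATA obs=${s} 2> /dev/null | \
-+ dd if=$DATA bs=${s} 2> /dev/null | \
- ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
- if [ $? -ne 0 ]; then
- fail "ssh cat $DATA failed"
-Index: openssh-7.6p1/regress/key-options.sh
-===================================================================
---- openssh-7.6p1.orig/regress/key-options.sh
-+++ openssh-7.6p1/regress/key-options.sh
-@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
- fi
-
- sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
-- from=`head -1 $authkeys | cut -f1 -d ' '`
-+ from=`head -n 1 $authkeys | cut -f1 -d ' '`
- verbose "key option $from"
- r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
- if [ "$r" = "true" ]; then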
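--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c | 8 ++++++--
- openbsd-compat/strnlen.c | 8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
---- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
- /* Find the end of dst and adjust bytes left but don't go past end */
- while (n-- != 0 && *d != '\0')
- d++;
-- dlen = d - dst;
-+ dlen = (uintptr_t)d - (uintptr_t)dst;
- n = siz - dlen;
-
- if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
- s++;
- }
- *d = '\0';
--
-- return(dlen + (s - src)); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
---- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Copy src to string dst of size siz. At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
- while (*s++)
- ;
- }
--
-- return(s - src - 1); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
---- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
-
- #include <string.h>
-+#include <stdint.h>
-
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
-
- for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
- ;
--
-- return (size_t)(cp - str);
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
---
-2.17.1
-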
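--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
 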
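--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -5,11 +5,11 @@ After=sshdgenkeys.service
 After=nss-user-lookup.target
 
 [Service]
+Type=notify-reload
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
 ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s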
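Review bot: `Type=notify-reload` on new line 8 makes both startup and `systemctl reload` depend on systemd 253 or newer and on sshd itself sending `READY=1` and, on SIGHUP, `RELOADING=1` with `MONOTONIC_USEC=` over `$NOTIFY_SOCKET`; because this commit also drops the downstream sd_notify patch and the libsystemd dependency, that now rests entirely on the upstream 9.8 notify code (the `ssh_systemd_notify` routine in port-linux.c that the new Cast-to-sockaddr backport touches), which I cannot verify from this page. On a target whose systemd predates 253 the unit fails to parse, and if the daemon only announces readiness every reload blocks until the timeout, so either state the systemd requirement in the recipe or commit message, or fall back to `Type=notify` and keep `ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID`. A comment above the directive would also spare the next reader the archaeology: `# notify-reload: sshd >= 9.8 speaks the systemd notify protocol natively; needs systemd >= 253`.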
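--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -22,13 +22,12 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://sshdgenkeys.service \
  file://volatiles.99_sshd \
  file://run-ptest \
- file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://sshd_check_keys \
- file://add-test-support-for-busybox.patch \
+ file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
  file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
- file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
+ file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
  "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
 
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
@@ -38,6 +37,7 @@ CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to Op
 Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
 CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
 
 PAM_SRC_URI = "file://sshd"
 
@@ -53,11 +53,10 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
 inherit autotools-brokensep ptest pkgconfig
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 # systemd-sshd-socket-mode means installing sshd.socket
 # and systemd-sshd-service-mode corresponding to sshd.service
-PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
 PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
@@ -65,6 +64,9 @@ PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 PACKAGECONFIG[systemd-sshd-socket-mode] = ""
 PACKAGECONFIG[systemd-sshd-service-mode] = ""
+PACKAGECONFIG[hostkey-rsa] = ""
+PACKAGECONFIG[hostkey-ecdsa] = ""
+PACKAGECONFIG[hostkey-ed25519] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -76,7 +78,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
  --sysconfdir=${sysconfdir}/ssh \
  --with-xauth=${bindir}/xauth \
  --disable-strip \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
  "
 
 # musl doesn't implement wtmp/utmp and logwtmp
@@ -110,9 +111,34 @@ do_compile_ptest() {
  oe_runmake regress-binaries regress-unit-binaries
 }
 
+sshd_hostkey_setup() {
+ # Enable specific ssh host keys
+ sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+
+ sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+}
+
 do_install:append () {
  if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
- install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+ install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
  sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
  fi
 
@@ -121,25 +147,21 @@ do_install:append () {
  fi
 
  install -d ${D}${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
+ install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
  rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
  rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
  install -d ${D}/${sysconfdir}/default/volatiles
- install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+ install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
  install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
  # Create config files for read-only rootfs
  install -d ${D}${sysconfdir}/ssh
  install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
- sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
  install -d ${D}${systemd_system_unitdir}
  if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
- install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
- install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
@@ -147,9 +169,9 @@ do_install:append () {
  ${D}${systemd_system_unitdir}/sshd.socket
  fi
  if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
- install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
  fi
- install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
@@ -159,7 +181,8 @@ do_install:append () {
  sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
  ${D}${sysconfdir}/init.d/sshd
 
- install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+ install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+ sshd_hostkey_setup
 }
 
 do_install_ptest () {
@@ -173,7 +196,7 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"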
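Review bot: `sed -i '/HostKey/d'` in the new `sshd_hostkey_setup` (new lines 116 and 127) is unanchored, so besides the `HostKey` directive and its commented-out defaults it also deletes any line that merely contains the substring, such as a `HostKeyAlgorithms` or `HostKeyAgent` setting should the shipped sshd_config ever carry one or a later patch add it, and losing a host-key algorithm policy that way is much harder to notice than a missing key file. Anchoring the pattern confines the deletion to the directive itself: `sed -i -E '/^[[:space:]]*#?HostKey[[:space:]]/d' ${D}${sysconfdir}/ssh/sshd_config` and the same form for `sshd_config_readonly`. The new default `PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"` also deserves a comment or a commit-message sentence: the removed block in the `@@ -121,25` hunk listed rsa, ecdsa and ed25519 keys, whereas the new default advertises only the ECDSA key, so clients that cached an RSA or ed25519 entry in known_hosts will presumably be prompted for an unknown host key after the upgrade, and with no hostkey-* option selected the config ends up with no HostKey line at all and sshd falls back to whatever its built-in default list is. The `@@ -38,6` hunk's new `CVE_STATUS` line is fine as written.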