Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch8
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch35
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch96
-rw-r--r--meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch47
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch111
-rwxr-xr-xmeta/recipes-connectivity/openssh/openssh/run-ptest1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd2
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.service3
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_check_keys2
-rw-r--r--meta/recipes-connectivity/openssh/openssh_10.0p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_9.7p1.bb)72
11 files changed, 91 insertions, 287 deletions
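diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
index 8763f30f4b..f424288e37 100644
--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli <mikko.rapeli@linaro.org>
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 
 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
 ---
  regress/banner.sh | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
  done
  
  trace "test suppress banner (-q)"
---
-2.34.1
-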
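diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..360b62af34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From 9dcccafe44ea17e972e7cddea205bbe9fe71d8d6 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 8a00c72..2891f27 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -179,6 +179,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
++case "$SSH" in
++/*) ;;
++*) SSH=`which $SSH` ;;
++esac
++
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;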
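Review bot: The `which` result on the added line `*) SSH=`which $SSH` ;;` is never checked, so when the binary is not on PATH `SSH` becomes the empty string and the script carries on with an empty command, which is the same silent failure mode the patch description says it is trying to avoid. A guard after the `esac`, e.g. `[ -x "$SSH" ] || { echo "ssh binary not found: $SSH" >&2; exit 1; }`, makes the lookup failure explicit; the pre-existing `SSHD` case below has the same gap, though that is not part of this change. `command -v` is the POSIX spelling and avoids depending on a separate `which` binary being present on the test image. The embedded test-exec.sh hunk is an excerpt, so whether a later check already covers this is not visible here.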
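diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
deleted file mode 100644
index f079d936a4..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
-From: Matt Jolly <Matt.Jolly@footclan.ninja>
-Date: Thu, 2 Feb 2023 21:05:40 +1100
-Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
-
-This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
-patch based on Jakub Jelen's <jjelen@redhat.com> original patch
-
-Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
-
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
----
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c | 13 +++++++++++++
- 2 files changed, 37 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7..d1145d3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
-
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
- # Looking for programs, paths and files
-
- PRIVSEP_PATH=/var/empty
-@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
- echo " Solaris project support: $SP_MSG"
- echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo " BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index b4f2b97..6820a41 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
- #endif
-
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -308,6 +312,10 @@ static void
- sighup_restart(void)
- {
- logit("Received SIGHUP; restarting.");
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are reloading */
-+ sd_notify(0, "RELOADING=1");
-+#endif
- if (options.pid_file != NULL)
- unlink(options.pid_file);
- platform_pre_restart();
-@@ -2093,6 +2101,11 @@ main(int ac, char **av)
- }
- }
-
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
-+#endif
-+
- /* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
- &newsock, config_s);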
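diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
deleted file mode 100644
index b8402a4dee..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Adjust test cases to work with busybox.
-
-- Replace dd parameter "obs" with "bs".
-- Replace "head -<num>" with "head -n <num>".
-
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
-Upstream-Status: Pending
-
-Index: openssh-7.6p1/regress/cipher-speed.sh
-===================================================================
---- openssh-7.6p1.orig/regress/cipher-speed.sh
-+++ openssh-7.6p1/regress/cipher-speed.sh
-@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
- printf "%-60s" "$c/$m:"
- ( ${SSH} -o 'compression no' \
- -F $OBJ/ssh_proxy -m $m -c $c somehost \
-- exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
- < ${DATA} ) 2>&1 | getbytes
-
- if [ $? -ne 0 ]; then
-Index: openssh-7.6p1/regress/transfer.sh
-===================================================================
---- openssh-7.6p1.orig/regress/transfer.sh
-+++ openssh-7.6p1/regress/transfer.sh
-@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted
- for s in 10 100 1k 32k 64k 128k 256k; do
- trace "dd-size ${s}"
- rm -f ${COPY}
-- dd if=$DATA obs=${s} 2> /dev/null | \
-+ dd if=$DATA bs=${s} 2> /dev/null | \
- ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
- if [ $? -ne 0 ]; then
- fail "ssh cat $DATA failed"
-Index: openssh-7.6p1/regress/key-options.sh
-===================================================================
---- openssh-7.6p1.orig/regress/key-options.sh
-+++ openssh-7.6p1/regress/key-options.sh
-@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
- fi
-
- sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
-- from=`head -1 $authkeys | cut -f1 -d ' '`
-+ from=`head -n 1 $authkeys | cut -f1 -d ' '`
- verbose "key option $from"
- r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
- if [ "$r" = "true" ]; then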
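diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c | 8 ++++++--
- openbsd-compat/strnlen.c | 8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
---- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
- /* Find the end of dst and adjust bytes left but don't go past end */
- while (n-- != 0 && *d != '\0')
- d++;
-- dlen = d - dst;
-+ dlen = (uintptr_t)d - (uintptr_t)dst;
- n = siz - dlen;
-
- if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
- s++;
- }
- *d = '\0';
--
-- return(dlen + (s - src)); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
---- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Copy src to string dst of size siz. At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
- while (*s++)
- ;
- }
--
-- return(s - src - 1); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
---- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
-
- #include <string.h>
-+#include <stdint.h>
-
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
-
- for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
- ;
--
-- return (size_t)(cp - str);
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
---
-2.17.1
-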
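diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index b2244d725a..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
 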
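Review bot: `export TEST_SSH_SSH=ssh` on the added line is a bare command name, so the regress suite exercises whichever `ssh` is first on PATH rather than unambiguously the binary this recipe installs as `${bindir}/ssh.${BPN}`; with the companion test-exec patch in this commit the name is resolved through `which`, and a failed lookup only surfaces later as an empty `$SSH`. If the intent is to test the packaged client, an absolute path to the installed binary would remove the dependency on PATH ordering and on `which` being available on the image. The other variables in this file are short names as well, so a one-line comment saying the name is resolved by test-exec.sh would at least record why a relative name is acceptable here.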
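diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
index 4882e58b48..cf675a4dad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -7,4 +7,4 @@ password include common-password
 session optional pam_keyinit.so force revoke
 session include common-session
 session required pam_loginuid.so
-
+session required pam_env.so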
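Review bot: The added `session required pam_env.so` carries no comment recording why it is wanted or which files it reads, and in a PAM stack a `required` module that cannot process its configuration can deny the whole session, so the intent is worth stating. Without `user_readenv` it only consults root-owned files (`/etc/security/pam_env.conf` and `/etc/environment`), which is the configuration to keep; a line above it such as `# export /etc/environment and pam_env.conf variables into the ssh session; user_readenv stays off` makes that explicit for the next editor. It is also placed after `common-session` and `pam_loginuid.so` rather than near the top of the session stack, so if that ordering is deliberate the comment should say so.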
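diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
index 2a997b656a..c71fff1cc1 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -2,13 +2,14 @@
 Description=OpenSSH server daemon
 Wants=sshdgenkeys.service
 After=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Service]
+Type=notify-reload
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
 ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s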
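Review bot: `Type=notify-reload` on the added line only works if sshd itself sends `READY=1` once it is listening and `RELOADING=1` plus `MONOTONIC_USEC=` on SIGHUP over `NOTIFY_SOCKET`; with the out-of-tree sd_notify patch and the `--with-systemd` configure switch both dropped in this commit, the unit now relies on notification support built into the 10.0p1 sources, and nothing in the recipe verifies that at configure time. It also needs systemd 253 or newer to be parsed at all, and since `ExecReload=` is removed the reload path is now entirely the `ReloadSignal=` default of SIGHUP. A short comment above the line, e.g. `# notify-reload needs systemd >= 253 and sshd's built-in NOTIFY_SOCKET support (READY=1 / RELOADING=1 on SIGHUP)`, would record both dependencies for whoever next bumps either side.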
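diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd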
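diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 606d1894b5..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
  mkdir -p "$DIR"
  rm -f ${FILE}.tmp
  ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
-
+ chmod go-rwx "$FILE.tmp"
  # Atomically rename file public key
  mv -f "${FILE}.tmp.pub" "${FILE}.pub"
 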
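Review bot: The added `chmod go-rwx "$FILE.tmp"` runs after ssh-keygen has already written the private key, so if the motivation is a permissive umask the key is briefly readable between the two commands; a `umask 077` before the `ssh-keygen` call closes that window and turns the chmod into a belt-and-braces check rather than the only control. Its exit status is also not checked, so a failed chmod would still be followed by the rename of the key on the lines that follow. As far as I know ssh-keygen creates private keys 0600 itself, so a comment stating the intent, e.g. `# ssh-keygen already writes the private key 0600; enforce it in case of an unusual umask`, would stop a later reader from relying on this line alone. generate_key begins before this hunk.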
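diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index d1468c59fc..a044aec063 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -6,12 +6,12 @@ and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
 LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=78ffb36e5a48c0d8c5648603a3b6c8eb"
 
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
  file://sshd_config \
  file://ssh_config \
  file://init \
@@ -22,13 +22,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://sshdgenkeys.service \
  file://volatiles.99_sshd \
  file://run-ptest \
- file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://sshd_check_keys \
- file://add-test-support-for-busybox.patch \
  file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
- file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
+ file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
  "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
 
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
@@ -38,6 +36,7 @@ CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to Op
 Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
 CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
 
 PAM_SRC_URI = "file://sshd"
 
@@ -53,11 +52,10 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
 inherit autotools-brokensep ptest pkgconfig
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 # systemd-sshd-socket-mode means installing sshd.socket
 # and systemd-sshd-service-mode corresponding to sshd.service
-PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
 PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
@@ -65,6 +63,9 @@ PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 PACKAGECONFIG[systemd-sshd-socket-mode] = ""
 PACKAGECONFIG[systemd-sshd-service-mode] = ""
+PACKAGECONFIG[hostkey-rsa] = ""
+PACKAGECONFIG[hostkey-ecdsa] = ""
+PACKAGECONFIG[hostkey-ed25519] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -76,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
  --sysconfdir=${sysconfdir}/ssh \
  --with-xauth=${bindir}/xauth \
  --disable-strip \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
  "
 
 # musl doesn't implement wtmp/utmp and logwtmp
@@ -102,17 +102,42 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
  export LD="${CC}"
- install -m 0644 ${WORKDIR}/sshd_config ${B}/
- install -m 0644 ${WORKDIR}/ssh_config ${B}/
+ install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+ install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
 do_compile_ptest() {
  oe_runmake regress-binaries regress-unit-binaries
 }
 
+sshd_hostkey_setup() {
+ # Enable specific ssh host keys
+ sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+ echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+ fi
+
+ sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+ echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ fi
+}
+
 do_install:append () {
  if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
- install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+ install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
  sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
  fi
 
@@ -121,25 +146,21 @@ do_install:append () {
  fi
 
  install -d ${D}${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
+ install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
  rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
  rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
  install -d ${D}/${sysconfdir}/default/volatiles
- install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+ install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
  install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
  # Create config files for read-only rootfs
  install -d ${D}${sysconfdir}/ssh
  install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
- sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
  install -d ${D}${systemd_system_unitdir}
  if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
- install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
- install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
@@ -147,9 +168,9 @@ do_install:append () {
  ${D}${systemd_system_unitdir}/sshd.socket
  fi
  if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
- install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
  fi
- install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
@@ -159,7 +180,8 @@ do_install:append () {
  sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
  ${D}${sysconfdir}/init.d/sshd
 
- install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+ install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+ sshd_hostkey_setup
 }
 
 do_install_ptest () {
@@ -173,9 +195,9 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys ${libexecdir}/sshd-auth"
 FILES:${PN}-sftp = "${bindir}/sftp"
 FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"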
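Review bot: `sed -i '/HostKey/d'` in the new sshd_hostkey_setup is unanchored, so besides the `HostKey` directives it also strips `HostKeyAlgorithms` and `HostKeyAgent` lines (and any comment mentioning HostKey) from a distro-supplied sshd_config before the selected keys are appended; `/^HostKey[[:space:]]/d` limits it to the directive actually being replaced. When none of the three `hostkey-*` PACKAGECONFIG options is enabled the function leaves sshd_config with no HostKey line, where sshd falls back to its built-in default set, but sshd_config_readonly is then left with none of the `/var/run/ssh` keys that the removed lines used to write, and if sshd_check_keys derives the keys to generate from those directives (not visible here) nothing is generated on a read-only rootfs — that case deserves a warning or a documented fallback. The default also shrinks from the three keys previously written to sshd_config_readonly to `hostkey-ecdsa` alone, and for sshd_config the new explicit line overrides upstream's rsa+ecdsa+ed25519 default, which clients with an ed25519 entry in known_hosts will notice; a line in the PACKAGECONFIG comment block should say so. The six near-identical blocks can be collapsed with `bb.utils.filter`, which do_install:append already uses, as sketched below.
```bitbake
sshd_hostkey_write() {
    # $1: sshd config file under ${D}; $2: directory the keys live in at runtime.
    # Only whole "HostKey ..." directives are dropped, so HostKeyAlgorithms and
    # HostKeyAgent in a customised config survive.
    sed -i '/^HostKey[[:space:]]/d' $1
    for opt in ${@bb.utils.filter('PACKAGECONFIG', 'hostkey-rsa hostkey-ecdsa hostkey-ed25519', d)}; do
        echo "HostKey $2/ssh_host_${opt#hostkey-}_key" >> $1
    done
}

sshd_hostkey_setup() {
    # Enable the host keys selected via PACKAGECONFIG[hostkey-*] in both
    # config variants.  With no hostkey-* option set, sshd_config is left to
    # sshd's built-in default list and sshd_config_readonly gets no key.
    sshd_hostkey_write ${D}${sysconfdir}/ssh/sshd_config /etc/ssh
    sshd_hostkey_write ${D}${sysconfdir}/ssh/sshd_config_readonly /var/run/ssh
}
```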