8 files changed, 136 insertions, 100 deletions

diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
new file mode 100644
index 0000000000..967b66322f
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
+From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla@gmail.com>
+Date: Fri, 9 May 2025 22:39:35 +0300
+Subject: [PATCH] Fix proxycmd without netcat
+
+fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
+
+Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/cli-main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 2fafa88..0a052a3 100644
+--- a/src/cli-main.c
++++ b/src/cli-main.c
+@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
+        }
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-       if (cli_opts.proxycmd || cli_opts.proxyexec) {
++       if (cli_opts.proxycmd
++#if DROPBEAR_CLI_MULTIHOP
++               || cli_opts.proxyexec
++#endif
++       ) {
+                cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+                if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+                        signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+        dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
++#if DROPBEAR_CLI_MULTIHOP
+ static void exec_proxy_cmd(const void *unused) {
+        (void)unused;
+        run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
+        dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
+ }
++#endif
+ 
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+        char * cmd_arg = NULL;
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+                cmd_arg = m_malloc(shell_cmdlen);
+                snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
+                exec_fn = shell_proxy_cmd;
++#if DROPBEAR_CLI_MULTIHOP
+        } else {
+                /* No shell */
+                exec_fn = exec_proxy_cmd;
++#endif
+        }
+ 
+        ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cleanup:
+        m_free(cli_opts.proxycmd);
+        m_free(cmd_arg);
++#if DROPBEAR_CLI_MULTIHOP
+        if (cli_opts.proxyexec) {
+                char **a = NULL;
+                for (a = cli_opts.proxyexec; *a; a++) {
+@@ -166,6 +175,7 @@ cleanup:
+                }
+                m_free(cli_opts.proxyexec);
+        }
++#endif
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
index 684641dcbd..0687e5dab1 100644
--- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -1,15 +1,18 @@
-Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h
+From cdc6a4a57a86d8116a92a5d905993e65cf723556 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard@openedhand.com>
+Date: Wed, 31 Aug 2005 10:45:47 +0000
+Subject: [PATCH] urandom-xauth-changes-to-options.h
 
 Upstream-Status: Inappropriate [configuration]
 ---
- default_options.h | 2 +-
+ src/default_options.h | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/default_options.h b/default_options.h
-index 3b75eb8..1fd8082 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -243,7 +243,7 @@ Homedir is prepended unless path begins with / */
+diff --git a/src/default_options.h b/src/default_options.h
+index 6e970bb..ccc8b47 100644
+--- a/src/default_options.h
++++ b/src/default_options.h
+@@ -317,7 +317,7 @@ group1 in Dropbear server too */
  
  /* The command to invoke for xauth when using X11 forwarding.
   * "-q" for quiet */
@@ -17,7 +20,4 @@ index 3b75eb8..1fd8082 100644
 +#define XAUTH_COMMAND "xauth -q"
  
  
- /* if you want to enable running an sftp server (such as the one included with
--- 
-1.7.11.7
-
+ /* If you want to enable running an sftp server (such as the one included with
diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
index 857681520c..6743f506e9 100644
--- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
+++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
@@ -1,7 +1,7 @@
-From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001
+From 253ca01f0fc50dbaeb2ff8bcece0c34256eba94f Mon Sep 17 00:00:00 2001
 From: Jussi Kukkonen <jussi.kukkonen@intel.com>
 Date: Wed, 2 Dec 2015 11:36:02 +0200
-Subject: Enable pam
+Subject: [PATCH] Enable pam
 
 We need modify file default_options.h besides enabling pam in
 configure if we want dropbear to support pam.
@@ -11,14 +11,14 @@ Upstream-Status: Pending
 Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
 Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
 ---
- default_options.h | 4 ++--
+ src/default_options.h | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/default_options.h b/default_options.h
-index 3b75eb8..8617cd0 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -179,7 +179,7 @@ group1 in Dropbear server too */
+diff --git a/src/default_options.h b/src/default_options.h
+index ccc8b47..12768d1 100644
+--- a/src/default_options.h
++++ b/src/default_options.h
+@@ -228,7 +228,7 @@ group1 in Dropbear server too */
  
  /* Authentication Types - at least one required.
     RFC Draft requires pubkey auth, and recommends password */
@@ -27,16 +27,12 @@ index 3b75eb8..8617cd0 100644
  
  /* Note: PAM auth is quite simple and only works for PAM modules which just do
   * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
-@@ -187,7 +187,7 @@ group1 in Dropbear server too */
+@@ -236,7 +236,7 @@ group1 in Dropbear server too */
   * but there's an interface via a PAM module. It won't work for more complex
   * PAM challenge/response.
   * You can't enable both PASSWORD and PAM. */
 -#define DROPBEAR_SVR_PAM_AUTH 0
 +#define DROPBEAR_SVR_PAM_AUTH 1
  
- /* ~/.ssh/authorized_keys authentication */
- #define DROPBEAR_SVR_PUBKEY_AUTH 1
- 
--- 
-2.1.4
-
+ /* ~/.ssh/authorized_keys authentication.
+  * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */
diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
index deed78ffb9..44861088cc 100644
--- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
+++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
@@ -1,4 +1,4 @@
-From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001
+From 16b147f97f0938cddb55ec1c90bc919c13f26fc0 Mon Sep 17 00:00:00 2001
 From: Mingli Yu <Mingli.Yu@windriver.com>
 Date: Thu, 6 Sep 2018 15:54:00 +0800
 Subject: [PATCH] dropbear configuration file
@@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John <maxin.john@enea.com>
 Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
 ---
- svr-authpam.c | 2 +-
+ src/svr-authpam.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/svr-authpam.c b/svr-authpam.c
-index d201bc9..165ec5c 100644
---- a/svr-authpam.c
-+++ b/svr-authpam.c
-@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) {
+diff --git a/src/svr-authpam.c b/src/svr-authpam.c
+index ec14632..026102f 100644
+--- a/src/svr-authpam.c
++++ b/src/svr-authpam.c
+@@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) {
         }
  
         /* Init pam */
@@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644
                 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", 
                                 rc, pam_strerror(pamHandlep, rc));
                 goto cleanup;
--- 
-2.7.4
-
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
deleted file mode 100644
index b54581f17a..0000000000
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
-From: Joseph Reynolds <joseph.reynolds1@ibm.com>
-Date: Thu, 20 Jun 2019 16:29:15 -0500
-Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
-
-This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
-in the dropbear ssh server and client since they're considered weak ciphers
-and we want to support the stong algorithms.
-
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
-
----
- default_options.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/default_options.h b/default_options.h
-index 1aa2297..7ff1394 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -163,12 +163,12 @@ IMPORTANT: Some options will require "make clean" after changes */
-  * Small systems should generally include either curve25519 or ecdh for performance.
-  * curve25519 is less widely supported but is faster
-  */ 
--#define DROPBEAR_DH_GROUP14_SHA1 1
-+#define DROPBEAR_DH_GROUP14_SHA1 0
- #define DROPBEAR_DH_GROUP14_SHA256 1
- #define DROPBEAR_DH_GROUP16 0
- #define DROPBEAR_CURVE25519 1
- #define DROPBEAR_ECDH 1
--#define DROPBEAR_DH_GROUP1 1
-+#define DROPBEAR_DH_GROUP1 0
- 
- /* When group1 is enabled it will only be allowed by Dropbear client
- not as a server, due to concerns over its strength. Set to 0 to allow
diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service
index 71a12a6110..501e47124f 100644
--- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service
+++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service
@@ -9,6 +9,6 @@ Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
 EnvironmentFile=-/etc/default/dropbear
 Type=oneshot
 ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}
-ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key
+ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_RSAKEY_ARGS
 RemainAfterExit=yes
 Nice=10
diff --git a/meta/recipes-core/dropbear/dropbear_2020.81.bb b/meta/recipes-core/dropbear/dropbear_2020.81.bb
deleted file mode 100644
index c7edea84f8..0000000000
--- a/meta/recipes-core/dropbear/dropbear_2020.81.bb
+++ /dev/null
@@ -1,3 +0,0 @@
-require dropbear.inc
-
-SRC_URI[sha256sum] = "48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b"
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear_2025.88.bb
index ed3ef3384a..72a886d907 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -9,10 +9,8 @@ LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f"
 
 DEPENDS = "zlib virtual/crypt"
-RPROVIDES_${PN} = "ssh sshd"
-RCONFLICTS_${PN} = "openssh-sshd openssh"
-
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RPROVIDES:${PN} = "ssh sshd"
+RCONFLICTS:${PN} = "openssh-sshd openssh"
 
 SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://0001-urandom-xauth-changes-to-options.h.patch \
@@ -21,8 +19,12 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://dropbear@.service \
            file://dropbear.socket \
            file://dropbear.default \
+           file://0001-Fix-proxycmd-without-netcat.patch \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+           "
+
+SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
+MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
                file://0006-dropbear-configuration-file.patch \
@@ -33,8 +35,6 @@ PAM_PLUGINS = "libpam-runtime \
         pam-plugin-permit \
         pam-plugin-unix \
         "
-RDEPENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}"
-
 inherit autotools update-rc.d systemd
 
 CVE_PRODUCT = "dropbear_ssh"
@@ -42,25 +42,30 @@ CVE_PRODUCT = "dropbear_ssh"
 INITSCRIPT_NAME = "dropbear"
 INITSCRIPT_PARAMS = "defaults 10"
 
-SYSTEMD_SERVICE_${PN} = "dropbear.socket"
+SYSTEMD_SERVICE:${PN} = "dropbear.socket"
 
 SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 
-PACKAGECONFIG ?= "disable-weak-ciphers"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam x11', d)}"
+PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
-PACKAGECONFIG[disable-weak-ciphers] = ""
-
-EXTRA_OECONF += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
+PACKAGECONFIG[x11] = ",,,,xauth"
 
 # This option appends to CFLAGS and LDFLAGS from OE
 # This is causing [textrel] QA warning
 EXTRA_OECONF += "--disable-harden"
 
 # musl does not implement wtmp/logwtmp APIs
-EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog"
+EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
+
+do_configure:append() {
+        echo "/* Dropbear features */" > ${B}/localoptions.h
+        if ${@bb.utils.contains('PACKAGECONFIG', 'x11', 'true', 'false', d)}; then
+                echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h
+        fi
+}
 
 do_install() {
         install -d ${D}${sysconfdir} \
@@ -71,7 +76,7 @@ do_install() {
                 ${D}${sbindir} \
                 ${D}${localstatedir}
 
-        install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear
+        install -m 0644 ${UNPACKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear
 
         install -m 0755 dropbearmulti ${D}${sbindir}/
 
@@ -89,32 +94,32 @@ do_install() {
                 -e 's,/usr/sbin,${sbindir},g' \
                 -e 's,/var,${localstatedir},g' \
                 -e 's,/usr/bin,${bindir},g' \
-                -e 's,/usr,${prefix},g' ${WORKDIR}/init > ${D}${sysconfdir}/init.d/dropbear
+                -e 's,/usr,${prefix},g' ${UNPACKDIR}/init > ${D}${sysconfdir}/init.d/dropbear
         chmod 755 ${D}${sysconfdir}/init.d/dropbear
         if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
                 install -d ${D}${sysconfdir}/pam.d
-                install -m 0644 ${WORKDIR}/dropbear  ${D}${sysconfdir}/pam.d/
+                install -m 0644 ${UNPACKDIR}/dropbear  ${D}${sysconfdir}/pam.d/
         fi
 
         # deal with systemd unit files
-        install -d ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_unitdir}/system
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/dropbearkey.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/dropbear@.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/dropbear.socket ${D}${systemd_system_unitdir}
         sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                 -e 's,@BINDIR@,${bindir},g' \
                 -e 's,@SBINDIR@,${sbindir},g' \
-                ${D}${systemd_unitdir}/system/dropbear.socket ${D}${systemd_unitdir}/system/*.service
+                ${D}${systemd_system_unitdir}/dropbear.socket ${D}${systemd_system_unitdir}/*.service
 }
 
 inherit update-alternatives
 
 ALTERNATIVE_PRIORITY = "20"
-ALTERNATIVE_${PN} = "${@bb.utils.filter('BINCOMMANDS', 'scp ssh', d)}"
+ALTERNATIVE:${PN} = "${@bb.utils.filter('BINCOMMANDS', 'scp ssh', d)}"
 
 ALTERNATIVE_TARGET = "${sbindir}/dropbearmulti"
 
-pkg_postrm_append_${PN} () {
+pkg_postrm:${PN} () {
   if [ -f "${sysconfdir}/dropbear/dropbear_rsa_host_key" ]; then
         rm ${sysconfdir}/dropbear/dropbear_rsa_host_key
   fi
@@ -123,4 +128,6 @@ pkg_postrm_append_${PN} () {
   fi
 }
 
-FILES_${PN} += "${bindir}"
+CONFFILES:${PN} = "${sysconfdir}/default/dropbear"
+
+FILES:${PN} += "${systemd_system_unitdir}/dropbearkey.service"