| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Quoting 'man systemd.special':
nss-user-lookup.target
A target that should be used as synchronization point for all
regular UNIX user/group name service lookups. [...] All services
for which the availability of the full user/group database is
essential should be ordered after this target, but not pull it
in. All services which provide parts of the user/group database
should be ordered before this target, and pull it in.
When no service providing parts of the user/group database exists and
thus pulls in the nss-user-lookup.target, this added dependency is a
no-op.
However, when such a service does exist, and e.g. modifies /etc/shadow
to change password or enable/disable certain accounts, it is essential
that no ssh connections are accepted until those changes are made.
(From OE-Core rev: 365b5490f3b12772ed57a6bcfd1e0e8a91185afc)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
refresh for 9.7p1
Changelog:
============
New features
------------
* ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.
* All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
--------
* sshd(8): don't append an unnecessary space to the end of subsystem
arguments
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added.
* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden
* ssh-agent(1): fix potential spin in signal handler
* Many fixes to manual pages and other documentation
* Greatly improve interop testing against PuTTY.
(From OE-Core rev: e409b8ceb514d67d6472b4433cc9869c43401b94)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSH supports FIDO security keys in both the client
and server. Add an option to support them in oe.
This change requires a new recipe that I've submitted to
meta-openembedded that has not merged yet.
(From OE-Core rev: 74451a65f29b16f78b008b3ac70c99c2d61a7cad)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes [YOCTO #15415]
The new openssh version has an ICE on powerpc64le similar to the one on
mips/mips64[1]. By adding flag "--without-hardening" to "./configure",
compiler option "-fzero-call-used-regs" will be removed when compiling. This
prevents certain functions from triggering the following ICE:
unimplemented: argument 'used' is not supported for '-fzero-call-used-regs' on this target
References
[1] https://git.openembedded.org/openembedded-core/commit/?id=5b290566519a87c563945a033cb49863317ad63d
(From OE-Core rev: bc793fa9d1fe24c102d91e97b7002b6e637cbfa5)
Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unfortunately the new openssh version has an ICE on mips. This looks similar to:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104817
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104820
Given how long these have been open, workaround the issue by disabling the compiler
hardening options on mips.
It is likely better to do this than have the open CVEs for everyone
as we can't upgrade.
An example:
| during RTL pass: zero_call_used_regs
| clientloop.c: In function 'client_loop':
| clientloop.c:1699:1: internal compiler error: in int_mode_for_mode, at stor-layout.cc:407
| 1699 | }
| | ^
| 0x14d0acc internal_error(char const*, ...)
| ???:0
| 0x5cf765 fancy_abort(char const*, int, char const*)
| ???:0
| 0x826f1f emit_move_insn_1(rtx_def*, rtx_def*)
| ???:0
| 0x8270c5 emit_move_insn(rtx_def*, rtx_def*)
| ???:0
| 0xb7b994 default_zero_call_used_regs(HARD_REG_SET)
| ???:0
| Please submit a full bug report, with preprocessed source (by using -freport-bug).
| Please include the complete backtrace with any bug report.
(From OE-Core rev: 5b290566519a87c563945a033cb49863317ad63d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Relocate Upstream-Status in 0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
so it will not throw an error in AUH
https://www.openssh.com/txt/release-9.6
https://github.com/openssh/openssh-portable/compare/V_9_5_P1...V_9_6_P1
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
https://nvd.nist.gov/vuln/detail/CVE-2023-51384
https://nvd.nist.gov/vuln/detail/CVE-2023-51385
CVE: CVE-2023-48795
CVE: CVE-2023-51384
CVE: CVE-2023-51385
(From OE-Core rev: 8416c8d1b57dd6c9c7890aac962feb63bac6429b)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add systemd-sshd-socket-mode PACKAGECONFIG option to choose installing
sshd.socket and systemd-sshd-service-mode PACKAGECONFIG option to choose
installing sshd.service.
The systemd-sshd-socket-mode PACKAGECONFIG option is enabled by default
and user can choose the above two PACKAGECONFIG option to customize the
sshd mode.
(From OE-Core rev: bc830ad3c6a11af1a350dca7f33f0682aeee0d21)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The sshd keeps on terminating and restarting in servel minutes, we can observe
log from journalctl that the sshd was killed by systemd with signal 15:
systemd[1]: sshd.service start operation timed out. Terminating.
sshd[374]: Received signal 15; terminating.
When the sshd as a systemd service, it need to tell systemd with a "READY" status,
and when it is restarted, it need to tell systemd with a "RELOADING" status, otherwise,
systemd would treat it as failing service and restart it again.
Taken a patch from openssh upstream PR[1], that after using a signal to tell systemd
it is ready or reload now.
Ref:
[1] https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56
(From OE-Core rev: 4090dca8e44ec79ccb9a674db31e835d20b51888)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Don't hardcode the directory of the binary in sshd.service.
(From OE-Core rev: 977820725c39736061b649389864a53e112e213d)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For systems with a large amount of SSH traffic, it shoule be better to
run a single SSH server for all incoming connections.
And both sshd.socket and sshd.service are deployed on other distros
like ubuntu, fedora and etc.
So add sshd.service to make it possible to run a standalone SSH server.
(From OE-Core rev: 3ecebc70f957e53e3dcf1cc835ff359115db6e56)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
===========
Potentially incompatible changes
--------------------------------
* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
are very convenient due to their small size. Ed25519 keys are
specified in RFC 8709 and OpenSSH has supported them since version 6.5
(January 2014).
* sshd(8): the Subsystem directive now accurately preserves quoting of
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
New features
------------
* ssh(1): add keystroke timing obfuscation to the client. This attempts
to hide inter-keystroke timings by sending interactive traffic at
fixed intervals (default: every 20ms) when there is only a small
amount of data being sent. It also sends fake "chaff" keystrokes for
a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.
* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
* sshd(8): allow override of Subsystem directives in sshd Match blocks.
Bugfixes
--------
* scp(1): fix scp in SFTP mode recursive upload and download of
directories that contain symlinks to other directories. In scp mode,
the links would be followed, but in SFTP mode they were not. bz3611
* ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
sshsig signature files.
* ssh(1): interactive mode for ControlPersist sessions if they
originally requested a tty.
* sshd(8): make PerSourceMaxStartups first-match-wins
* sshd(8): limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.cw
bz3602
* sshd(8): Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
* sshd(8): correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
* ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
Portability
-----------
* Avoid clang zero-call-used-regs=all bug on Apple compilers, which
for some reason have version numbers that do not match the upstream
clang version numbers. bz#3584
* Fix configure test for zlib 1.3 and later/development versions. bz3604
(From OE-Core rev: 1f7a8aedecae81339d71c40f4cf7f6d1e5e4286c)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tests don't actually need sudo on core-image-ptest-openssh.
Based on logs seen in
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 it seems
that socket errors from sudo are creeping into stderr which are failing
the banner ptest from openssh. Removing sudo should help removing
the stderr messages and possibly cure the banner test failures.
(From OE-Core rev: 47e754f483b674b207bfddcc8d4c5d9a3008e102)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parsing sshd's config file with 'sed' does not work in for example the
case where somebody has made use of the new ability to add a config
fragment in /etc/ssh/sshd_config.d/ with one or more HostKey
stanzas. Also, sshd_config keywords are case-insensitive, but the
current sed pattern only matches the CamelCase spelling of HostKey.
In openssh 9.3, sshd learnt a new command line flag '-G', which causes
sshd to parse the given configuration file and print the resulting
effective configuration on stdout. So use that instead.
Furthermore, since that "effective configuration" includes the default
set of host keys if the configuration file has no HostKey stanzas, we
also avoid the script needing to know what sshd's default is - that
could plausibly change with some future release.
(From OE-Core rev: dd27f9d869b8aa28dfb18de037a24ab0ec735718)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop patch to improve logging since upstream rejected it
but capture failure logs in run-ptests with similar code
as what upstream uses when running the tests via
https://github.com/openssh/openssh-portable/blob/master/.github/run_test.sh#L23
(From OE-Core rev: 5f817f5a3897bca39eb832bb910b032632f275b8)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Log the input and output banner files. Output seems to
contain more lines than input which fails the test but
it's not clear what is in there from the ssh command
stderr. So print them out to dig deeper into the root
cause.
Upstream rejected previous logging patch so they will likely
do the same for this:
https://github.com/openssh/openssh-portable/pull/437
Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
(From OE-Core rev: 3230378d651ecc53ff5cac1aaa24f35d5cea8665)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Upstream rejected the change:
https://github.com/openssh/openssh-portable/pull/437
(From OE-Core rev: 46c5f3b7a57442b9979ad36b679900cf0b8f74d5)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When tests fail, capture the sshd and ssh client logs from
the failing test run. These are needed to investigate
the root cause.
Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
(From OE-Core rev: 7c6a0ee7961dc976dddbfd1615f90c2306970626)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
Update sha256sum
Remove backported patch
(From OE-Core rev: 51a6e56fcb28ec97ba3a4b40bbcd3d64e6d390d5)
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change sync the contents of this file with upstream's
ssh_config except for the locally added line
'Include /etc/ssh/ssh_config.d/*.conf'.
More specifically the ForwardXXX options are disabled by default,
this sync with what ssh_config(5) says about these two items.
In addition, the RSAAuthentication items are removed as they are v1 protocol.
See the contents of Changelog file in openssh project as below:
"""
commit bfe19197a92b7916f64a121fbd3c179abf15e218
Author: Darren Tucker <dtucker@dtucker.net>
Date: Fri Jul 2 15:43:28 2021 +1000
Remove now-unused SSHv1 enums.
sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options
and are no longer used.
"""
(From OE-Core rev: 01174262c6cb8f6d7b9dbe5292d0f93f72a15691)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
9795c401 (tag: V_9_3_P2) OpenSSH 9.3p2
bde3635f update version in README
f673f2f3 update RPM spec versions
d7790cdc disallow remote addition of FIDO/PKCS11 keys
b23fe83f terminate pkcs11 process for bad libraries
This includes the fix for CVE-2023-38408.
(From OE-Core rev: 7ae89bdeaa97c8d6a0b63e92da31290548f03168)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
(From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Below upstream commit removed BSD-4-Clause from the LICENSE variable,
Link: https://git.yoctoproject.org/poky/commit/?id=2c86f586d55d0f6b99053e3e4d14c9ee36fa8aa8
But actually if we check from the source code of the openssh for this
version (8.9p1), there are some files (openbsd-compat/libressl-api-compat.c)
still affected.
As upstream removed this BSD-4-clause license, there are still some files
has this license. Below file is affected by this BSD-4-clause contents when
the below command is executed
grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
openbsd-compat/libressl-api-compat.c
All advertising materials mentioning features or use of this software
Reason for backporting is some of the product restrict the BSD-4-Clause usage and the purpose of this commit is
to completely remove the BSD-4-Clause license from the openssh.
When checked in the master branch, openssh upstream removes the bsd-4 license compeletely from this commit
https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0
Hence Backport this commit completely to remove license of BSD-4-clause contents from code. Hunks are refreshed.
(From OE-Core rev: d9045a7bc6d9acc137c292b60a8ce4d24f359a19)
Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSH 9.3p1 fixes 1 HIGH level security vulnerability.
Upgrade the recipe to point to 9.3p1.
CVEs Fixed:
1) CVE-2023-28531
- ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints.
(From OE-Core rev: ca4b4165f388a8b8bb80c120a2baef00e7e3bcac)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
One of the openssl ptests needs the openssl binary so fails
on a minimal image without this. Add the missing dependency.
(From OE-Core rev: c29276b467ae10027f38cb403a2089b3558fc639)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 845334cb22708e7a88701aa0a1bc496a67f2b5d5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It appears that rngd is not needed as of linux-5.6 and later[1]
and should not be installed by default since the purpose of rngd
is to provide additional trusted sources of entropy.
We did some testing on real hardware, the result seems to support that
we no longer need rngd by default on kernel v5.6 and later.
Testing result as below:
1. observing the crng init stage.
the "random: crng init done" always available before fs being mounted.
2. generating random number without rngd.
testing command: dd if=/dev/random of=/dev/null status=progress
on Marvell CN96xx RDB board, speed almost 20.4 MB/s without block
on NXP i.mx6q board, speed almost 31.9 MB/s without block
on qemu x86-64, speed almost 2.6MB/s without block
3. using rngtest command without rngd
testing command: rngtest -c 1000 </dev/random
on Marvell CN96xx RDB board:
rngtest: input channel speed: (min=4.340; avg=135.364; max=146.719)Mibits/s
rngtest: FIPS tests speed: (min=8.197; avg=69.020; max=72.800)Mibits/s
rngtest: Program run time: 418771 microseconds
on NXP i.mx6q board:
rngtest: input channel speed: (min=96.820; avg=326.769; max=340.598)Mibits/s
rngtest: FIPS tests speed: (min=15.090; avg=37.543; max=40.324)Mibits/s
rngtest: Program run time: 570229 microseconds
on qemu x86-64:
rngtest: input channel speed: (min=37.769; avg=101.136; max=136.239)Mibits/s
rngtest: FIPS tests speed: (min=10.288; avg=30.682; max=40.155)Mibits/s
rngtest: Program run time: 836800 microseconds
4. observing sshd service.
using "systemctl disable rng-tools" disable service and reboot system.
system boot up normal, sshd service also start in normal time without
block.
Reference:
[1] https://github.com/torvalds/linux/commit/30c08efec8884fb106b8e57094baa51bb4c44e32
(From OE-Core rev: 868dfb46d96a27ec9041cb902fb769330277257d)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
License-Update: add Kungliga Tekniska Högskolan to copyright holders
(From OE-Core rev: c80a3a7a4a9dc40cbb675777a1ba1481532ecb05)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes it simpler to set specific ssh/sshd config options by adding
snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.
These specific directories are also used in Debian's default
configuration.
(From OE-Core rev: 70447c1680672bb4741a9e1c98aadc274e1ed5a0)
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes are caused by the removal of deprecated options.
ChallengeResponseAuthentication was replaced by
KbdInteractiveAuthentication in the SSHv2 protocol, see
https://www.openssh.com/txt/release-8.7
(From OE-Core rev: 3a66dd6e05a65446a43cba2bf6972e78b2b13c31)
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSH 9.0 uses sftp by default as the transport for scp, add in
sftp-server so that this works as expected for users, rather than being
left with a confusing "scp: Connection closed" message.
(From OE-Core rev: be61b9dac78f0d85c870a0d8304fb4b536ec4bc8)
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: ee2b6da307512beecebc468194d614ba5de33d01)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backport a patch to fix sandboxing issues seen on ppc32 and also on
riscv32 [1]
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3398
(From OE-Core rev: 90895a627be5e8a4e4943fa9195b5553416086d3)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
License-Update: blowfish relicensed under 3-BSD.
Fix up ptests; listing the helper binaries one by one
is not necessary. Unittests are skipped explicitly in run-ptest,
no need to avoid building them. They still take long, but they
can be executed on target if wanted.
(From OE-Core rev: 9f031d936edb69c038639656288c84564434b906)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
| |
(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 15ae6c75ed201d1f16c5cc1494314cb49968370c)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Repo-wide replacement to use newer variable to represent systemd
system unitdir directory.
(From OE-Core rev: 5ace3ada5c54500c71becc8e0c6eddeb8bc053e3)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
The license statement already includes BSD-2-Clause and BSD-3-Clause, so
remove the redundant and ambiguous BSD license.
(From OE-Core rev: 5c0b03cda19bcebfc71e1e601a4336fcda4bfc2b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: e744b59d6ba40ba1b810d8912ea65778655103bc)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Key generation may wait for user input, due to the existence of
temporary keys resulting from power interruption in the first boot.
This prevents users from login via ssh.
(From OE-Core rev: 3196249a6917a32491be56e70bbf26d3b9818e0e)
Signed-off-by: Asfak Rahman <asfakr@outlook.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
CVE only applies to some distributed RHEL binaries so irrelavent to us.
(From OE-Core rev: 5d8b3ddf91050f6745a99a8abb1c3b03c35247af)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.
(From OE-Core rev: 3670be602f2ace24dc49e196407efec577164050)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 5fd4497e7ad156fa426bb1913846c2b65a9fbd1b)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Update LICENSE to show that BSD-2-Clause, BSD-3-Clause and BSD-4-Clause
are all present.
(From OE-Core rev: d17938953fc2524bc5f04db4409a47aa400e756a)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
0f90440ca70abab947acbd77795e9f130967956c.patch
removed since it is included in 8.5p1
License Updated :
2-clause BSD license and 4-clause BSD license added
(From OE-Core rev: 60ab470f8759539547a96f1b47299b7b16d6a630)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
This fixes openssh failing to work on qemux86 with glibc 2.33 due to
seccomp and the fact new syscalls are used. Also likely fixes issues
on other platforms.
(From OE-Core rev: 22f8ce6e6d998c0539a40b2776b1a2abb4f44bb3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 0e9b2fe106e3c6c0a1f27e7a56a11e86e5de371e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The OpenSSH server, as used in Fedora and Red Hat Enterprise
Linux 7 and when running in a Kerberos environment, allows remote
authenticated users to log in as another user when they are listed
in the .k5users file of that user, which might bypass intended
authentication requirements that would force a local login.
Whitelist the CVE since this issue is Redhat specific.
(From OE-Core rev: 309132e50d23b1e3f15ef8db1a101166b35f7ca4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: fc394ade8a0033bc695d979e592e8e92a882c54d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
enabling it by default so there is no behavior change.
(From OE-Core rev: fe99349c1bd72b69d22ab0dc52b8825d3157b8e7)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|