summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch59
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch35
-rw-r--r--meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch47
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch111
-rwxr-xr-xmeta/recipes-connectivity/openssh/openssh/run-ptest17
-rw-r--r--meta/recipes-connectivity/openssh/openssh/ssh_config14
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd2
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.service18
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_check_keys5
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_config17
-rw-r--r--meta/recipes-connectivity/openssh/openssh_10.0p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_8.8p1.bb)130
12 files changed, 234 insertions, 222 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
new file mode 100644
index 0000000000..f424288e37
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -0,0 +1,59 @@
1From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
2From: Mikko Rapeli <mikko.rapeli@linaro.org>
3Date: Mon, 11 Sep 2023 09:55:21 +0100
4Subject: [PATCH] regress/banner.sh: log input and output files on error
5
6Some test environments like yocto with qemu are seeing these
7tests failing. There may be additional error messages in the
8stderr of ssh cloent command. busybox cmp shows this error when
9first input file has less new line characters then second
10input file:
11
12cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
13
14Logging the full banner.out will show what other error messages
15are captured in addition of the expected banner.
16
17Full log of a failing banner test runs is:
18
19run test banner.sh ...
20test banner: missing banner file
21test banner: size 0
22cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
23banner size 0 mismatch
24test banner: size 10
25test banner: size 100
26cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
27banner size 100 mismatch
28test banner: size 1000
29test banner: size 10000
30test banner: size 100000
31test banner: suppress banner (-q)
32FAIL: banner
33return value: 1
34
35See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
36
37Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
38
39Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
40Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
41---
42 regress/banner.sh | 4 +++-
43 1 file changed, 3 insertions(+), 1 deletion(-)
44
45diff --git a/regress/banner.sh b/regress/banner.sh
46index a84feb5..de84957 100644
47--- a/regress/banner.sh
48+++ b/regress/banner.sh
49@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
50 verbose "test $tid: size $s"
51 ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
52 cmp $OBJ/banner.in $OBJ/banner.out ) || \
53- fail "banner size $s mismatch"
54+ ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
55+ verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
56+ fail "banner size $s mismatch" )
57 done
58
59 trace "test suppress banner (-q)"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..360b62af34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
1From 9dcccafe44ea17e972e7cddea205bbe9fe71d8d6 Mon Sep 17 00:00:00 2001
2From: Jose Quaresma <jose.quaresma@foundries.io>
3Date: Mon, 15 Jul 2024 18:43:08 +0100
4Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
5
6The SSHAGENT_BIN was changed in [1] to SSH_BIN but
7the last one don't use the absolute path and consequently
8the function increase_datafile_size can loops forever
9if the binary not found.
10
11[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
12
13Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
14
15Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
16---
17 regress/test-exec.sh | 5 +++++
18 1 file changed, 5 insertions(+)
19
20diff --git a/regress/test-exec.sh b/regress/test-exec.sh
21index 8a00c72..2891f27 100644
22--- a/regress/test-exec.sh
23+++ b/regress/test-exec.sh
24@@ -179,6 +179,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
25 fi
26
27 # Path to sshd must be absolute for rexec
28+case "$SSH" in
29+/*) ;;
30+*) SSH=`which $SSH` ;;
31+esac
32+
33 case "$SSHD" in
34 /*) ;;
35 *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
deleted file mode 100644
index b8402a4dee..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
1Adjust test cases to work with busybox.
2
3- Replace dd parameter "obs" with "bs".
4- Replace "head -<num>" with "head -n <num>".
5
6Signed-off-by: Maxin B. John <maxin.john@enea.com>
7Upstream-Status: Pending
8
9Index: openssh-7.6p1/regress/cipher-speed.sh
10===================================================================
11--- openssh-7.6p1.orig/regress/cipher-speed.sh
12+++ openssh-7.6p1/regress/cipher-speed.sh
13@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
14 printf "%-60s" "$c/$m:"
15 ( ${SSH} -o 'compression no' \
16 -F $OBJ/ssh_proxy -m $m -c $c somehost \
17- exec sh -c \'"dd of=/dev/null obs=32k"\' \
18+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
19 < ${DATA} ) 2>&1 | getbytes
20
21 if [ $? -ne 0 ]; then
22Index: openssh-7.6p1/regress/transfer.sh
23===================================================================
24--- openssh-7.6p1.orig/regress/transfer.sh
25+++ openssh-7.6p1/regress/transfer.sh
26@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted
27 for s in 10 100 1k 32k 64k 128k 256k; do
28 trace "dd-size ${s}"
29 rm -f ${COPY}
30- dd if=$DATA obs=${s} 2> /dev/null | \
31+ dd if=$DATA bs=${s} 2> /dev/null | \
32 ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
33 if [ $? -ne 0 ]; then
34 fail "ssh cat $DATA failed"
35Index: openssh-7.6p1/regress/key-options.sh
36===================================================================
37--- openssh-7.6p1.orig/regress/key-options.sh
38+++ openssh-7.6p1/regress/key-options.sh
39@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
40 fi
41
42 sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
43- from=`head -1 $authkeys | cut -f1 -d ' '`
44+ from=`head -n 1 $authkeys | cut -f1 -d ' '`
45 verbose "key option $from"
46 r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
47 if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
1From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
2From: Yuanjie Huang <yuanjie.huang@windriver.com>
3Date: Wed, 24 Aug 2016 03:15:43 +0000
4Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
5
6Pointer arithmatic results in implementation defined signed integer
7type, so that 's - src' in strlcpy and others may trigger signed overflow.
8In case of compilation by gcc or clang with -ftrapv option, the overflow
9would lead to program abort.
10
11Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
12
13Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
14
15Complete the fix
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
17---
18 openbsd-compat/strlcat.c | 10 +++++++---
19 openbsd-compat/strlcpy.c | 8 ++++++--
20 openbsd-compat/strnlen.c | 8 ++++++--
21 3 files changed, 19 insertions(+), 7 deletions(-)
22
23diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
24index bcc1b61..124e1e3 100644
25--- a/openbsd-compat/strlcat.c
26+++ b/openbsd-compat/strlcat.c
27@@ -23,6 +23,7 @@
28
29 #include <sys/types.h>
30 #include <string.h>
31+#include <stdint.h>
32
33 /*
34 * Appends src to string dst of size siz (unlike strncat, siz is the
35@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
36 /* Find the end of dst and adjust bytes left but don't go past end */
37 while (n-- != 0 && *d != '\0')
38 d++;
39- dlen = d - dst;
40+ dlen = (uintptr_t)d - (uintptr_t)dst;
41 n = siz - dlen;
42
43 if (n == 0)
44@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
45 s++;
46 }
47 *d = '\0';
48-
49- return(dlen + (s - src)); /* count does not include NUL */
50+ /*
51+ * Cast pointers to unsigned type before calculation, to avoid signed
52+ * overflow when the string ends where the MSB has changed.
53+ */
54+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
55 }
56
57 #endif /* !HAVE_STRLCAT */
58diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
59index b4b1b60..b06f374 100644
60--- a/openbsd-compat/strlcpy.c
61+++ b/openbsd-compat/strlcpy.c
62@@ -23,6 +23,7 @@
63
64 #include <sys/types.h>
65 #include <string.h>
66+#include <stdint.h>
67
68 /*
69 * Copy src to string dst of size siz. At most siz-1 characters
70@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
71 while (*s++)
72 ;
73 }
74-
75- return(s - src - 1); /* count does not include NUL */
76+ /*
77+ * Cast pointers to unsigned type before calculation, to avoid signed
78+ * overflow when the string ends where the MSB has changed.
79+ */
80+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
81 }
82
83 #endif /* !HAVE_STRLCPY */
84diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
85index 7ad3573..7040f1f 100644
86--- a/openbsd-compat/strnlen.c
87+++ b/openbsd-compat/strnlen.c
88@@ -23,6 +23,7 @@
89 #include <sys/types.h>
90
91 #include <string.h>
92+#include <stdint.h>
93
94 size_t
95 strnlen(const char *str, size_t maxlen)
96@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
97
98 for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
99 ;
100-
101- return (size_t)(cp - str);
102+ /*
103+ * Cast pointers to unsigned type before calculation, to avoid signed
104+ * overflow when the string ends where the MSB has changed.
105+ */
106+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
107 }
108 #endif
109--
1102.17.1
111
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index ae03e929b2..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,11 +1,26 @@
1#!/bin/sh 1#!/bin/sh
2 2
3export TEST_SSH_SSH=ssh
3export TEST_SHELL=sh 4export TEST_SHELL=sh
4export SKIP_UNIT=1 5export SKIP_UNIT=1
5 6
6cd regress 7cd regress
8
9# copied from openssh-portable/.github/run_test.sh
10output_failed_logs() {
11 for i in failed*.log; do
12 if [ -f "$i" ]; then
13 echo -------------------------------------------------------------------------
14 echo LOGFILE $i
15 cat $i
16 echo -------------------------------------------------------------------------
17 fi
18 done
19}
20trap output_failed_logs 0
21
7sed -i "/\t\tagent-ptrace /d" Makefile 22sed -i "/\t\tagent-ptrace /d" Makefile
8make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ 23make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
9 | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' 24 | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
10 25
11SSHAGENT=`which ssh-agent` 26SSHAGENT=`which ssh-agent`
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803e..cb2774a163 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ 1# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
2 2
3# This is the ssh client system-wide configuration file. See 3# This is the ssh client system-wide configuration file. See
4# ssh_config(5) for more information. This file provides defaults for 4# ssh_config(5) for more information. This file provides defaults for
@@ -17,11 +17,11 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20Host * 20Include /etc/ssh/ssh_config.d/*.conf
21 ForwardAgent yes 21
22 ForwardX11 yes 22# Host *
23# RhostsRSAAuthentication no 23# ForwardAgent no
24# RSAAuthentication yes 24# ForwardX11 no
25# PasswordAuthentication yes 25# PasswordAuthentication yes
26# HostbasedAuthentication no 26# HostbasedAuthentication no
27# GSSAPIAuthentication no 27# GSSAPIAuthentication no
@@ -36,7 +36,6 @@ Host *
36# IdentityFile ~/.ssh/id_ecdsa 36# IdentityFile ~/.ssh/id_ecdsa
37# IdentityFile ~/.ssh/id_ed25519 37# IdentityFile ~/.ssh/id_ed25519
38# Port 22 38# Port 22
39# Protocol 2
40# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc 39# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
41# MACs hmac-md5,hmac-sha1,umac-64@openssh.com 40# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
42# EscapeChar ~ 41# EscapeChar ~
@@ -46,3 +45,4 @@ Host *
46# VisualHostKey no 45# VisualHostKey no
47# ProxyCommand ssh -q -W %h:%p gateway.example.com 46# ProxyCommand ssh -q -W %h:%p gateway.example.com
48# RekeyLimit 1G 1h 47# RekeyLimit 1G 1h
48# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
index 4882e58b48..cf675a4dad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -7,4 +7,4 @@ password include common-password
7session optional pam_keyinit.so force revoke 7session optional pam_keyinit.so force revoke
8session include common-session 8session include common-session
9session required pam_loginuid.so 9session required pam_loginuid.so
10 10session required pam_env.so
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
new file mode 100644
index 0000000000..c71fff1cc1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -0,0 +1,18 @@
1[Unit]
2Description=OpenSSH server daemon
3Wants=sshdgenkeys.service
4After=sshdgenkeys.service
5After=nss-user-lookup.target
6
7[Service]
8Type=notify-reload
9Environment="SSHD_OPTS="
10EnvironmentFile=-/etc/default/ssh
11ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
12ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
13KillMode=process
14Restart=on-failure
15RestartSec=42s
16
17[Install]
18WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
1[Unit] 1[Unit]
2Conflicts=sshd.service 2Conflicts=sshd.service
3Wants=sshdgenkeys.service 3Wants=sshdgenkeys.service
4After=nss-user-lookup.target
4 5
5[Socket] 6[Socket]
6ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd 7ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index ef117de897..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
8 mkdir -p "$DIR" 8 mkdir -p "$DIR"
9 rm -f ${FILE}.tmp 9 rm -f ${FILE}.tmp
10 ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE 10 ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
11 11 chmod go-rwx "$FILE.tmp"
12 # Atomically rename file public key 12 # Atomically rename file public key
13 mv -f "${FILE}.tmp.pub" "${FILE}.pub" 13 mv -f "${FILE}.tmp.pub" "${FILE}.pub"
14 14
@@ -57,8 +57,7 @@ while true ; do
57 esac 57 esac
58done 58done
59 59
60HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") 60HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
61[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
62 61
63for key in ${HOST_KEYS} ; do 62for key in ${HOST_KEYS} ; do
64 [ -f $key ] && continue 63 [ -f $key ] && continue
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570..e9eaf93157 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ 1# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -10,6 +10,8 @@
10# possible, but leave them commented. Uncommented options override the 10# possible, but leave them commented. Uncommented options override the
11# default value. 11# default value.
12 12
13Include /etc/ssh/sshd_config.d/*.conf
14
13#Port 22 15#Port 22
14#AddressFamily any 16#AddressFamily any
15#ListenAddress 0.0.0.0 17#ListenAddress 0.0.0.0
@@ -57,9 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
57#PasswordAuthentication yes 59#PasswordAuthentication yes
58#PermitEmptyPasswords no 60#PermitEmptyPasswords no
59 61
60# Change to yes to enable challenge-response passwords (beware issues with 62# Change to yes to enable keyboard-interactive authentication (beware issues
61# some PAM modules and threads) 63# with some PAM modules and threads)
62ChallengeResponseAuthentication no 64KbdInteractiveAuthentication no
63 65
64# Kerberos options 66# Kerberos options
65#KerberosAuthentication no 67#KerberosAuthentication no
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no
73 75
74# Set this to 'yes' to enable PAM authentication, account processing, 76# Set this to 'yes' to enable PAM authentication, account processing,
75# and session processing. If this is enabled, PAM authentication will 77# and session processing. If this is enabled, PAM authentication will
76# be allowed through the ChallengeResponseAuthentication and 78# be allowed through the KbdInteractiveAuthentication and
77# PasswordAuthentication. Depending on your PAM configuration, 79# PasswordAuthentication. Depending on your PAM configuration,
78# PAM authentication via ChallengeResponseAuthentication may bypass 80# PAM authentication via KbdInteractiveAuthentication may bypass
79# the setting of "PermitRootLogin without-password". 81# the setting of "PermitRootLogin without-password".
80# If you just want the PAM account and session checks to run without 82# If you just want the PAM account and session checks to run without
81# PAM authentication, then enable this but set PasswordAuthentication 83# PAM authentication, then enable this but set PasswordAuthentication
82# and ChallengeResponseAuthentication to 'no'. 84# and KbdInteractiveAuthentication to 'no'.
83#UsePAM no 85#UsePAM no
84 86
85#AllowAgentForwarding yes 87#AllowAgentForwarding yes
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no
92#PrintMotd yes 94#PrintMotd yes
93#PrintLastLog yes 95#PrintLastLog yes
94#TCPKeepAlive yes 96#TCPKeepAlive yes
95#UseLogin no
96#PermitUserEnvironment no 97#PermitUserEnvironment no
97Compression no 98Compression no
98ClientAliveInterval 15 99ClientAliveInterval 15
diff --git a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index ee86bb92ab..2f446b5540 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -5,37 +5,38 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
5and for executing commands on a remote machine." 5and for executing commands on a remote machine."
6HOMEPAGE = "http://www.openssh.com/" 6HOMEPAGE = "http://www.openssh.com/"
7SECTION = "console/network" 7SECTION = "console/network"
8LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT" 8LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
9LIC_FILES_CHKSUM = "file://LICENCE;md5=d9d2753bdef9f19466dc7bc959114b11" 9LIC_FILES_CHKSUM = "file://LICENCE;md5=78ffb36e5a48c0d8c5648603a3b6c8eb"
10 10
11DEPENDS = "zlib openssl virtual/crypt" 11DEPENDS = "zlib openssl virtual/crypt"
12DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" 12DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
13 13
14SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ 14SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
15 file://sshd_config \ 15 file://sshd_config \
16 file://ssh_config \ 16 file://ssh_config \
17 file://init \ 17 file://init \
18 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ 18 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
19 file://sshd.service \
19 file://sshd.socket \ 20 file://sshd.socket \
20 file://sshd@.service \ 21 file://sshd@.service \
21 file://sshdgenkeys.service \ 22 file://sshdgenkeys.service \
22 file://volatiles.99_sshd \ 23 file://volatiles.99_sshd \
23 file://run-ptest \ 24 file://run-ptest \
24 file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
25 file://sshd_check_keys \ 25 file://sshd_check_keys \
26 file://add-test-support-for-busybox.patch \ 26 file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
27 file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
27 " 28 "
28SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9" 29SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
29 30
30# This CVE is specific to OpenSSH with the pam opie which we don't build/use here 31CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
31CVE_CHECK_WHITELIST += "CVE-2007-2768"
32 32
33# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 33# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
34# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded 34# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
35CVE_CHECK_WHITELIST += "CVE-2014-9278" 35CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
36Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
36 37
37# CVE only applies to some distributed RHEL binaries 38CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
38CVE_CHECK_WHITELIST += "CVE-2008-3844" 39CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
39 40
40PAM_SRC_URI = "file://sshd" 41PAM_SRC_URI = "file://sshd"
41 42
@@ -48,18 +49,23 @@ INITSCRIPT_NAME:${PN}-sshd = "sshd"
48INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" 49INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
49 50
50SYSTEMD_PACKAGES = "${PN}-sshd" 51SYSTEMD_PACKAGES = "${PN}-sshd"
51SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" 52SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
52 53
53inherit autotools-brokensep ptest 54inherit autotools-brokensep ptest pkgconfig
54 55
55PACKAGECONFIG ??= "rng-tools" 56# systemd-sshd-socket-mode means installing sshd.socket
57# and systemd-sshd-service-mode corresponding to sshd.service
58PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
59PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
56PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" 60PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
57PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" 61PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
58PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" 62PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
59PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" 63PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
60 64PACKAGECONFIG[systemd-sshd-socket-mode] = ""
61# Add RRECOMMENDS to rng-tools for sshd package 65PACKAGECONFIG[systemd-sshd-service-mode] = ""
62PACKAGECONFIG[rng-tools] = "" 66PACKAGECONFIG[hostkey-rsa] = ""
67PACKAGECONFIG[hostkey-ecdsa] = ""
68PACKAGECONFIG[hostkey-ed25519] = ""
63 69
64EXTRA_AUTORECONF += "--exclude=aclocal" 70EXTRA_AUTORECONF += "--exclude=aclocal"
65 71
@@ -76,6 +82,13 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
76# musl doesn't implement wtmp/utmp and logwtmp 82# musl doesn't implement wtmp/utmp and logwtmp
77EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" 83EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
78 84
85# Work around ICE on mips/mips64 starting in 9.6p1
86EXTRA_OECONF:append:mips = " --without-hardening"
87EXTRA_OECONF:append:mips64 = " --without-hardening"
88
89# Work around ICE on powerpc64le starting in 9.6p1
90EXTRA_OECONF:append:powerpc64le = " --without-hardening"
91
79# Since we do not depend on libbsd, we do not want configure to use it 92# Since we do not depend on libbsd, we do not want configure to use it
80# just because it finds libutil.h. But, specifying --disable-libutil 93# just because it finds libutil.h. But, specifying --disable-libutil
81# causes compile errors, so... 94# causes compile errors, so...
@@ -89,20 +102,42 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
89 102
90do_configure:prepend () { 103do_configure:prepend () {
91 export LD="${CC}" 104 export LD="${CC}"
92 install -m 0644 ${WORKDIR}/sshd_config ${B}/ 105 install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
93 install -m 0644 ${WORKDIR}/ssh_config ${B}/ 106 install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
94} 107}
95 108
96do_compile_ptest() { 109do_compile_ptest() {
97 # skip regress/unittests/ binaries: this will silently skip 110 oe_runmake regress-binaries regress-unit-binaries
98 # unittests in run-ptests which is good because they are so slow. 111}
99 oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \ 112
100 regress/check-perm regress/mkdtemp 113sshd_hostkey_setup() {
114 # Enable specific ssh host keys
115 sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
116 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
117 echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
118 fi
119 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
120 echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
121 fi
122 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
123 echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
124 fi
125
126 sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
127 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
128 echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
129 fi
130 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
131 echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
132 fi
133 if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
134 echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
135 fi
101} 136}
102 137
103do_install:append () { 138do_install:append () {
104 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then 139 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
105 install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd 140 install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
106 sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config 141 sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
107 fi 142 fi
108 143
@@ -111,40 +146,51 @@ do_install:append () {
111 fi 146 fi
112 147
113 install -d ${D}${sysconfdir}/init.d 148 install -d ${D}${sysconfdir}/init.d
114 install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd 149 install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
115 rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin 150 rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
116 rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} 151 rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
117 install -d ${D}/${sysconfdir}/default/volatiles 152 install -d ${D}/${sysconfdir}/default/volatiles
118 install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd 153 install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
119 install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} 154 install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
120 155
156 # Limit sshd_config access to the owner (default is 0644)
157 chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
158
121 # Create config files for read-only rootfs 159 # Create config files for read-only rootfs
122 install -d ${D}${sysconfdir}/ssh 160 install -d ${D}${sysconfdir}/ssh
123 install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly 161 install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
124 sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
125 echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
126 echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
127 echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
128 162
129 install -d ${D}${systemd_system_unitdir} 163 install -d ${D}${systemd_system_unitdir}
130 install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} 164 if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
131 install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} 165 install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
132 install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} 166 install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
167 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
168 -e 's,@SBINDIR@,${sbindir},g' \
169 -e 's,@BINDIR@,${bindir},g' \
170 -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
171 ${D}${systemd_system_unitdir}/sshd.socket
172 fi
173 if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
174 install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
175 fi
176 install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
133 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ 177 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
134 -e 's,@SBINDIR@,${sbindir},g' \ 178 -e 's,@SBINDIR@,${sbindir},g' \
135 -e 's,@BINDIR@,${bindir},g' \ 179 -e 's,@BINDIR@,${bindir},g' \
136 -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ 180 -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
137 ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service 181 ${D}${systemd_system_unitdir}/*.service
138 182
139 sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ 183 sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
140 ${D}${sysconfdir}/init.d/sshd 184 ${D}${sysconfdir}/init.d/sshd
141 185
142 install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys 186 install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
187 sshd_hostkey_setup
143} 188}
144 189
145do_install_ptest () { 190do_install_ptest () {
146 sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh 191 sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
147 cp -r regress ${D}${PTEST_PATH} 192 cp -r regress ${D}${PTEST_PATH}
193 cp config.h ${D}${PTEST_PATH}
148} 194}
149 195
150ALLOW_EMPTY:${PN} = "1" 196ALLOW_EMPTY:${PN} = "1"
@@ -152,22 +198,18 @@ ALLOW_EMPTY:${PN} = "1"
152PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" 198PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
153FILES:${PN}-scp = "${bindir}/scp.${BPN}" 199FILES:${PN}-scp = "${bindir}/scp.${BPN}"
154FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" 200FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
155FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" 201FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
156FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" 202FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
157FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" 203FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys ${libexecdir}/sshd-auth"
158FILES:${PN}-sftp = "${bindir}/sftp" 204FILES:${PN}-sftp = "${bindir}/sftp"
159FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" 205FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
160FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" 206FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
161FILES:${PN}-keygen = "${bindir}/ssh-keygen" 207FILES:${PN}-keygen = "${bindir}/ssh-keygen"
162 208
163RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" 209RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
164RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" 210RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
165RRECOMMENDS:${PN}-sshd:append:class-target = "\
166 ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
167"
168
169# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies 211# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
170RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" 212RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
171 213
172RPROVIDES:${PN}-ssh = "ssh" 214RPROVIDES:${PN}-ssh = "ssh"
173RPROVIDES:${PN}-sshd = "sshd" 215RPROVIDES:${PN}-sshd = "sshd"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-08 16:24:25 +0000