author | Vyacheslav Pedash <vyacheslav.pedash@globallogic.com> | 2021-02-08 18:41:15 +0200 |
---|---|---|
committer | John Klug <john.klug@multitech.com> | 2021-02-09 13:53:42 -0600 |
commit | b22c4ce0fcea2099fe598f5537d7cced50613c07 (patch) | |
tree | aaaed811e4db4086559fc4002b6aa255d16cbe41 /recipes-connectivity/openssh/openssh-mlinux | |
parent | 58995ef9573038e7da17d4592ca14b90d62b3d10 (diff) | |
MTX-3787 Update openssh to ver 8.4p1
Diffstat (limited to 'recipes-connectivity/openssh/openssh-mlinux')
4 files changed, 217 insertions, 0 deletions
diff --git a/recipes-connectivity/openssh/openssh-mlinux/ssh.default b/recipes-connectivity/openssh/openssh-mlinux/ssh.default
new file mode 100644
index 0000000..d5c0507
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/ssh.default
@@ -0,0 +1,2 @@
+# put keys here
+SYSCONFDIR=/var/config/ssh
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd b/recipes-connectivity/openssh/openssh-mlinux/sshd
new file mode 100644
index 0000000..182650b
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth include common-auth
+account required pam_nologin.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session optional pam_radauth.so
+session include common-session
+session required pam_loginuid.so
+
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys
new file mode 100644
index 0000000..4af8d5c
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys
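Review bot: The PAM stack added for sshd is only consulted when sshd runs with `UsePAM yes`, but the sshd_config added in this same commit leaves `#UsePAM no` commented out, which is also the built-in default. If the recipe does not rewrite that line at install time (not visible in this diff), the `pam_nologin.so` account check and the `pam_radauth.so` session hook never run for SSH logins. A comment under the `#%PAM-1.0` line, for example `# used only when sshd_config sets UsePAM yes`, would make the dependency explicit for whoever edits either file next.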
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+generate_key() {
+ local FILE=$1
+ local TYPE=$2
+ local DIR="$(dirname "$FILE")"
+
+ mkdir -p "$DIR"
+ ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+ # Atomically rename file public key
+ mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+ # This sync does double duty: Ensuring that the data in the temporary
+ # private key file is on disk before the rename, and ensuring that the
+ # public key rename is completed before the private key rename, since we
+ # switch on the existence of the private key to trigger key generation.
+ # This does mean it is possible for the public key to exist, but be garbage
+ # but this is OK because in that case the private key won't exist and the
+ # keys will be regenerated.
+ #
+ # In the event that sync understands arguments that limit what it tries to
+ # fsync(), we provided them. If it does not, it will simply call sync()
+ # which is just as well
+ sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+ mv "${FILE}.tmp" "$FILE"
+
+ # sync to ensure the atomic rename is committed
+ sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+ . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+ case "$1" in
+ -f*) if [ "$1" = "-f" ] ; then
+ sshd_config="$2"
+ shift
+ else
+ sshd_config="${1#-f}"
+ fi
+ shift
+ ;;
+ --) shift; break;;
+ *) shift;;
+ esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_dsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+ [ -f $key ] && continue
+ case $key in
+ *_rsa_key)
+ echo " generating ssh RSA host key..."
+ generate_key $key rsa
+ ;;
+ *_dsa_key)
+ echo " generating ssh DSA host key..."
+ generate_key $key dsa
+ ;;
+ *_ecdsa_key)
+ echo " generating ssh ECDSA host key..."
+ generate_key $key ecdsa
+ ;;
+ *_ed25519_key)
+ echo " generating ssh ED25519 host key..."
+ generate_key $key ed25519
+ ;;
+ esac
+done
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_config b/recipes-connectivity/openssh/openssh-mlinux/sshd_config
new file mode 100644
index 0000000..7e9da84
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_config
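Review bot: In sshd_check_keys, generate_key neither checks the result of ssh-keygen nor clears a `${FILE}.tmp` left behind by an interrupted earlier run. With a stale temp file present ssh-keygen asks whether to overwrite it, which nobody can answer at boot, and after a failed run the two `mv` calls still execute. I would add `rm -f "${FILE}.tmp" "${FILE}.tmp.pub"` before the keygen call and change it to `ssh-keygen -q -f "${FILE}.tmp" -N '' -t "$TYPE" || return 1`. The fallback HOST_KEYS list also still names `ssh_host_dsa_key`; DSA keys are limited to 1024 bits and ssh-dss has been disabled by default since OpenSSH 7.0, so dropping that entry avoids generating a key sshd is not expected to offer. Quoting `$key`, `$TYPE` and `$SYSCONFDIR` where they are expanded would also make the script robust against paths containing spaces.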
@@ -0,0 +1,122 @@
+# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+
+# The default requires explicit activation of protocol 1
+Protocol 2
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server |
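Review bot: The HostKey lines in sshd_config are left commented with `/etc/ssh/...` paths, while ssh.default in this same commit sets `SYSCONFDIR=/var/config/ssh` and sshd_check_keys generates keys under `$SYSCONFDIR` when it finds no HostKey entry. Unless /etc/ssh is linked to /var/config/ssh or the init script passes the key paths to sshd (neither is visible in this diff), sshd would look for host keys in a different directory from the one they are generated in. Explicit lines such as `HostKey /var/config/ssh/ssh_host_ed25519_key` would make the two agree, because the script reads HostKey entries from this file. Separately, `Protocol 2` looks like a leftover: protocol 1 server support was removed well before 8.4p1, so that line and its comment could be dropped.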