diff options
| author | Vyacheslav Pedash <vyacheslav.pedash@globallogic.com> | 2021-02-08 18:41:15 +0200 |
|---|---|---|
| committer | John Klug <john.klug@multitech.com> | 2021-02-09 13:53:42 -0600 |
| commit | b22c4ce0fcea2099fe598f5537d7cced50613c07 (patch) | |
| tree | aaaed811e4db4086559fc4002b6aa255d16cbe41 /recipes-connectivity/openssh/openssh | |
| parent | 58995ef9573038e7da17d4592ca14b90d62b3d10 (diff) | |
| download | meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.gz meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.bz2 meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.zip | |
MTX-3787 Update openssh to ver 8.4p1
Diffstat (limited to 'recipes-connectivity/openssh/openssh')
16 files changed, 200 insertions, 242 deletions
diff --git a/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch new file mode 100644 index 0000000..b88bc18 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch @@ -0,0 +1,28 @@ +From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Fri, 20 Nov 2020 13:37:54 +1100 +Subject: [PATCH] Add new pselect6_time64 syscall on ARM. + +This is apparently needed on armhfp/armv7hl. bz#3232, patch from +jjelen at redhat.com. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +Upstream-Status: Backport +[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e0768c063..5065ae7ef 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_pselect6 + SC_ALLOW(__NR_pselect6), + #endif ++#ifdef __NR_pselect6_time64 ++ SC_ALLOW(__NR_pselect6_time64), ++#endif + #ifdef __NR_read + SC_ALLOW(__NR_read), + #endif diff --git a/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch new file mode 100644 index 0000000..b8402a4 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch @@ -0,0 +1,47 @@ +Adjust test cases to work with busybox. + +- Replace dd parameter "obs" with "bs". +- Replace "head -<num>" with "head -n <num>". + +Signed-off-by: Maxin B. John <maxin.john@enea.com> +Upstream-Status: Pending + +Index: openssh-7.6p1/regress/cipher-speed.sh +=================================================================== +--- openssh-7.6p1.orig/regress/cipher-speed.sh ++++ openssh-7.6p1/regress/cipher-speed.sh +@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for + printf "%-60s" "$c/$m:" + ( ${SSH} -o 'compression no' \ + -F $OBJ/ssh_proxy -m $m -c $c somehost \ +- exec sh -c \'"dd of=/dev/null obs=32k"\' \ ++ exec sh -c \'"dd of=/dev/null bs=32k"\' \ + < ${DATA} ) 2>&1 | getbytes + + if [ $? -ne 0 ]; then +Index: openssh-7.6p1/regress/transfer.sh +=================================================================== +--- openssh-7.6p1.orig/regress/transfer.sh ++++ openssh-7.6p1/regress/transfer.sh +@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted + for s in 10 100 1k 32k 64k 128k 256k; do + trace "dd-size ${s}" + rm -f ${COPY} +- dd if=$DATA obs=${s} 2> /dev/null | \ ++ dd if=$DATA bs=${s} 2> /dev/null | \ + ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" +Index: openssh-7.6p1/regress/key-options.sh +=================================================================== +--- openssh-7.6p1.orig/regress/key-options.sh ++++ openssh-7.6p1/regress/key-options.sh +@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do + fi + + sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys +- from=`head -1 $authkeys | cut -f1 -d ' '` ++ from=`head -n 1 $authkeys | cut -f1 -d ' '` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` + if [ "$r" = "true" ]; then diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch index 7e043a2..20036da 100644 --- a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch +++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -11,14 +11,17 @@ would lead to program abort. Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> + +Complete the fix +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- - openbsd-compat/strlcat.c | 8 ++++++-- - openbsd-compat/strlcpy.c | 8 ++++++-- - openbsd-compat/strnlen.c | 8 ++++++-- - 3 files changed, 18 insertions(+), 6 deletions(-) + openbsd-compat/strlcat.c | 10 +++++++--- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c -index bcc1b61..e758ebf 100644 +index bcc1b61..124e1e3 100644 --- a/openbsd-compat/strlcat.c +++ b/openbsd-compat/strlcat.c @@ -23,6 +23,7 @@ @@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644 /* * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz) + /* Find the end of dst and adjust bytes left but don't go past end */ + while (n-- != 0 && *d != '\0') + d++; +- dlen = d - dst; ++ dlen = (uintptr_t)d - (uintptr_t)dst; + n = siz - dlen; + + if (n == 0) @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) s++; } @@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644 #endif /* !HAVE_STRLCPY */ diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c -index 93d5155..9b8de5d 100644 +index 7ad3573..7040f1f 100644 --- a/openbsd-compat/strnlen.c +++ b/openbsd-compat/strnlen.c @@ -23,6 +23,7 @@ @@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644 } #endif -- -1.9.1 +2.17.1 diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init index 386628a..8887e3a 100644 --- a/recipes-connectivity/openssh/openssh/init +++ b/recipes-connectivity/openssh/openssh/init @@ -19,25 +19,6 @@ fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR -parse_sshd_opts() { - set -- ${SSHD_OPTS} -- - sshd_config=/etc/ssh/sshd_config - while true ; do - case "$1" in - -f*) if [ "$1" = "-f" ] ; then - sshd_config="$2" - shift - else - sshd_config="${1#-f}" - fi - shift - ;; - --) shift; break;; - *) shift;; - esac - done -} - check_for_no_start() { # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then @@ -55,51 +36,7 @@ check_privsep_dir() { } check_config() { - /usr/sbin/sshd -t $SSHD_OPTS || exit 1 -} - -check_keys() { - # parse location of keys - local HOST_KEY_RSA - local HOST_KEY_DSA - local HOST_KEY_ECDSA - local HOST_KEY_ED25519 - - parse_sshd_opts - HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key - HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key - HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key - HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key - - # create keys if necessary - if [ ! -f $HOST_KEY_RSA ]; then - echo " generating ssh RSA key..." - mkdir -p $(dirname $HOST_KEY_RSA) - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa - fi - if [ ! -f $HOST_KEY_ECDSA ]; then - echo " generating ssh ECDSA key..." - mkdir -p $(dirname $HOST_KEY_ECDSA) - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa - fi - if [ ! -f $HOST_KEY_DSA ]; then - echo " generating ssh DSA key..." - mkdir -p $(dirname $HOST_KEY_DSA) - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa - fi - if [ ! -f $HOST_KEY_ED25519 ]; then - echo " generating ssh ED25519 key..." - mkdir -p $(dirname $HOST_KEY_ED25519) - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 - fi + /usr/sbin/sshd $SSHD_OPTS -t || exit 1 } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" @@ -108,30 +45,30 @@ case "$1" in start) check_for_no_start echo "Starting OpenBSD Secure Shell server: sshd" - check_keys + @LIBEXECDIR@/sshd_check_keys check_privsep_dir start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS - echo "done." + echo "done." ;; stop) - echo -n "Stopping OpenBSD Secure Shell server: sshd" + echo -n "Stopping OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd - echo "." + echo "." ;; reload|force-reload) check_for_no_start - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Reloading OpenBSD Secure Shell server's configuration" + echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd echo "." ;; restart) - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Restarting OpenBSD Secure Shell server: sshd" + echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd check_for_no_start check_privsep_dir diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch deleted file mode 100644 index d6fbd3b..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -ruN a/regress/cipher-speed.sh b/regress/cipher-speed.sh ---- a/regress/cipher-speed.sh 2019-12-03 13:16:36.091896387 -0600 -+++ b/regress/cipher-speed.sh 2019-12-03 13:28:29.726275955 -0600 -@@ -17,7 +17,7 @@ - printf "%-60s" "$c/$m:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -m $m -c $c somehost \ -- exec sh -c \'"dd of=/dev/null obs=32k"\' \ -+ exec sh -c \'"dd of=/dev/null bs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - - if [ $? -ne 0 ]; then -diff -ruN a/regress/key-options.sh b/regress/key-options.sh ---- a/regress/key-options.sh 2019-12-03 13:24:44.164243780 -0600 -+++ b/regress/key-options.sh 2019-12-03 13:33:14.447235791 -0600 -@@ -84,7 +84,7 @@ - fi - - sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys -- from=`head -1 $authkeys | cut -f1 -d ' '` -+ from=`head -n 1 $authkeys | cut -f1 -d ' '` - verbose "key option $from" - r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` - if [ "$r" = "true" ]; then -diff -ruN a/regress/transfer.sh b/regress/transfer.sh ---- a/regress/transfer.sh 2019-12-03 13:16:58.342857354 -0600 -+++ b/regress/transfer.sh 2019-12-03 13:29:08.733267753 -0600 -@@ -13,7 +13,7 @@ - for s in 10 100 1k 32k 64k 128k 256k; do - trace "dd-size ${s}" - rm -f ${COPY} -- dd if=$DATA obs=${s} 2> /dev/null | \ -+ dd if=$DATA bs=${s} 2> /dev/null | \ - ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" -diff -ruN a/regress/yes-head.sh b/regress/yes-head.sh ---- a/regress/yes-head.sh 2019-12-03 13:17:11.682259074 -0600 -+++ b/regress/yes-head.sh 2019-12-03 13:32:47.699869866 -0600 -@@ -3,7 +3,7 @@ - - tid="yes pipe head" - --lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` -+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch deleted file mode 100644 index 507026c..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/cipher.c 2019-12-03 12:46:22.282290586 -0600 -+++ b/cipher.c 2019-12-03 12:45:19.273805437 -0600 -@@ -158,8 +158,10 @@ - u_int - cipher_seclen(const struct sshcipher *c) - { -+#ifndef OPENSSL_NO_DES - if (strcmp("3des-cbc", c->name) == 0) - return 14; -+#endif - return cipher_keylen(c); - } - diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch deleted file mode 100644 index 46b60b5..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch +++ /dev/null @@ -1,52 +0,0 @@ ---- a/pkcs11.h 2019-12-03 12:52:10.920974412 -0600 -+++ b/pkcs11.h 2019-12-03 12:56:56.383171416 -0600 -@@ -342,9 +342,11 @@ - #define CKK_GENERIC_SECRET (0x10) - #define CKK_RC2 (0x11) - #define CKK_RC4 (0x12) -+#ifndef OPENSSL_NO_DES - #define CKK_DES (0x13) - #define CKK_DES2 (0x14) - #define CKK_DES3 (0x15) -+#endif /* OPENSSL_NO_DES */ - #define CKK_CAST (0x16) - #define CKK_CAST3 (0x17) - #define CKK_CAST128 (0x18) -@@ -512,6 +514,7 @@ - #define CKM_RC2_CBC_PAD (0x105) - #define CKM_RC4_KEY_GEN (0x110) - #define CKM_RC4 (0x111) -+#ifndef OPENSSL_NO_DES - #define CKM_DES_KEY_GEN (0x120) - #define CKM_DES_ECB (0x121) - #define CKM_DES_CBC (0x122) -@@ -525,6 +528,7 @@ - #define CKM_DES3_MAC (0x134) - #define CKM_DES3_MAC_GENERAL (0x135) - #define CKM_DES3_CBC_PAD (0x136) -+#endif /* OPENSSL_NO_DES */ - #define CKM_CDMF_KEY_GEN (0x140) - #define CKM_CDMF_ECB (0x141) - #define CKM_CDMF_CBC (0x142) -@@ -610,8 +614,10 @@ - #define CKM_MD5_KEY_DERIVATION (0x390) - #define CKM_MD2_KEY_DERIVATION (0x391) - #define CKM_SHA1_KEY_DERIVATION (0x392) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_MD2_DES_CBC (0x3a0) - #define CKM_PBE_MD5_DES_CBC (0x3a1) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_MD5_CAST_CBC (0x3a2) - #define CKM_PBE_MD5_CAST3_CBC (0x3a3) - #define CKM_PBE_MD5_CAST5_CBC (0x3a4) -@@ -620,8 +626,10 @@ - #define CKM_PBE_SHA1_CAST128_CBC (0x3a5) - #define CKM_PBE_SHA1_RC4_128 (0x3a6) - #define CKM_PBE_SHA1_RC4_40 (0x3a7) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) - #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) - #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) - #define CKM_PKCS5_PBKD2 (0x3b0) diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest index 36a3d2a..ae03e92 100755 --- a/recipes-connectivity/openssh/openssh/run-ptest +++ b/recipes-connectivity/openssh/openssh/run-ptest @@ -1,11 +1,12 @@ #!/bin/sh export TEST_SHELL=sh +export SKIP_UNIT=1 cd regress sed -i "/\t\tagent-ptrace /d" Makefile make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ - | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' + | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' SSHAGENT=`which ssh-agent` GDB=`which gdb` diff --git a/recipes-connectivity/openssh/openssh/ssh.default b/recipes-connectivity/openssh/openssh/ssh.default deleted file mode 100644 index d5c0507..0000000 --- a/recipes-connectivity/openssh/openssh/ssh.default +++ /dev/null @@ -1,2 +0,0 @@ -# put keys here -SYSCONFDIR=/var/config/ssh diff --git a/recipes-connectivity/openssh/openssh/ssh_config b/recipes-connectivity/openssh/openssh/ssh_config index 9e91915..e0d0238 100644 --- a/recipes-connectivity/openssh/openssh/ssh_config +++ b/recipes-connectivity/openssh/openssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -31,14 +31,14 @@ Host * # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# Protocol 2 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any diff --git a/recipes-connectivity/openssh/openssh/sshd b/recipes-connectivity/openssh/openssh/sshd index 182650b..4882e58 100644 --- a/recipes-connectivity/openssh/openssh/sshd +++ b/recipes-connectivity/openssh/openssh/sshd @@ -5,7 +5,6 @@ account required pam_nologin.so account include common-account password include common-password session optional pam_keyinit.so force revoke -session optional pam_radauth.so session include common-session session required pam_loginuid.so diff --git a/recipes-connectivity/openssh/openssh/sshd.socket b/recipes-connectivity/openssh/openssh/sshd.socket index 12c39b2..8d76d62 100644 --- a/recipes-connectivity/openssh/openssh/sshd.socket +++ b/recipes-connectivity/openssh/openssh/sshd.socket @@ -1,5 +1,6 @@ [Unit] Conflicts=sshd.service +Wants=sshdgenkeys.service [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service index 9d83dfb..9d9965e 100644 --- a/recipes-connectivity/openssh/openssh/sshd@.service +++ b/recipes-connectivity/openssh/openssh/sshd@.service @@ -1,13 +1,10 @@ [Unit] Description=OpenSSH Per-Connection Daemon -Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket -StandardError=syslog KillMode=process diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 0000000..1931dc7 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -0,0 +1,78 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done diff --git a/recipes-connectivity/openssh/openssh/sshd_config b/recipes-connectivity/openssh/openssh/sshd_config index 31fe5d9..15f061b 100644 --- a/recipes-connectivity/openssh/openssh/sshd_config +++ b/recipes-connectivity/openssh/openssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -15,43 +15,30 @@ #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -#RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -59,11 +46,9 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -72,7 +57,8 @@ AuthorizedKeysFile .ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options @@ -111,7 +97,7 @@ ChallengeResponseAuthentication no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 148e6ad..fd81793 100644 --- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,22 +1,9 @@ [Unit] Description=OpenSSH Key Generation RequiresMountsFor=/var /run -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -Environment="SYSCONFDIR=/etc/ssh" -EnvironmentFile=-/etc/default/ssh -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 +ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 |