From b22c4ce0fcea2099fe598f5537d7cced50613c07 Mon Sep 17 00:00:00 2001 From: Vyacheslav Pedash Date: Mon, 8 Feb 2021 18:41:15 +0200 Subject: MTX-3787 Update openssh to ver 8.4p1 --- .../openssh/openssh-mlinux/ssh.default | 2 + recipes-connectivity/openssh/openssh-mlinux/sshd | 11 ++ .../openssh/openssh-mlinux/sshd_check_keys | 82 ++++++++++ .../openssh/openssh-mlinux/sshd_config | 122 ++++++++++++++ .../0f90440ca70abab947acbd77795e9f130967956c.patch | 28 ++++ .../openssh/add-test-support-for-busybox.patch | 47 ++++++ ...ial-signed-overflow-in-pointer-arithmatic.patch | 26 ++- recipes-connectivity/openssh/openssh/init | 81 ++-------- ...penssh-8.1p1-add-test-support-for-busybox.patch | 48 ------ ...h-8.1p1-conditional-compile-des-in-cipher.patch | 13 -- ...h-8.1p1-conditional-compile-des-in-pkcs11.patch | 52 ------ recipes-connectivity/openssh/openssh/run-ptest | 3 +- recipes-connectivity/openssh/openssh/ssh.default | 2 - recipes-connectivity/openssh/openssh/ssh_config | 12 +- recipes-connectivity/openssh/openssh/sshd | 1 - recipes-connectivity/openssh/openssh/sshd.socket | 1 + recipes-connectivity/openssh/openssh/sshd@.service | 3 - .../openssh/openssh/sshd_check_keys | 78 +++++++++ recipes-connectivity/openssh/openssh/sshd_config | 30 +--- .../openssh/openssh/sshdgenkeys.service | 17 +- recipes-connectivity/openssh/openssh_%.bbappend | 22 --- recipes-connectivity/openssh/openssh_8.1p1.bb | 160 ------------------ recipes-connectivity/openssh/openssh_8.4p1.bb | 180 +++++++++++++++++++++ .../openssh/openssh_8.4p1.bbappend | 28 ++++ 24 files changed, 625 insertions(+), 424 deletions(-) create mode 100644 recipes-connectivity/openssh/openssh-mlinux/ssh.default create mode 100644 recipes-connectivity/openssh/openssh-mlinux/sshd create mode 100644 recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys create mode 100644 recipes-connectivity/openssh/openssh-mlinux/sshd_config create mode 100644 recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch create mode 100644 recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch delete mode 100644 recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch delete mode 100644 recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch delete mode 100644 recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch delete mode 100644 recipes-connectivity/openssh/openssh/ssh.default create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys delete mode 100644 recipes-connectivity/openssh/openssh_%.bbappend delete mode 100644 recipes-connectivity/openssh/openssh_8.1p1.bb create mode 100644 recipes-connectivity/openssh/openssh_8.4p1.bb create mode 100644 recipes-connectivity/openssh/openssh_8.4p1.bbappend (limited to 'recipes-connectivity/openssh') diff --git a/recipes-connectivity/openssh/openssh-mlinux/ssh.default b/recipes-connectivity/openssh/openssh-mlinux/ssh.default new file mode 100644 index 0000000..d5c0507 --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/ssh.default @@ -0,0 +1,2 @@ +# put keys here +SYSCONFDIR=/var/config/ssh diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd b/recipes-connectivity/openssh/openssh-mlinux/sshd new file mode 100644 index 0000000..182650b --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd @@ -0,0 +1,11 @@ +#%PAM-1.0 + +auth include common-auth +account required pam_nologin.so +account include common-account +password include common-password +session optional pam_keyinit.so force revoke +session optional pam_radauth.so +session include common-session +session required pam_loginuid.so + diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys new file mode 100644 index 0000000..4af8d5c --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys @@ -0,0 +1,82 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_dsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_dsa_key) + echo " generating ssh DSA host key..." + generate_key $key dsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_config b/recipes-connectivity/openssh/openssh-mlinux/sshd_config new file mode 100644 index 0000000..7e9da84 --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_config @@ -0,0 +1,122 @@ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + + +# The default requires explicit activation of protocol 1 +Protocol 2 + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch new file mode 100644 index 0000000..b88bc18 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch @@ -0,0 +1,28 @@ +From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Fri, 20 Nov 2020 13:37:54 +1100 +Subject: [PATCH] Add new pselect6_time64 syscall on ARM. + +This is apparently needed on armhfp/armv7hl. bz#3232, patch from +jjelen at redhat.com. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +Upstream-Status: Backport +[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e0768c063..5065ae7ef 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_pselect6 + SC_ALLOW(__NR_pselect6), + #endif ++#ifdef __NR_pselect6_time64 ++ SC_ALLOW(__NR_pselect6_time64), ++#endif + #ifdef __NR_read + SC_ALLOW(__NR_read), + #endif diff --git a/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch new file mode 100644 index 0000000..b8402a4 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch @@ -0,0 +1,47 @@ +Adjust test cases to work with busybox. + +- Replace dd parameter "obs" with "bs". +- Replace "head -" with "head -n ". + +Signed-off-by: Maxin B. John +Upstream-Status: Pending + +Index: openssh-7.6p1/regress/cipher-speed.sh +=================================================================== +--- openssh-7.6p1.orig/regress/cipher-speed.sh ++++ openssh-7.6p1/regress/cipher-speed.sh +@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for + printf "%-60s" "$c/$m:" + ( ${SSH} -o 'compression no' \ + -F $OBJ/ssh_proxy -m $m -c $c somehost \ +- exec sh -c \'"dd of=/dev/null obs=32k"\' \ ++ exec sh -c \'"dd of=/dev/null bs=32k"\' \ + < ${DATA} ) 2>&1 | getbytes + + if [ $? -ne 0 ]; then +Index: openssh-7.6p1/regress/transfer.sh +=================================================================== +--- openssh-7.6p1.orig/regress/transfer.sh ++++ openssh-7.6p1/regress/transfer.sh +@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted + for s in 10 100 1k 32k 64k 128k 256k; do + trace "dd-size ${s}" + rm -f ${COPY} +- dd if=$DATA obs=${s} 2> /dev/null | \ ++ dd if=$DATA bs=${s} 2> /dev/null | \ + ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" +Index: openssh-7.6p1/regress/key-options.sh +=================================================================== +--- openssh-7.6p1.orig/regress/key-options.sh ++++ openssh-7.6p1/regress/key-options.sh +@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do + fi + + sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys +- from=`head -1 $authkeys | cut -f1 -d ' '` ++ from=`head -n 1 $authkeys | cut -f1 -d ' '` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` + if [ "$r" = "true" ]; then diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch index 7e043a2..20036da 100644 --- a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch +++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -11,14 +11,17 @@ would lead to program abort. Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] Signed-off-by: Yuanjie Huang + +Complete the fix +Signed-off-by: Hongxu Jia --- - openbsd-compat/strlcat.c | 8 ++++++-- - openbsd-compat/strlcpy.c | 8 ++++++-- - openbsd-compat/strnlen.c | 8 ++++++-- - 3 files changed, 18 insertions(+), 6 deletions(-) + openbsd-compat/strlcat.c | 10 +++++++--- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c -index bcc1b61..e758ebf 100644 +index bcc1b61..124e1e3 100644 --- a/openbsd-compat/strlcat.c +++ b/openbsd-compat/strlcat.c @@ -23,6 +23,7 @@ @@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644 /* * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz) + /* Find the end of dst and adjust bytes left but don't go past end */ + while (n-- != 0 && *d != '\0') + d++; +- dlen = d - dst; ++ dlen = (uintptr_t)d - (uintptr_t)dst; + n = siz - dlen; + + if (n == 0) @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) s++; } @@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644 #endif /* !HAVE_STRLCPY */ diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c -index 93d5155..9b8de5d 100644 +index 7ad3573..7040f1f 100644 --- a/openbsd-compat/strnlen.c +++ b/openbsd-compat/strnlen.c @@ -23,6 +23,7 @@ @@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644 } #endif -- -1.9.1 +2.17.1 diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init index 386628a..8887e3a 100644 --- a/recipes-connectivity/openssh/openssh/init +++ b/recipes-connectivity/openssh/openssh/init @@ -19,25 +19,6 @@ fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR -parse_sshd_opts() { - set -- ${SSHD_OPTS} -- - sshd_config=/etc/ssh/sshd_config - while true ; do - case "$1" in - -f*) if [ "$1" = "-f" ] ; then - sshd_config="$2" - shift - else - sshd_config="${1#-f}" - fi - shift - ;; - --) shift; break;; - *) shift;; - esac - done -} - check_for_no_start() { # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then @@ -55,51 +36,7 @@ check_privsep_dir() { } check_config() { - /usr/sbin/sshd -t $SSHD_OPTS || exit 1 -} - -check_keys() { - # parse location of keys - local HOST_KEY_RSA - local HOST_KEY_DSA - local HOST_KEY_ECDSA - local HOST_KEY_ED25519 - - parse_sshd_opts - HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key - HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key - HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key - HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key - - # create keys if necessary - if [ ! -f $HOST_KEY_RSA ]; then - echo " generating ssh RSA key..." - mkdir -p $(dirname $HOST_KEY_RSA) - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa - fi - if [ ! -f $HOST_KEY_ECDSA ]; then - echo " generating ssh ECDSA key..." - mkdir -p $(dirname $HOST_KEY_ECDSA) - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa - fi - if [ ! -f $HOST_KEY_DSA ]; then - echo " generating ssh DSA key..." - mkdir -p $(dirname $HOST_KEY_DSA) - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa - fi - if [ ! -f $HOST_KEY_ED25519 ]; then - echo " generating ssh ED25519 key..." - mkdir -p $(dirname $HOST_KEY_ED25519) - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 - fi + /usr/sbin/sshd $SSHD_OPTS -t || exit 1 } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" @@ -108,30 +45,30 @@ case "$1" in start) check_for_no_start echo "Starting OpenBSD Secure Shell server: sshd" - check_keys + @LIBEXECDIR@/sshd_check_keys check_privsep_dir start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS - echo "done." + echo "done." ;; stop) - echo -n "Stopping OpenBSD Secure Shell server: sshd" + echo -n "Stopping OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd - echo "." + echo "." ;; reload|force-reload) check_for_no_start - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Reloading OpenBSD Secure Shell server's configuration" + echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd echo "." ;; restart) - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Restarting OpenBSD Secure Shell server: sshd" + echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd check_for_no_start check_privsep_dir diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch deleted file mode 100644 index d6fbd3b..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -ruN a/regress/cipher-speed.sh b/regress/cipher-speed.sh ---- a/regress/cipher-speed.sh 2019-12-03 13:16:36.091896387 -0600 -+++ b/regress/cipher-speed.sh 2019-12-03 13:28:29.726275955 -0600 -@@ -17,7 +17,7 @@ - printf "%-60s" "$c/$m:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -m $m -c $c somehost \ -- exec sh -c \'"dd of=/dev/null obs=32k"\' \ -+ exec sh -c \'"dd of=/dev/null bs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - - if [ $? -ne 0 ]; then -diff -ruN a/regress/key-options.sh b/regress/key-options.sh ---- a/regress/key-options.sh 2019-12-03 13:24:44.164243780 -0600 -+++ b/regress/key-options.sh 2019-12-03 13:33:14.447235791 -0600 -@@ -84,7 +84,7 @@ - fi - - sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys -- from=`head -1 $authkeys | cut -f1 -d ' '` -+ from=`head -n 1 $authkeys | cut -f1 -d ' '` - verbose "key option $from" - r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` - if [ "$r" = "true" ]; then -diff -ruN a/regress/transfer.sh b/regress/transfer.sh ---- a/regress/transfer.sh 2019-12-03 13:16:58.342857354 -0600 -+++ b/regress/transfer.sh 2019-12-03 13:29:08.733267753 -0600 -@@ -13,7 +13,7 @@ - for s in 10 100 1k 32k 64k 128k 256k; do - trace "dd-size ${s}" - rm -f ${COPY} -- dd if=$DATA obs=${s} 2> /dev/null | \ -+ dd if=$DATA bs=${s} 2> /dev/null | \ - ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" -diff -ruN a/regress/yes-head.sh b/regress/yes-head.sh ---- a/regress/yes-head.sh 2019-12-03 13:17:11.682259074 -0600 -+++ b/regress/yes-head.sh 2019-12-03 13:32:47.699869866 -0600 -@@ -3,7 +3,7 @@ - - tid="yes pipe head" - --lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` -+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch deleted file mode 100644 index 507026c..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/cipher.c 2019-12-03 12:46:22.282290586 -0600 -+++ b/cipher.c 2019-12-03 12:45:19.273805437 -0600 -@@ -158,8 +158,10 @@ - u_int - cipher_seclen(const struct sshcipher *c) - { -+#ifndef OPENSSL_NO_DES - if (strcmp("3des-cbc", c->name) == 0) - return 14; -+#endif - return cipher_keylen(c); - } - diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch deleted file mode 100644 index 46b60b5..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch +++ /dev/null @@ -1,52 +0,0 @@ ---- a/pkcs11.h 2019-12-03 12:52:10.920974412 -0600 -+++ b/pkcs11.h 2019-12-03 12:56:56.383171416 -0600 -@@ -342,9 +342,11 @@ - #define CKK_GENERIC_SECRET (0x10) - #define CKK_RC2 (0x11) - #define CKK_RC4 (0x12) -+#ifndef OPENSSL_NO_DES - #define CKK_DES (0x13) - #define CKK_DES2 (0x14) - #define CKK_DES3 (0x15) -+#endif /* OPENSSL_NO_DES */ - #define CKK_CAST (0x16) - #define CKK_CAST3 (0x17) - #define CKK_CAST128 (0x18) -@@ -512,6 +514,7 @@ - #define CKM_RC2_CBC_PAD (0x105) - #define CKM_RC4_KEY_GEN (0x110) - #define CKM_RC4 (0x111) -+#ifndef OPENSSL_NO_DES - #define CKM_DES_KEY_GEN (0x120) - #define CKM_DES_ECB (0x121) - #define CKM_DES_CBC (0x122) -@@ -525,6 +528,7 @@ - #define CKM_DES3_MAC (0x134) - #define CKM_DES3_MAC_GENERAL (0x135) - #define CKM_DES3_CBC_PAD (0x136) -+#endif /* OPENSSL_NO_DES */ - #define CKM_CDMF_KEY_GEN (0x140) - #define CKM_CDMF_ECB (0x141) - #define CKM_CDMF_CBC (0x142) -@@ -610,8 +614,10 @@ - #define CKM_MD5_KEY_DERIVATION (0x390) - #define CKM_MD2_KEY_DERIVATION (0x391) - #define CKM_SHA1_KEY_DERIVATION (0x392) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_MD2_DES_CBC (0x3a0) - #define CKM_PBE_MD5_DES_CBC (0x3a1) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_MD5_CAST_CBC (0x3a2) - #define CKM_PBE_MD5_CAST3_CBC (0x3a3) - #define CKM_PBE_MD5_CAST5_CBC (0x3a4) -@@ -620,8 +626,10 @@ - #define CKM_PBE_SHA1_CAST128_CBC (0x3a5) - #define CKM_PBE_SHA1_RC4_128 (0x3a6) - #define CKM_PBE_SHA1_RC4_40 (0x3a7) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) - #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) - #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) - #define CKM_PKCS5_PBKD2 (0x3b0) diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest index 36a3d2a..ae03e92 100755 --- a/recipes-connectivity/openssh/openssh/run-ptest +++ b/recipes-connectivity/openssh/openssh/run-ptest @@ -1,11 +1,12 @@ #!/bin/sh export TEST_SHELL=sh +export SKIP_UNIT=1 cd regress sed -i "/\t\tagent-ptrace /d" Makefile make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ - | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' + | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' SSHAGENT=`which ssh-agent` GDB=`which gdb` diff --git a/recipes-connectivity/openssh/openssh/ssh.default b/recipes-connectivity/openssh/openssh/ssh.default deleted file mode 100644 index d5c0507..0000000 --- a/recipes-connectivity/openssh/openssh/ssh.default +++ /dev/null @@ -1,2 +0,0 @@ -# put keys here -SYSCONFDIR=/var/config/ssh diff --git a/recipes-connectivity/openssh/openssh/ssh_config b/recipes-connectivity/openssh/openssh/ssh_config index 9e91915..e0d0238 100644 --- a/recipes-connectivity/openssh/openssh/ssh_config +++ b/recipes-connectivity/openssh/openssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -31,14 +31,14 @@ Host * # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# Protocol 2 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any diff --git a/recipes-connectivity/openssh/openssh/sshd b/recipes-connectivity/openssh/openssh/sshd index 182650b..4882e58 100644 --- a/recipes-connectivity/openssh/openssh/sshd +++ b/recipes-connectivity/openssh/openssh/sshd @@ -5,7 +5,6 @@ account required pam_nologin.so account include common-account password include common-password session optional pam_keyinit.so force revoke -session optional pam_radauth.so session include common-session session required pam_loginuid.so diff --git a/recipes-connectivity/openssh/openssh/sshd.socket b/recipes-connectivity/openssh/openssh/sshd.socket index 12c39b2..8d76d62 100644 --- a/recipes-connectivity/openssh/openssh/sshd.socket +++ b/recipes-connectivity/openssh/openssh/sshd.socket @@ -1,5 +1,6 @@ [Unit] Conflicts=sshd.service +Wants=sshdgenkeys.service [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service index 9d83dfb..9d9965e 100644 --- a/recipes-connectivity/openssh/openssh/sshd@.service +++ b/recipes-connectivity/openssh/openssh/sshd@.service @@ -1,13 +1,10 @@ [Unit] Description=OpenSSH Per-Connection Daemon -Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket -StandardError=syslog KillMode=process diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 0000000..1931dc7 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -0,0 +1,78 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done diff --git a/recipes-connectivity/openssh/openssh/sshd_config b/recipes-connectivity/openssh/openssh/sshd_config index 31fe5d9..15f061b 100644 --- a/recipes-connectivity/openssh/openssh/sshd_config +++ b/recipes-connectivity/openssh/openssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -15,43 +15,30 @@ #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -#RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -59,11 +46,9 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -72,7 +57,8 @@ AuthorizedKeysFile .ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options @@ -111,7 +97,7 @@ ChallengeResponseAuthentication no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 148e6ad..fd81793 100644 --- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,22 +1,9 @@ [Unit] Description=OpenSSH Key Generation RequiresMountsFor=/var /run -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -Environment="SYSCONFDIR=/etc/ssh" -EnvironmentFile=-/etc/default/ssh -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 +ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_%.bbappend deleted file mode 100644 index 53d3da1..0000000 --- a/recipes-connectivity/openssh/openssh_%.bbappend +++ /dev/null @@ -1,22 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://ssh.default" - -KEYFILES = "ssh_host_dsa_key \ -ssh_host_dsa_key.pub \ -ssh_host_ecdsa_key \ -ssh_host_ecdsa_key.pub \ -ssh_host_rsa_key \ -ssh_host_rsa_key.pub \ -ssh_host_ed25519_key \ -ssh_host_ed25519_key.pub \ -" - -do_install_append() { - install -d ${D}${sysconfdir}/default - install -m 644 ${WORKDIR}/ssh.default ${D}${sysconfdir}/default/ssh - for f in ${KEYFILES}; do - ln -sf /var/config/ssh/$f ${D}${sysconfdir}/ssh/$f - done -} -CONFFILES_${PN}-sshd += "${sysconfdir}/init.d/sshd" diff --git a/recipes-connectivity/openssh/openssh_8.1p1.bb b/recipes-connectivity/openssh/openssh_8.1p1.bb deleted file mode 100644 index 5bfd8e3..0000000 --- a/recipes-connectivity/openssh/openssh_8.1p1.bb +++ /dev/null @@ -1,160 +0,0 @@ -SUMMARY = "A suite of security-related network utilities based on \ -the SSH protocol including the ssh client and sshd server" -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ -Ssh (Secure Shell) is a program for logging into a remote machine \ -and for executing commands on a remote machine." -HOMEPAGE = "http://www.openssh.com/" -SECTION = "console/network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" - -DEPENDS = "zlib openssl" -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ - file://sshd_config \ - file://ssh_config \ - file://init \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://sshd.socket \ - file://sshd@.service \ - file://sshdgenkeys.service \ - file://volatiles.99_sshd \ - file://openssh-8.1p1-add-test-support-for-busybox.patch \ - file://run-ptest \ - file://openssh-8.1p1-conditional-compile-des-in-cipher.patch \ - file://openssh-8.1p1-conditional-compile-des-in-pkcs11.patch \ - file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ - " - -PAM_SRC_URI = "file://sshd" - -SRC_URI[md5sum] = "513694343631a99841e815306806edf0" -SRC_URI[sha256sum] = "02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff" - -inherit useradd update-rc.d update-alternatives systemd - -USERADD_PACKAGES = "${PN}-sshd" -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" -INITSCRIPT_PACKAGES = "${PN}-sshd" -INITSCRIPT_NAME_${PN}-sshd = "sshd" -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" - -SYSTEMD_PACKAGES = "${PN}-sshd" -SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" - -inherit autotools-brokensep ptest - -# LFS support: -CFLAGS += "-D__FILE_OFFSET_BITS=64" - -# login path is hardcoded in sshd -EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - --without-zlib-version-check \ - --with-privsep-path=/var/run/sshd \ - --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=/usr/bin/xauth \ - --disable-strip \ - " - -# Since we do not depend on libbsd, we do not want configure to use it -# just because it finds libutil.h. But, specifying --disable-libutil -# causes compile errors, so... -CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" - -# passwd path is hardcoded in sshd -CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" - -# We don't want to depend on libblockfile -CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" - -do_configure_prepend () { - export LD="${CC}" - install -m 0644 ${WORKDIR}/sshd_config ${B}/ - install -m 0644 ${WORKDIR}/ssh_config ${B}/ - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then - cp aclocal.m4 acinclude.m4 - fi -} - -do_compile_ptest() { - # skip regress/unittests/ binaries: this will silently skip - # unittests in run-ptests which is good because they are so slow. - oe_runmake regress/modpipe regress/setuid-allowed regress/netcat -} - -do_install_append () { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then - install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} - install -d ${D}/${sysconfdir}/default/volatiles - install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd - install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} - - # Create config files for read-only rootfs - install -d ${D}${sysconfdir}/ssh - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly - sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - - install -d ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - -e 's,@BINDIR@,${bindir},g' \ - ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service -} - -do_install_ptest () { - sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh - cp -r regress ${D}${PTEST_PATH} -} - -ALLOW_EMPTY_${PN} = "1" - -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" -FILES_${PN}-scp = "${bindir}/scp.${BPN}" -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" -FILES_${PN}-sftp = "${bindir}/sftp" -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" -FILES_${PN}-keygen = "${bindir}/ssh-keygen" - -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" -RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" - -RPROVIDES_${PN}-ssh = "ssh" -RPROVIDES_${PN}-sshd = "sshd" - -RCONFLICTS_${PN} = "dropbear" -RCONFLICTS_${PN}-sshd = "dropbear" -RCONFLICTS_${PN}-keygen = "ssh-keygen" - -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" - -ALTERNATIVE_PRIORITY = "90" -ALTERNATIVE_${PN}-scp = "scp" -ALTERNATIVE_${PN}-ssh = "ssh" - -do_rm_work () { -} diff --git a/recipes-connectivity/openssh/openssh_8.4p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb new file mode 100644 index 0000000..128e2e3 --- /dev/null +++ b/recipes-connectivity/openssh/openssh_8.4p1.bb @@ -0,0 +1,180 @@ +SUMMARY = "A suite of security-related network utilities based on \ +the SSH protocol including the ssh client and sshd server" +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ +Ssh (Secure Shell) is a program for logging into a remote machine \ +and for executing commands on a remote machine." +HOMEPAGE = "http://www.openssh.com/" +SECTION = "console/network" +LICENSE = "BSD & ISC & MIT" +LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" + +DEPENDS = "zlib openssl virtual/crypt" +DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ + file://sshd_config \ + file://ssh_config \ + file://init \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://sshd.socket \ + file://sshd@.service \ + file://sshdgenkeys.service \ + file://volatiles.99_sshd \ + file://run-ptest \ + file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ + file://sshd_check_keys \ + file://add-test-support-for-busybox.patch \ + file://0f90440ca70abab947acbd77795e9f130967956c.patch \ + " +SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" + +# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 +# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded +CVE_CHECK_WHITELIST += "CVE-2014-9278" + +PAM_SRC_URI = "file://sshd" + +inherit manpages useradd update-rc.d update-alternatives systemd + +USERADD_PACKAGES = "${PN}-sshd" +USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" +INITSCRIPT_PACKAGES = "${PN}-sshd" +INITSCRIPT_NAME_${PN}-sshd = "sshd" +INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" + +SYSTEMD_PACKAGES = "${PN}-sshd" +SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" + +inherit autotools-brokensep ptest + +PACKAGECONFIG ??= "rng-tools" +PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" +PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" +PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" +PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" + +# Add RRECOMMENDS to rng-tools for sshd package +PACKAGECONFIG[rng-tools] = "" + +EXTRA_AUTORECONF += "--exclude=aclocal" + +# login path is hardcoded in sshd +EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + --without-zlib-version-check \ + --with-privsep-path=${localstatedir}/run/sshd \ + --sysconfdir=${sysconfdir}/ssh \ + --with-xauth=${bindir}/xauth \ + --disable-strip \ + " + +# musl doesn't implement wtmp/utmp and logwtmp +EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog" + +# Since we do not depend on libbsd, we do not want configure to use it +# just because it finds libutil.h. But, specifying --disable-libutil +# causes compile errors, so... +CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" + +# passwd path is hardcoded in sshd +CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" + +# We don't want to depend on libblockfile +CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" + +do_configure_prepend () { + export LD="${CC}" + install -m 0644 ${WORKDIR}/sshd_config ${B}/ + install -m 0644 ${WORKDIR}/ssh_config ${B}/ +} + +do_compile_ptest() { + # skip regress/unittests/ binaries: this will silently skip + # unittests in run-ptests which is good because they are so slow. + oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \ + regress/check-perm regress/mkdtemp +} + +do_install_append () { + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then + install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd + sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} + install -d ${D}/${sysconfdir}/default/volatiles + install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd + install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} + + # Create config files for read-only rootfs + install -d ${D}${sysconfdir}/ssh + install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly + sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + + install -d ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BINDIR@,${bindir},g' \ + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service + + sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${sysconfdir}/init.d/sshd + + install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys +} + +do_install_ptest () { + sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh + cp -r regress ${D}${PTEST_PATH} +} + +ALLOW_EMPTY_${PN} = "1" + +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" +FILES_${PN}-scp = "${bindir}/scp.${BPN}" +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" +FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" +FILES_${PN}-sftp = "${bindir}/sftp" +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" +FILES_${PN}-keygen = "${bindir}/ssh-keygen" + +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" +RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" +RRECOMMENDS_${PN}-sshd_append_class-target = "\ + ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ +" + +# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies +RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" + +RPROVIDES_${PN}-ssh = "ssh" +RPROVIDES_${PN}-sshd = "sshd" + +RCONFLICTS_${PN} = "dropbear" +RCONFLICTS_${PN}-sshd = "dropbear" + +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" + +ALTERNATIVE_PRIORITY = "90" +ALTERNATIVE_${PN}-scp = "scp" +ALTERNATIVE_${PN}-ssh = "ssh" + +BBCLASSEXTEND += "nativesdk" diff --git a/recipes-connectivity/openssh/openssh_8.4p1.bbappend b/recipes-connectivity/openssh/openssh_8.4p1.bbappend new file mode 100644 index 0000000..9509e8f --- /dev/null +++ b/recipes-connectivity/openssh/openssh_8.4p1.bbappend @@ -0,0 +1,28 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-mlinux:" + +SRC_URI += "file://ssh.default \ + file://sshd \ + file://sshd_config \ + file://sshd_check_keys" + +KEYFILES = "ssh_host_dsa_key \ +ssh_host_dsa_key.pub \ +ssh_host_ecdsa_key \ +ssh_host_ecdsa_key.pub \ +ssh_host_rsa_key \ +ssh_host_rsa_key.pub \ +ssh_host_ed25519_key \ +ssh_host_ed25519_key.pub \ +" + +do_install_append() { + + echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + + install -d ${D}${sysconfdir}/default + install -m 644 ${WORKDIR}/ssh.default ${D}${sysconfdir}/default/ssh + for f in ${KEYFILES}; do + ln -sf /var/config/ssh/$f ${D}${sysconfdir}/ssh/$f + done +} +CONFFILES_${PN}-sshd += "${sysconfdir}/init.d/sshd" -- cgit v1.2.3