From 5534deb69b0a2835fbbf149a00d1f6ba61cc8160 Mon Sep 17 00:00:00 2001 From: Andrei Dinu Date: Mon, 28 Jan 2013 10:50:04 +0200 Subject: openssh : upgrade to 6.1p1 Signed-off-by: Andrei Dinu Signed-off-by: Richard Purdie --- .../openssh/openssh-6.0p1/init | 92 ---------------- .../openssh/openssh-6.0p1/nostrip.patch | 20 ---- .../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ----- .../openssh/openssh-6.0p1/ssh_config | 46 -------- .../openssh/openssh-6.0p1/sshd | 10 -- .../openssh/openssh-6.0p1/sshd_config | 119 --------------------- .../openssh/openssh-6.1p1/init | 92 ++++++++++++++++ .../openssh/openssh-6.1p1/nostrip.patch | 20 ++++ .../openssh-6.1p1/openssh-CVE-2011-4327.patch | 27 +++++ .../openssh/openssh-6.1p1/ssh_config | 46 ++++++++ .../openssh/openssh-6.1p1/sshd | 10 ++ .../openssh/openssh-6.1p1/sshd_config | 119 +++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 107 ------------------ meta/recipes-connectivity/openssh/openssh_6.1p1.bb | 107 ++++++++++++++++++ 14 files changed, 421 insertions(+), 421 deletions(-) delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/init delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/nostrip.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/ssh_config delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/sshd delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/init create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/nostrip.patch create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/openssh-CVE-2011-4327.patch create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/ssh_config create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/sshd create mode 100644 meta/recipes-connectivity/openssh/openssh-6.1p1/sshd_config delete mode 100644 meta/recipes-connectivity/openssh/openssh_6.0p1.bb create mode 100644 meta/recipes-connectivity/openssh/openssh_6.1p1.bb diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/init b/meta/recipes-connectivity/openssh/openssh-6.0p1/init deleted file mode 100644 index cde52ef3f4..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/init +++ /dev/null @@ -1,92 +0,0 @@ -#! /bin/sh -set -e - -# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon - -test -x /usr/sbin/sshd || exit 0 -( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 - -if test -f /etc/default/ssh; then - . /etc/default/ssh -fi - -check_for_no_start() { - # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists - if [ -e /etc/ssh/sshd_not_to_be_run ]; then - echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" - exit 0 - fi -} - -check_privsep_dir() { - # Create the PrivSep empty dir if necessary - if [ ! -d /var/run/sshd ]; then - mkdir /var/run/sshd - chmod 0755 /var/run/sshd - fi -} - -check_config() { - /usr/sbin/sshd -t || exit 1 -} - -check_keys() { - # create keys if necessary - if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then - echo " generating ssh RSA key..." - ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa - fi - if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then - echo " generating ssh ECDSA key..." - ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa - fi - if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then - echo " generating ssh DSA key..." - ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa - fi -} - -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" - -case "$1" in - start) - check_for_no_start - echo "Starting OpenBSD Secure Shell server: sshd" - check_keys - check_privsep_dir - start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS - echo "done." - ;; - stop) - echo -n "Stopping OpenBSD Secure Shell server: sshd" - start-stop-daemon -K -x /usr/sbin/sshd - echo "." - ;; - - reload|force-reload) - check_for_no_start - check_keys - check_config - echo -n "Reloading OpenBSD Secure Shell server's configuration" - start-stop-daemon -K -s 1 -x /usr/sbin/sshd - echo "." - ;; - - restart) - check_keys - check_config - echo -n "Restarting OpenBSD Secure Shell server: sshd" - start-stop-daemon -K -oknodo -x /usr/sbin/sshd - check_for_no_start - check_privsep_dir - sleep 2 - start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS - echo "." - ;; - - *) - echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}" - exit 1 -esac - -exit 0 diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/nostrip.patch deleted file mode 100644 index 33111f5494..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/nostrip.patch +++ /dev/null @@ -1,20 +0,0 @@ -Disable stripping binaries during make install. - -Upstream-Status: Inappropriate [configuration] - -Build system specific. - -Signed-off-by: Scott Garman - -diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in ---- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 -+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 -@@ -29,7 +29,7 @@ - RAND_HELPER=$(libexecdir)/ssh-rand-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ --STRIP_OPT=@STRIP_OPT@ -+STRIP_OPT= - - PATHS= -DSSHDIR=\"$(sysconfdir)\" \ - -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch deleted file mode 100644 index 8489edcc82..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch +++ /dev/null @@ -1,27 +0,0 @@ -openssh-CVE-2011-4327 - -A security flaw was found in the way ssh-keysign, -a ssh helper program for host based authentication, -attempted to retrieve enough entropy information on configurations that -lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would -be executed to retrieve the entropy from the system environment). -A local attacker could use this flaw to obtain unauthorized access to host keys -via ptrace(2) process trace attached to the 'ssh-rand-helper' program. - -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 -http://www.openssh.com/txt/portable-keysign-rand-helper.adv - -Signed-off-by: Li Wang ---- a/ssh-keysign.c -+++ b/ssh-keysign.c -@@ -170,6 +170,10 @@ - key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); - key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); - key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); -+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || -+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || -+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) -+ fatal("fcntl failed"); - - original_real_uid = getuid(); /* XXX readconf.c needs this */ - if ((pw = getpwuid(original_real_uid)) == NULL) diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.0p1/ssh_config deleted file mode 100644 index 4a4a649ba8..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/ssh_config +++ /dev/null @@ -1,46 +0,0 @@ -# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -Host * - ForwardAgent yes - ForwardX11 yes -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd deleted file mode 100644 index 4882e58b48..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd +++ /dev/null @@ -1,10 +0,0 @@ -#%PAM-1.0 - -auth include common-auth -account required pam_nologin.so -account include common-account -password include common-password -session optional pam_keyinit.so force revoke -session include common-session -session required pam_loginuid.so - diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config deleted file mode 100644 index 4f9b626fbd..0000000000 --- a/meta/recipes-connectivity/openssh/openssh-6.0p1/sshd_config +++ /dev/null @@ -1,119 +0,0 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# Disable legacy (protocol version 1) support in the server for new -# installations. In future the default will change to require explicit -# activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -UsePrivilegeSeparation yes -#PermitUserEnvironment no -Compression no -ClientAliveInterval 15 -ClientAliveCountMax 4 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/init b/meta/recipes-connectivity/openssh/openssh-6.1p1/init new file mode 100644 index 0000000000..cde52ef3f4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/init @@ -0,0 +1,92 @@ +#! /bin/sh +set -e + +# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon + +test -x /usr/sbin/sshd || exit 0 +( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 + +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +check_for_no_start() { + # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists + if [ -e /etc/ssh/sshd_not_to_be_run ]; then + echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" + exit 0 + fi +} + +check_privsep_dir() { + # Create the PrivSep empty dir if necessary + if [ ! -d /var/run/sshd ]; then + mkdir /var/run/sshd + chmod 0755 /var/run/sshd + fi +} + +check_config() { + /usr/sbin/sshd -t || exit 1 +} + +check_keys() { + # create keys if necessary + if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then + echo " generating ssh RSA key..." + ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa + fi + if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then + echo " generating ssh ECDSA key..." + ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa + fi + if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then + echo " generating ssh DSA key..." + ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa + fi +} + +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" + +case "$1" in + start) + check_for_no_start + echo "Starting OpenBSD Secure Shell server: sshd" + check_keys + check_privsep_dir + start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS + echo "done." + ;; + stop) + echo -n "Stopping OpenBSD Secure Shell server: sshd" + start-stop-daemon -K -x /usr/sbin/sshd + echo "." + ;; + + reload|force-reload) + check_for_no_start + check_keys + check_config + echo -n "Reloading OpenBSD Secure Shell server's configuration" + start-stop-daemon -K -s 1 -x /usr/sbin/sshd + echo "." + ;; + + restart) + check_keys + check_config + echo -n "Restarting OpenBSD Secure Shell server: sshd" + start-stop-daemon -K -oknodo -x /usr/sbin/sshd + check_for_no_start + check_privsep_dir + sleep 2 + start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS + echo "." + ;; + + *) + echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}" + exit 1 +esac + +exit 0 diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.1p1/nostrip.patch new file mode 100644 index 0000000000..33111f5494 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/nostrip.patch @@ -0,0 +1,20 @@ +Disable stripping binaries during make install. + +Upstream-Status: Inappropriate [configuration] + +Build system specific. + +Signed-off-by: Scott Garman + +diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in +--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 ++++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 +@@ -29,7 +29,7 @@ + RAND_HELPER=$(libexecdir)/ssh-rand-helper + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +-STRIP_OPT=@STRIP_OPT@ ++STRIP_OPT= + + PATHS= -DSSHDIR=\"$(sysconfdir)\" \ + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.1p1/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000000..8489edcc82 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/openssh-CVE-2011-4327.patch @@ -0,0 +1,27 @@ +openssh-CVE-2011-4327 + +A security flaw was found in the way ssh-keysign, +a ssh helper program for host based authentication, +attempted to retrieve enough entropy information on configurations that +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would +be executed to retrieve the entropy from the system environment). +A local attacker could use this flaw to obtain unauthorized access to host keys +via ptrace(2) process trace attached to the 'ssh-rand-helper' program. + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 +http://www.openssh.com/txt/portable-keysign-rand-helper.adv + +Signed-off-by: Li Wang +--- a/ssh-keysign.c ++++ b/ssh-keysign.c +@@ -170,6 +170,10 @@ + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); ++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || ++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || ++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) ++ fatal("fcntl failed"); + + original_real_uid = getuid(); /* XXX readconf.c needs this */ + if ((pw = getpwuid(original_real_uid)) == NULL) diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.1p1/ssh_config new file mode 100644 index 0000000000..4a4a649ba8 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/ssh_config @@ -0,0 +1,46 @@ +# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Host * + ForwardAgent yes + ForwardX11 yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd b/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd new file mode 100644 index 0000000000..4882e58b48 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd @@ -0,0 +1,10 @@ +#%PAM-1.0 + +auth include common-auth +account required pam_nologin.so +account include common-account +password include common-password +session optional pam_keyinit.so force revoke +session include common-session +session required pam_loginuid.so + diff --git a/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd_config new file mode 100644 index 0000000000..4f9b626fbd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.1p1/sshd_config @@ -0,0 +1,119 @@ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# Disable legacy (protocol version 1) support in the server for new +# installations. In future the default will change to require explicit +# activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation yes +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb deleted file mode 100644 index df77040099..0000000000 --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb +++ /dev/null @@ -1,107 +0,0 @@ -SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ -Ssh (Secure Shell) is a program for logging into a remote machine \ -and for executing commands on a remote machine." -HOMEPAGE = "http://openssh.org" -SECTION = "console/network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" - -PR = "r4" - -DEPENDS = "zlib openssl" -DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -RPROVIDES = "ssh sshd" - -RCONFLICTS_${PN} = "dropbear" -RCONFLICTS_${PN}-sshd = "dropbear" -RCONFLICTS_${PN}-keygen = "ssh-keygen" - -SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ - file://nostrip.patch \ - file://sshd_config \ - file://ssh_config \ - file://init \ - file://openssh-CVE-2011-4327.patch \ - ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" - -PAM_SRC_URI = "file://sshd" -SRC_URI[md5sum] = "3c9347aa67862881c5da3f3b1c08da7b" -SRC_URI[sha256sum] = "589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de" - -inherit useradd update-rc.d update-alternatives - -USERADD_PACKAGES = "${PN}-sshd" -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" -INITSCRIPT_PACKAGES = "${PN}-sshd" -INITSCRIPT_NAME_${PN}-sshd = "sshd" -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" - -inherit autotools - -# LFS support: -CFLAGS += "-D__FILE_OFFSET_BITS=64" -export LD = "${CC}" - -EXTRA_OECONF = "--with-rand-helper=no \ - ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - --without-zlib-version-check \ - --with-privsep-path=/var/run/sshd \ - --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=/usr/bin/xauth" - -# This is a workaround for uclibc because including stdio.h -# pulls in pthreads.h and causes conflicts in function prototypes. -# This results in compilation failure, so unless this is fixed, -# disable pam for uclibc. -EXTRA_OECONF_append_libc-uclibc=" --without-pam" - -do_configure_prepend () { - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then - cp aclocal.m4 acinclude.m4 - fi -} - -do_compile_append () { - install -m 0644 ${WORKDIR}/sshd_config ${S}/ - install -m 0644 ${WORKDIR}/ssh_config ${S}/ -} - -do_install_append () { - for i in ${DISTRO_FEATURES}; - do - if [ ${i} = "pam" ]; then - install -d ${D}${sysconfdir}/pam.d - install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd - fi - done - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} -} - -ALLOW_EMPTY_${PN} = "1" - -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" -FILES_${PN}-scp = "${bindir}/scp.${BPN}" -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd" -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config" -FILES_${PN}-sftp = "${bindir}/sftp" -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" -FILES_${PN}-keygen = "${bindir}/ssh-keygen" - -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" -DEPENDS_${PN}-sshd += "update-rc.d" -RDEPENDS_${PN}-sshd += "update-rc.d ${PN}-keygen" - -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" - -ALTERNATIVE_PRIORITY = "90" -ALTERNATIVE_${PN}-scp = "scp" -ALTERNATIVE_${PN}-ssh = "ssh" - diff --git a/meta/recipes-connectivity/openssh/openssh_6.1p1.bb b/meta/recipes-connectivity/openssh/openssh_6.1p1.bb new file mode 100644 index 0000000000..71d71e4464 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_6.1p1.bb @@ -0,0 +1,107 @@ +SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ +Ssh (Secure Shell) is a program for logging into a remote machine \ +and for executing commands on a remote machine." +HOMEPAGE = "http://openssh.org" +SECTION = "console/network" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" + +PR = "r0" + +DEPENDS = "zlib openssl" +DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +RPROVIDES = "ssh sshd" + +RCONFLICTS_${PN} = "dropbear" +RCONFLICTS_${PN}-sshd = "dropbear" +RCONFLICTS_${PN}-keygen = "ssh-keygen" + +SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ + file://nostrip.patch \ + file://sshd_config \ + file://ssh_config \ + file://init \ + file://openssh-CVE-2011-4327.patch \ + ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" + +PAM_SRC_URI = "file://sshd" + +SRC_URI[md5sum] = "3345cbf4efe90ffb06a78670ab2d05d5" +SRC_URI[sha256sum] = "d1c157f6c0852e90c191cc7c9018a583b51e3db4035489cb262639d337a1c411" +inherit useradd update-rc.d update-alternatives + +USERADD_PACKAGES = "${PN}-sshd" +USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" +INITSCRIPT_PACKAGES = "${PN}-sshd" +INITSCRIPT_NAME_${PN}-sshd = "sshd" +INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" + +inherit autotools + +# LFS support: +CFLAGS += "-D__FILE_OFFSET_BITS=64" +export LD = "${CC}" + +EXTRA_OECONF = "--with-rand-helper=no \ + ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + --without-zlib-version-check \ + --with-privsep-path=/var/run/sshd \ + --sysconfdir=${sysconfdir}/ssh \ + --with-xauth=/usr/bin/xauth" + +# This is a workaround for uclibc because including stdio.h +# pulls in pthreads.h and causes conflicts in function prototypes. +# This results in compilation failure, so unless this is fixed, +# disable pam for uclibc. +EXTRA_OECONF_append_libc-uclibc=" --without-pam" + +do_configure_prepend () { + if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then + cp aclocal.m4 acinclude.m4 + fi +} + +do_compile_append () { + install -m 0644 ${WORKDIR}/sshd_config ${S}/ + install -m 0644 ${WORKDIR}/ssh_config ${S}/ +} + +do_install_append () { + for i in ${DISTRO_FEATURES}; + do + if [ ${i} = "pam" ]; then + install -d ${D}${sysconfdir}/pam.d + install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd + fi + done + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} +} + +ALLOW_EMPTY_${PN} = "1" + +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" +FILES_${PN}-scp = "${bindir}/scp.${BPN}" +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd" +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config" +FILES_${PN}-sftp = "${bindir}/sftp" +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" +FILES_${PN}-keygen = "${bindir}/ssh-keygen" + +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" +DEPENDS_${PN}-sshd += "update-rc.d" +RDEPENDS_${PN}-sshd += "update-rc.d ${PN}-keygen" + +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" + +ALTERNATIVE_PRIORITY = "90" +ALTERNATIVE_${PN}-scp = "scp" +ALTERNATIVE_${PN}-ssh = "ssh" + -- cgit v1.2.3