From ea1e478c85f6b991aa9031c8ebea5dc5d725200b Mon Sep 17 00:00:00 2001 From: Marcel Ziswiler Date: Thu, 6 Apr 2017 17:33:24 +0200 Subject: openssh: update 6.7p1 -> 7.4p1 This is basically a back port of the following commits from the openembedded-core master branch: openssh: upgrade to 7.4p1 openssh: fix CVE-2016-8858 openssh: fix potential signed overflow to enable compilation with -ftrapv openssh: Upgrade 7.2p2 -> 7.3p1 openssh: add ed25519 host key location to read-only sshd config openssh: conditional compile DES code. openssh: fix init script restart with read-only-rootfs openssh: update homepage and summary openssh: Backport fix for CVE-2015-8325 openssh: Upgrade 7.1p2 -> 7.2p2 openssh: change URI to http: openssh: Security Fix CVE-2016-3115 openssh: Properly skip ptrace test if tools are missing openssh: Fix regex that sets sftp-server path for tests openssh: CVE-2016-1907 openssh: update to 7.1p2 openssh: redesign ssh-agent.sh regression test case openssh: enable X11Forwarding if distro feature x11 is set openssh: fix file permission for /etc/pam.d/sshd openssh: fix sshd key generation when systemd is in use and rootfs is readonly openssh: Upgrade 7.0p1 -> 7.1p1 openssh: build regression test binaries openssh: Upgrade 6.9p1 -> 7.0p1 openssh: Upgrade 6.8p1 -> 6.9p1 openssh: fix login fails for ssh -o Batchmode=yes with empty passwords openssh: Upgrade 6.7 - > 6.8 Revert "openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565" Signed-off-by: Marcel Ziswiler --- ...ial-signed-overflow-in-pointer-arithmatic.patch | 99 +++++++++++++ recipes-connectivity/openssh/openssh/init | 2 +- ...h-7.1p1-conditional-compile-des-in-cipher.patch | 119 +++++++++++++++ ...h-7.1p1-conditional-compile-des-in-pkcs11.patch | 70 +++++++++ recipes-connectivity/openssh/openssh/run-ptest | 39 ++++- recipes-connectivity/openssh/openssh/sshd@.service | 4 +- .../openssh/openssh/sshdgenkeys.service | 21 ++- recipes-connectivity/openssh/openssh_7.4p1.bb | 164 +++++++++++++++++++++ 8 files changed, 510 insertions(+), 8 deletions(-) create mode 100644 recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch create mode 100644 recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch create mode 100644 recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch create mode 100644 recipes-connectivity/openssh/openssh_7.4p1.bb diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch new file mode 100644 index 0000000..df64a14 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -0,0 +1,99 @@ +From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001 +From: Yuanjie Huang +Date: Wed, 24 Aug 2016 03:15:43 +0000 +Subject: [PATCH] Fix potential signed overflow in pointer arithmatic + +Pointer arithmatic results in implementation defined signed integer +type, so that 's - src' in strlcpy and others may trigger signed overflow. +In case of compilation by gcc or clang with -ftrapv option, the overflow +would lead to program abort. + +Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] + +Signed-off-by: Yuanjie Huang +--- + openbsd-compat/strlcat.c | 8 ++++++-- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c +index bcc1b61..e758ebf 100644 +--- a/openbsd-compat/strlcat.c ++++ b/openbsd-compat/strlcat.c +@@ -23,6 +23,7 @@ + + #include + #include ++#include + + /* + * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) + s++; + } + *d = '\0'; +- +- return(dlen + (s - src)); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCAT */ +diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c +index b4b1b60..b06f374 100644 +--- a/openbsd-compat/strlcpy.c ++++ b/openbsd-compat/strlcpy.c +@@ -23,6 +23,7 @@ + + #include + #include ++#include + + /* + * Copy src to string dst of size siz. At most siz-1 characters +@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz) + while (*s++) + ; + } +- +- return(s - src - 1); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCPY */ +diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c +index 93d5155..9b8de5d 100644 +--- a/openbsd-compat/strnlen.c ++++ b/openbsd-compat/strnlen.c +@@ -23,6 +23,7 @@ + #include + + #include ++#include + + size_t + strnlen(const char *str, size_t maxlen) +@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen) + + for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) + ; +- +- return (size_t)(cp - str); ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (size_t)((uintptr_t)cp - (uintptr_t)str); + } + #endif +-- +1.9.1 + diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init index 70d4a34..1f63725 100644 --- a/recipes-connectivity/openssh/openssh/init +++ b/recipes-connectivity/openssh/openssh/init @@ -41,7 +41,7 @@ check_privsep_dir() { } check_config() { - /usr/sbin/sshd -t || exit 1 + /usr/sbin/sshd -t $SSHD_OPTS || exit 1 } check_keys() { diff --git a/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch new file mode 100644 index 0000000..c47ccf4 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch @@ -0,0 +1,119 @@ +From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001 +From: Dengke Du +Date: Thu, 19 Jan 2017 03:00:08 -0500 +Subject: [PATCH 1/3] Remove des in cipher. + +Upstream-status: Pending + +Signed-off-by: Haiqing Bai +Signed-off-by: Jussi Kukkonen +Signed-off-by: Dengke Du +--- + cipher.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/cipher.c b/cipher.c +index 2def333..59f6792 100644 +--- a/cipher.c ++++ b/cipher.c +@@ -53,8 +53,10 @@ + + #ifdef WITH_SSH1 + extern const EVP_CIPHER *evp_ssh1_bf(void); ++#ifndef OPENSSL_NO_DES + extern const EVP_CIPHER *evp_ssh1_3des(void); + extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); ++#endif /* OPENSSL_NO_DES */ + #endif + + struct sshcipher_ctx { +@@ -88,15 +90,19 @@ struct sshcipher { + + static const struct sshcipher ciphers[] = { + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, ++#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, + # endif /* OPENSSL_NO_BF */ + #endif /* WITH_SSH1 */ + #ifdef WITH_OPENSSL ++#ifndef OPENSSL_NO_DES + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, ++#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF + { "blowfish-cbc", + SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, +@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c) + u_int + cipher_seclen(const struct sshcipher *c) + { ++#ifndef OPENSSL_NO_DES + if (strcmp("3des-cbc", c->name) == 0) + return 14; ++#endif /* OPENSSL_NO_DES */ + return cipher_keylen(c); + } + +@@ -230,11 +238,13 @@ u_int + cipher_mask_ssh1(int client) + { + u_int mask = 0; ++#ifndef OPENSSL_NO_DES + mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ + mask |= 1 << SSH_CIPHER_BLOWFISH; + if (client) { + mask |= 1 << SSH_CIPHER_DES; + } ++#endif /*OPENSSL_NO_DES*/ + return mask; + } + +@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) + switch (c->number) { + #ifdef WITH_OPENSSL + case SSH_CIPHER_SSH2: ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_DES: ++#endif /* OPENSSL_NO_DES */ + case SSH_CIPHER_BLOWFISH: + evplen = EVP_CIPHER_CTX_iv_length(cc->evp); + if (evplen == 0) +@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) + break; + #endif + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_3DES: + return ssh1_3des_iv(cc->evp, 0, iv, 24); ++#endif /* OPENSSL_NO_DES */ + #endif + default: + return SSH_ERR_INVALID_ARGUMENT; +@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) + switch (c->number) { + #ifdef WITH_OPENSSL + case SSH_CIPHER_SSH2: ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_DES: ++#endif /* OPENSSL_NO_DES */ + case SSH_CIPHER_BLOWFISH: + evplen = EVP_CIPHER_CTX_iv_length(cc->evp); + if (evplen <= 0) +@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) + break; + #endif + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_3DES: + return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24); ++#endif /* OPENSSL_NO_DES */ + #endif + default: + return SSH_ERR_INVALID_ARGUMENT; +-- +2.8.1 + diff --git a/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch new file mode 100644 index 0000000..6281861 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch @@ -0,0 +1,70 @@ +From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001 +From: Dengke Du +Date: Thu, 19 Jan 2017 03:21:40 -0500 +Subject: [PATCH 2/3] remove des in pkcs11. + +Upstream-status: Pending + +Signed-off-by: Haiqing Bai +Signed-off-by: Dengke Du +--- + pkcs11.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/pkcs11.h b/pkcs11.h +index b01d58f..98b36e6 100644 +--- a/pkcs11.h ++++ b/pkcs11.h +@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t; + #define CKK_GENERIC_SECRET (0x10) + #define CKK_RC2 (0x11) + #define CKK_RC4 (0x12) ++#ifndef OPENSSL_NO_DES + #define CKK_DES (0x13) + #define CKK_DES2 (0x14) + #define CKK_DES3 (0x15) ++#endif /* OPENSSL_NO_DES */ + #define CKK_CAST (0x16) + #define CKK_CAST3 (0x17) + #define CKK_CAST128 (0x18) +@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_RC2_CBC_PAD (0x105) + #define CKM_RC4_KEY_GEN (0x110) + #define CKM_RC4 (0x111) ++#ifndef OPENSSL_NO_DES + #define CKM_DES_KEY_GEN (0x120) + #define CKM_DES_ECB (0x121) + #define CKM_DES_CBC (0x122) +@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_DES3_MAC (0x134) + #define CKM_DES3_MAC_GENERAL (0x135) + #define CKM_DES3_CBC_PAD (0x136) ++#endif /* OPENSSL_NO_DES */ + #define CKM_CDMF_KEY_GEN (0x140) + #define CKM_CDMF_ECB (0x141) + #define CKM_CDMF_CBC (0x142) +@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_MD5_KEY_DERIVATION (0x390) + #define CKM_MD2_KEY_DERIVATION (0x391) + #define CKM_SHA1_KEY_DERIVATION (0x392) ++#ifndef OPENSSL_NO_DES + #define CKM_PBE_MD2_DES_CBC (0x3a0) + #define CKM_PBE_MD5_DES_CBC (0x3a1) ++#endif /* OPENSSL_NO_DES */ + #define CKM_PBE_MD5_CAST_CBC (0x3a2) + #define CKM_PBE_MD5_CAST3_CBC (0x3a3) + #define CKM_PBE_MD5_CAST5_CBC (0x3a4) +@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_PBE_SHA1_CAST128_CBC (0x3a5) + #define CKM_PBE_SHA1_RC4_128 (0x3a6) + #define CKM_PBE_SHA1_RC4_40 (0x3a7) ++#ifndef OPENSSL_NO_DES + #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) + #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) ++#endif /* OPENSSL_NO_DES */ + #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) + #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) + #define CKM_PKCS5_PBKD2 (0x3b0) +-- +2.8.1 + diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest index 3e725cf..36a3d2a 100755 --- a/recipes-connectivity/openssh/openssh/run-ptest +++ b/recipes-connectivity/openssh/openssh/run-ptest @@ -3,5 +3,42 @@ export TEST_SHELL=sh cd regress -make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ +sed -i "/\t\tagent-ptrace /d" Makefile +make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' + +SSHAGENT=`which ssh-agent` +GDB=`which gdb` + +if [ -z "${SSHAGENT}" -o -z "${GDB}" ]; then + echo "SKIP: agent-ptrace" + exit +fi + +useradd openssh-test + +eval `su -c "${SSHAGENT} -s" openssh-test` > /dev/null +r=$? +if [ $r -ne 0 ]; then + echo "FAIL: could not start ssh-agent: exit code $r" +else + su -c "gdb -p ${SSH_AGENT_PID}" openssh-test > /tmp/gdb.out 2>&1 << EOF + quit +EOF + r=$? + if [ $r -ne 0 ]; then + echo "gdb failed: exit code $r" + fi + egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null /tmp/gdb.out + r=$? + rm -f /tmp/gdb.out + if [ $r -ne 0 ]; then + echo "FAIL: ptrace agent" + else + echo "PASS: ptrace agent" + fi + + ${SSHAGENT} -k > /dev/null +fi +userdel openssh-test + diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service index bb2d68e..9d83dfb 100644 --- a/recipes-connectivity/openssh/openssh/sshd@.service +++ b/recipes-connectivity/openssh/openssh/sshd@.service @@ -4,7 +4,9 @@ Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] -ExecStart=-@SBINDIR@/sshd -i +Environment="SSHD_OPTS=" +EnvironmentFile=-/etc/default/ssh +ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket StandardError=syslog diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service index d65086f..148e6ad 100644 --- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,11 +1,22 @@ [Unit] Description=OpenSSH Key Generation -ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key +RequiresMountsFor=/var /run +ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key +ConditionPathExists=!/etc/ssh/ssh_host_rsa_key +ConditionPathExists=!/etc/ssh/ssh_host_dsa_key +ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key +ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -ExecStart=@BINDIR@/ssh-keygen -A +Environment="SYSCONFDIR=/etc/ssh" +EnvironmentFile=-/etc/default/ssh +ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 Type=oneshot RemainAfterExit=yes diff --git a/recipes-connectivity/openssh/openssh_7.4p1.bb b/recipes-connectivity/openssh/openssh_7.4p1.bb new file mode 100644 index 0000000..3b3d667 --- /dev/null +++ b/recipes-connectivity/openssh/openssh_7.4p1.bb @@ -0,0 +1,164 @@ +SUMMARY = "A suite of security-related network utilities based on \ +the SSH protocol including the ssh client and sshd server" +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ +Ssh (Secure Shell) is a program for logging into a remote machine \ +and for executing commands on a remote machine." +HOMEPAGE = "http://www.openssh.com/" +SECTION = "console/network" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" + +DEPENDS = "zlib openssl" +DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ + file://sshd_config \ + file://ssh_config \ + file://init \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://sshd.socket \ + file://sshd@.service \ + file://sshdgenkeys.service \ + file://volatiles.99_sshd \ + file://add-test-support-for-busybox.patch \ + file://run-ptest \ + file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ + file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ + file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ + " + +PAM_SRC_URI = "file://sshd" + +SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3" +SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1" + +inherit useradd update-rc.d update-alternatives systemd + +USERADD_PACKAGES = "${PN}-sshd" +USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" +INITSCRIPT_PACKAGES = "${PN}-sshd" +INITSCRIPT_NAME_${PN}-sshd = "sshd" +INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" + +SYSTEMD_PACKAGES = "${PN}-sshd" +SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" + +inherit autotools-brokensep ptest + +# LFS support: +CFLAGS += "-D__FILE_OFFSET_BITS=64" + +# login path is hardcoded in sshd +EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + --without-zlib-version-check \ + --with-privsep-path=/var/run/sshd \ + --sysconfdir=${sysconfdir}/ssh \ + --with-xauth=/usr/bin/xauth \ + --disable-strip \ + " + +# Since we do not depend on libbsd, we do not want configure to use it +# just because it finds libutil.h. But, specifying --disable-libutil +# causes compile errors, so... +CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" + +# passwd path is hardcoded in sshd +CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" + +# We don't want to depend on libblockfile +CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" + +# This is a workaround for uclibc because including stdio.h +# pulls in pthreads.h and causes conflicts in function prototypes. +# This results in compilation failure, so unless this is fixed, +# disable pam for uclibc. +EXTRA_OECONF_append_libc-uclibc=" --without-pam" + +do_configure_prepend () { + export LD="${CC}" + install -m 0644 ${WORKDIR}/sshd_config ${B}/ + install -m 0644 ${WORKDIR}/ssh_config ${B}/ + if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then + cp aclocal.m4 acinclude.m4 + fi +} + +do_compile_ptest() { + # skip regress/unittests/ binaries: this will silently skip + # unittests in run-ptests which is good because they are so slow. + oe_runmake regress/modpipe regress/setuid-allowed regress/netcat +} + +do_install_append () { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then + install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd + sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} + install -d ${D}/${sysconfdir}/default/volatiles + install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd + install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} + + # Create config files for read-only rootfs + install -d ${D}${sysconfdir}/ssh + install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly + sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + + install -d ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BINDIR@,${bindir},g' \ + ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service +} + +do_install_ptest () { + sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh + cp -r regress ${D}${PTEST_PATH} +} + +ALLOW_EMPTY_${PN} = "1" + +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" +FILES_${PN}-scp = "${bindir}/scp.${BPN}" +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" +FILES_${PN}-sftp = "${bindir}/sftp" +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" +FILES_${PN}-keygen = "${bindir}/ssh-keygen" + +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" +RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" +RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" + +RPROVIDES_${PN}-ssh = "ssh" +RPROVIDES_${PN}-sshd = "sshd" + +RCONFLICTS_${PN} = "dropbear" +RCONFLICTS_${PN}-sshd = "dropbear" +RCONFLICTS_${PN}-keygen = "ssh-keygen" + +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" + +ALTERNATIVE_PRIORITY = "90" +ALTERNATIVE_${PN}-scp = "scp" +ALTERNATIVE_${PN}-ssh = "ssh" + -- cgit v1.2.3