From 5a3947cce1289c72313364f803751e8db30430be Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Mon, 22 Aug 2016 15:23:15 +0300 Subject: openssh: Upgrade 7.2p2 -> 7.3p1 Remove CVE-2015-8325.patch as it's included upstream. Rebase another patch. (From OE-Core rev: 4b695379dcf378e8d77deaf7e558e8cbd314683c) Signed-off-by: Jussi Kukkonen Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../openssh/openssh/CVE-2015-8325.patch | 39 ----- ...h-7.1p1-conditional-compile-des-in-cipher.patch | 30 ++-- meta/recipes-connectivity/openssh/openssh_7.2p2.bb | 164 --------------------- meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 163 ++++++++++++++++++++ 4 files changed, 179 insertions(+), 217 deletions(-) delete mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh_7.2p2.bb create mode 100644 meta/recipes-connectivity/openssh/openssh_7.3p1.bb (limited to 'meta') diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch deleted file mode 100644 index 226389718d..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001 -From: Damien Miller -Date: Wed, 13 Apr 2016 10:39:57 +1000 -Subject: ignore PAM environment vars when UseLogin=yes - -If PAM is configured to read user-specified environment variables -and UseLogin=yes in sshd_config, then a hostile local user may -attack /bin/login via LD_PRELOAD or similar environment variables -set via PAM. - -CVE-2015-8325, found by Shayan Sadigh, via Colin Watson - - - -https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 - -CVE: CVE-2015-8325 -Upstream-Status: Backport -Signed-off-by: Jussi Kukkonen ---- - session.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/session.c b/session.c -index 4859245..4653b09 100644 ---- a/session.c -+++ b/session.c -@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell) - * Pull in any environment variables that may have - * been set by PAM. - */ -- if (options.use_pam) { -+ if (options.use_pam && !options.use_login) { - char **p; - - p = fetch_pam_child_environment(); --- -cgit v0.11.2 - diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch index 2e59589479..2773c14e5a 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch @@ -1,18 +1,18 @@ -From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001 +From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001 From: Haiqing Bai -Date: Fri, 18 Mar 2016 15:49:31 +0800 -Subject: [PATCH 2/3] remove des in cipher. +Date: Mon, 22 Aug 2016 14:11:16 +0300 +Subject: [PATCH] Remove des in cipher. Upstream-Status: Pending Signed-off-by: Haiqing Bai - +Signed-off-by: Jussi Kukkonen --- cipher.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/cipher.c b/cipher.c -index 02dae6f..63d3c29 100644 +index 031bda9..6cd667a 100644 --- a/cipher.c +++ b/cipher.c @@ -53,8 +53,10 @@ @@ -26,7 +26,7 @@ index 02dae6f..63d3c29 100644 #endif struct sshcipher { -@@ -79,13 +81,17 @@ struct sshcipher { +@@ -79,15 +81,19 @@ struct sshcipher { static const struct sshcipher ciphers[] = { #ifdef WITH_SSH1 @@ -34,17 +34,19 @@ index 02dae6f..63d3c29 100644 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, +#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, + # endif /* OPENSSL_NO_BF */ #endif /* WITH_SSH1 */ #ifdef WITH_OPENSSL { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, +#ifndef OPENSSL_NO_DES { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, +#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, - { "cast128-cbc", -@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c) +@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c) u_int cipher_seclen(const struct sshcipher *c) { @@ -55,7 +57,7 @@ index 02dae6f..63d3c29 100644 return cipher_keylen(c); } -@@ -201,11 +209,13 @@ u_int +@@ -209,11 +217,13 @@ u_int cipher_mask_ssh1(int client) { u_int mask = 0; @@ -69,7 +71,7 @@ index 02dae6f..63d3c29 100644 return mask; } -@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) +@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) switch (c->number) { #ifdef WITH_OPENSSL case SSH_CIPHER_SSH2: @@ -79,7 +81,7 @@ index 02dae6f..63d3c29 100644 case SSH_CIPHER_BLOWFISH: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); if (evplen == 0) -@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) +@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) break; #endif #ifdef WITH_SSH1 @@ -90,7 +92,7 @@ index 02dae6f..63d3c29 100644 #endif default: return SSH_ERR_INVALID_ARGUMENT; -@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) +@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) switch (c->number) { #ifdef WITH_OPENSSL case SSH_CIPHER_SSH2: @@ -100,7 +102,7 @@ index 02dae6f..63d3c29 100644 case SSH_CIPHER_BLOWFISH: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); if (evplen <= 0) -@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) +@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) break; #endif #ifdef WITH_SSH1 @@ -112,5 +114,5 @@ index 02dae6f..63d3c29 100644 default: return SSH_ERR_INVALID_ARGUMENT; -- -1.9.1 +2.1.4 diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb deleted file mode 100644 index 3df825b777..0000000000 --- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb +++ /dev/null @@ -1,164 +0,0 @@ -SUMMARY = "A suite of security-related network utilities based on \ -the SSH protocol including the ssh client and sshd server" -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ -Ssh (Secure Shell) is a program for logging into a remote machine \ -and for executing commands on a remote machine." -HOMEPAGE = "http://www.openssh.com/" -SECTION = "console/network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" - -DEPENDS = "zlib openssl" -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ - file://sshd_config \ - file://ssh_config \ - file://init \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://sshd.socket \ - file://sshd@.service \ - file://sshdgenkeys.service \ - file://volatiles.99_sshd \ - file://add-test-support-for-busybox.patch \ - file://run-ptest \ - file://CVE-2015-8325.patch \ - file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ - file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ - " - -PAM_SRC_URI = "file://sshd" - -SRC_URI[md5sum] = "13009a9156510d8f27e752659075cced" -SRC_URI[sha256sum] = "a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c" - -inherit useradd update-rc.d update-alternatives systemd - -USERADD_PACKAGES = "${PN}-sshd" -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" -INITSCRIPT_PACKAGES = "${PN}-sshd" -INITSCRIPT_NAME_${PN}-sshd = "sshd" -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" - -SYSTEMD_PACKAGES = "${PN}-sshd" -SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" - -inherit autotools-brokensep ptest - -# LFS support: -CFLAGS += "-D__FILE_OFFSET_BITS=64" - -# login path is hardcoded in sshd -EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - --without-zlib-version-check \ - --with-privsep-path=/var/run/sshd \ - --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=/usr/bin/xauth \ - --disable-strip \ - " - -# Since we do not depend on libbsd, we do not want configure to use it -# just because it finds libutil.h. But, specifying --disable-libutil -# causes compile errors, so... -CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" - -# passwd path is hardcoded in sshd -CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" - -# We don't want to depend on libblockfile -CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" - -# This is a workaround for uclibc because including stdio.h -# pulls in pthreads.h and causes conflicts in function prototypes. -# This results in compilation failure, so unless this is fixed, -# disable pam for uclibc. -EXTRA_OECONF_append_libc-uclibc=" --without-pam" - -do_configure_prepend () { - export LD="${CC}" - install -m 0644 ${WORKDIR}/sshd_config ${B}/ - install -m 0644 ${WORKDIR}/ssh_config ${B}/ - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then - cp aclocal.m4 acinclude.m4 - fi -} - -do_compile_ptest() { - # skip regress/unittests/ binaries: this will silently skip - # unittests in run-ptests which is good because they are so slow. - oe_runmake regress/modpipe regress/setuid-allowed regress/netcat -} - -do_install_append () { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then - install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} - install -d ${D}/${sysconfdir}/default/volatiles - install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd - install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} - - # Create config files for read-only rootfs - install -d ${D}${sysconfdir}/ssh - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly - sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - - install -d ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - -e 's,@BINDIR@,${bindir},g' \ - ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service -} - -do_install_ptest () { - sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh - cp -r regress ${D}${PTEST_PATH} -} - -ALLOW_EMPTY_${PN} = "1" - -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" -FILES_${PN}-scp = "${bindir}/scp.${BPN}" -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" -FILES_${PN}-sftp = "${bindir}/sftp" -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" -FILES_${PN}-keygen = "${bindir}/ssh-keygen" - -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" -RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" - -RPROVIDES_${PN}-ssh = "ssh" -RPROVIDES_${PN}-sshd = "sshd" - -RCONFLICTS_${PN} = "dropbear" -RCONFLICTS_${PN}-sshd = "dropbear" -RCONFLICTS_${PN}-keygen = "ssh-keygen" - -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" - -ALTERNATIVE_PRIORITY = "90" -ALTERNATIVE_${PN}-scp = "scp" -ALTERNATIVE_${PN}-ssh = "ssh" - diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb new file mode 100644 index 0000000000..b31972649d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb @@ -0,0 +1,163 @@ +SUMMARY = "A suite of security-related network utilities based on \ +the SSH protocol including the ssh client and sshd server" +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ +Ssh (Secure Shell) is a program for logging into a remote machine \ +and for executing commands on a remote machine." +HOMEPAGE = "http://www.openssh.com/" +SECTION = "console/network" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" + +DEPENDS = "zlib openssl" +DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ + file://sshd_config \ + file://ssh_config \ + file://init \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://sshd.socket \ + file://sshd@.service \ + file://sshdgenkeys.service \ + file://volatiles.99_sshd \ + file://add-test-support-for-busybox.patch \ + file://run-ptest \ + file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ + file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ + " + +PAM_SRC_URI = "file://sshd" + +SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08" +SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc" + +inherit useradd update-rc.d update-alternatives systemd + +USERADD_PACKAGES = "${PN}-sshd" +USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" +INITSCRIPT_PACKAGES = "${PN}-sshd" +INITSCRIPT_NAME_${PN}-sshd = "sshd" +INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" + +SYSTEMD_PACKAGES = "${PN}-sshd" +SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" + +inherit autotools-brokensep ptest + +# LFS support: +CFLAGS += "-D__FILE_OFFSET_BITS=64" + +# login path is hardcoded in sshd +EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + --without-zlib-version-check \ + --with-privsep-path=/var/run/sshd \ + --sysconfdir=${sysconfdir}/ssh \ + --with-xauth=/usr/bin/xauth \ + --disable-strip \ + " + +# Since we do not depend on libbsd, we do not want configure to use it +# just because it finds libutil.h. But, specifying --disable-libutil +# causes compile errors, so... +CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" + +# passwd path is hardcoded in sshd +CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" + +# We don't want to depend on libblockfile +CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" + +# This is a workaround for uclibc because including stdio.h +# pulls in pthreads.h and causes conflicts in function prototypes. +# This results in compilation failure, so unless this is fixed, +# disable pam for uclibc. +EXTRA_OECONF_append_libc-uclibc=" --without-pam" + +do_configure_prepend () { + export LD="${CC}" + install -m 0644 ${WORKDIR}/sshd_config ${B}/ + install -m 0644 ${WORKDIR}/ssh_config ${B}/ + if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then + cp aclocal.m4 acinclude.m4 + fi +} + +do_compile_ptest() { + # skip regress/unittests/ binaries: this will silently skip + # unittests in run-ptests which is good because they are so slow. + oe_runmake regress/modpipe regress/setuid-allowed regress/netcat +} + +do_install_append () { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then + install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd + sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} + install -d ${D}/${sysconfdir}/default/volatiles + install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd + install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} + + # Create config files for read-only rootfs + install -d ${D}${sysconfdir}/ssh + install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly + sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + + install -d ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system + install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BINDIR@,${bindir},g' \ + ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service +} + +do_install_ptest () { + sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh + cp -r regress ${D}${PTEST_PATH} +} + +ALLOW_EMPTY_${PN} = "1" + +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" +FILES_${PN}-scp = "${bindir}/scp.${BPN}" +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" +FILES_${PN}-sftp = "${bindir}/sftp" +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" +FILES_${PN}-keygen = "${bindir}/ssh-keygen" + +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" +RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" +RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" + +RPROVIDES_${PN}-ssh = "ssh" +RPROVIDES_${PN}-sshd = "sshd" + +RCONFLICTS_${PN} = "dropbear" +RCONFLICTS_${PN}-sshd = "dropbear" +RCONFLICTS_${PN}-keygen = "ssh-keygen" + +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" + +ALTERNATIVE_PRIORITY = "90" +ALTERNATIVE_${PN}-scp = "scp" +ALTERNATIVE_${PN}-ssh = "ssh" + -- cgit 1.2.3-korg