diff options
Diffstat (limited to 'yocto-poky/meta/recipes-connectivity/openssh')
14 files changed, 0 insertions, 1054 deletions
diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch b/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch deleted file mode 100644 index 9fac69c3d..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch +++ /dev/null @@ -1,65 +0,0 @@ -From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001 -From: "mmcc@openbsd.org" <mmcc@openbsd.org> -Date: Tue, 20 Oct 2015 03:36:35 +0000 -Subject: [PATCH] upstream commit - -Replace a function-local allocation with stack memory. - -ok djm@ - -Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e -Upstream-Status: Backport -CVE: CVE-2016-1907 - -[YOCTO #8935] - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - clientloop.c | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/clientloop.c b/clientloop.c -index 87ceb3d..1e05cba 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */ -+/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path, - static char proto[512], data[512]; - FILE *f; - int got_data = 0, generated = 0, do_unlink = 0, i; -- char *xauthdir, *xauthfile; -+ char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = ""; - struct stat st; - u_int now, x11_timeout_real; - -- xauthdir = xauthfile = NULL; - *_proto = proto; - *_data = data; - proto[0] = data[0] = '\0'; -@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path, - display = xdisplay; - } - if (trusted == 0) { -- xauthdir = xmalloc(PATH_MAX); -- xauthfile = xmalloc(PATH_MAX); - mktemp_proto(xauthdir, PATH_MAX); - /* - * The authentication cookie should briefly outlive -@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path, - unlink(xauthfile); - rmdir(xauthdir); - } -- free(xauthdir); -- free(xauthfile); - - /* - * If we didn't get authentication data, just make up some --- -1.9.1 - diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch b/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch deleted file mode 100644 index 3dfc51af7..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch +++ /dev/null @@ -1,329 +0,0 @@ -From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" <djm@openbsd.org> -Date: Wed, 13 Jan 2016 23:04:47 +0000 -Subject: [PATCH] upstream commit - -eliminate fallback from untrusted X11 forwarding to trusted - forwarding when the X server disables the SECURITY extension; Reported by - Thomas Hoger; ok deraadt@ - -Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938 -Upstream-Status: Backport -CVE: CVE-2016-1907 - -[YOCTO #8935] - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - clientloop.c | 114 ++++++++++++++++++++++++++++++++++++----------------------- - clientloop.h | 4 +-- - mux.c | 22 ++++++------ - ssh.c | 23 +++++------- - 4 files changed, 93 insertions(+), 70 deletions(-) - -Index: openssh-7.1p2/clientloop.c -=================================================================== ---- openssh-7.1p2.orig/clientloop.c -+++ openssh-7.1p2/clientloop.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */ -+/* $OpenBSD: clientloop.c,v 1.279 2016/01/13 23:04:47 djm Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -288,6 +288,9 @@ client_x11_display_valid(const char *dis - { - size_t i, dlen; - -+ if (display == NULL) -+ return 0; -+ - dlen = strlen(display); - for (i = 0; i < dlen; i++) { - if (!isalnum((u_char)display[i]) && -@@ -301,34 +304,33 @@ client_x11_display_valid(const char *dis - - #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" - #define X11_TIMEOUT_SLACK 60 --void -+int - client_x11_get_proto(const char *display, const char *xauth_path, - u_int trusted, u_int timeout, char **_proto, char **_data) - { -- char cmd[1024]; -- char line[512]; -- char xdisplay[512]; -+ char cmd[1024], line[512], xdisplay[512]; -+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX]; - static char proto[512], data[512]; - FILE *f; -- int got_data = 0, generated = 0, do_unlink = 0, i; -- char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = ""; -+ int got_data = 0, generated = 0, do_unlink = 0, i, r; - struct stat st; - u_int now, x11_timeout_real; - - *_proto = proto; - *_data = data; -- proto[0] = data[0] = '\0'; -+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0'; - -- if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { -- debug("No xauth program."); -- } else if (!client_x11_display_valid(display)) { -- logit("DISPLAY '%s' invalid, falling back to fake xauth data", -+ if (!client_x11_display_valid(display)) { -+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", - display); -- } else { -- if (display == NULL) { -- debug("x11_get_proto: DISPLAY not set"); -- return; -- } -+ return -1; -+ } -+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) { -+ debug("No xauth program."); -+ xauth_path = NULL; -+ } -+ -+ if (xauth_path != NULL) { - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. For this we -@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display - * is not perfect. - */ - if (strncmp(display, "localhost:", 10) == 0) { -- snprintf(xdisplay, sizeof(xdisplay), "unix:%s", -- display + 10); -+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s", -+ display + 10)) < 0 || -+ (size_t)r >= sizeof(xdisplay)) { -+ error("%s: display name too long", __func__); -+ return -1; -+ } - display = xdisplay; - } - if (trusted == 0) { -- mktemp_proto(xauthdir, PATH_MAX); - /* -+ * Generate an untrusted X11 auth cookie. -+ * - * The authentication cookie should briefly outlive - * ssh's willingness to forward X11 connections to - * avoid nasty fail-open behaviour in the X server. - */ -+ mktemp_proto(xauthdir, sizeof(xauthdir)); -+ if (mkdtemp(xauthdir) == NULL) { -+ error("%s: mkdtemp: %s", -+ __func__, strerror(errno)); -+ return -1; -+ } -+ do_unlink = 1; -+ if ((r = snprintf(xauthfile, sizeof(xauthfile), -+ "%s/xauthfile", xauthdir)) < 0 || -+ (size_t)r >= sizeof(xauthfile)) { -+ error("%s: xauthfile path too long", __func__); -+ unlink(xauthfile); -+ rmdir(xauthdir); -+ return -1; -+ } -+ - if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK) - x11_timeout_real = UINT_MAX; - else - x11_timeout_real = timeout + X11_TIMEOUT_SLACK; -- if (mkdtemp(xauthdir) != NULL) { -- do_unlink = 1; -- snprintf(xauthfile, PATH_MAX, "%s/xauthfile", -- xauthdir); -- snprintf(cmd, sizeof(cmd), -- "%s -f %s generate %s " SSH_X11_PROTO -- " untrusted timeout %u 2>" _PATH_DEVNULL, -- xauth_path, xauthfile, display, -- x11_timeout_real); -- debug2("x11_get_proto: %s", cmd); -- if (x11_refuse_time == 0) { -- now = monotime() + 1; -- if (UINT_MAX - timeout < now) -- x11_refuse_time = UINT_MAX; -- else -- x11_refuse_time = now + timeout; -- channel_set_x11_refuse_time( -- x11_refuse_time); -- } -- if (system(cmd) == 0) -- generated = 1; -+ if ((r = snprintf(cmd, sizeof(cmd), -+ "%s -f %s generate %s " SSH_X11_PROTO -+ " untrusted timeout %u 2>" _PATH_DEVNULL, -+ xauth_path, xauthfile, display, -+ x11_timeout_real)) < 0 || -+ (size_t)r >= sizeof(cmd)) -+ fatal("%s: cmd too long", __func__); -+ debug2("%s: %s", __func__, cmd); -+ if (x11_refuse_time == 0) { -+ now = monotime() + 1; -+ if (UINT_MAX - timeout < now) -+ x11_refuse_time = UINT_MAX; -+ else -+ x11_refuse_time = now + timeout; -+ channel_set_x11_refuse_time(x11_refuse_time); - } -+ if (system(cmd) == 0) -+ generated = 1; - } - - /* -@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display - got_data = 1; - if (f) - pclose(f); -- } else -- error("Warning: untrusted X11 forwarding setup failed: " -- "xauth key data not generated"); -+ } - } - - if (do_unlink) { -@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display - rmdir(xauthdir); - } - -+ /* Don't fall back to fake X11 data for untrusted forwarding */ -+ if (!trusted && !got_data) { -+ error("Warning: untrusted X11 forwarding setup failed: " -+ "xauth key data not generated"); -+ return -1; -+ } -+ - /* - * If we didn't get authentication data, just make up some - * data. The forwarding code will check the validity of the -@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display - rnd >>= 8; - } - } -+ -+ return 0; - } - - /* -Index: openssh-7.1p2/clientloop.h -=================================================================== ---- openssh-7.1p2.orig/clientloop.h -+++ openssh-7.1p2/clientloop.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */ -+/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */ - - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> -@@ -39,7 +39,7 @@ - - /* Client side main loop for the interactive session. */ - int client_loop(int, int, int); --void client_x11_get_proto(const char *, const char *, u_int, u_int, -+int client_x11_get_proto(const char *, const char *, u_int, u_int, - char **, char **); - void client_global_request_reply_fwd(int, u_int32_t, void *); - void client_session2_setup(int, int, int, const char *, struct termios *, -Index: openssh-7.1p2/mux.c -=================================================================== ---- openssh-7.1p2.orig/mux.c -+++ openssh-7.1p2/mux.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */ -+/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */ - /* - * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> - * -@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, - char *proto, *data; - - /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -+ if (client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, options.forward_x11_timeout, -- &proto, &data); -- /* Request forwarding with authentication spoofing. */ -- debug("Requesting X11 forwarding with authentication " -- "spoofing."); -- x11_request_forwarding_with_spoofing(id, display, proto, -- data, 1); -- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); -- /* XXX exit_on_forward_failure */ -+ &proto, &data) == 0) { -+ /* Request forwarding with authentication spoofing. */ -+ debug("Requesting X11 forwarding with authentication " -+ "spoofing."); -+ x11_request_forwarding_with_spoofing(id, display, proto, -+ data, 1); -+ /* XXX exit_on_forward_failure */ -+ client_expect_confirm(id, "X11 forwarding", -+ CONFIRM_WARN); -+ } - } - - if (cctx->want_agent_fwd && options.forward_agent) { -Index: openssh-7.1p2/ssh.c -=================================================================== ---- openssh-7.1p2.orig/ssh.c -+++ openssh-7.1p2/ssh.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */ -+/* $OpenBSD: ssh.c,v 1.433 2016/01/13 23:04:47 djm Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -1604,6 +1604,7 @@ ssh_session(void) - struct winsize ws; - char *cp; - const char *display; -+ char *proto = NULL, *data = NULL; - - /* Enable compression if requested. */ - if (options.compression) { -@@ -1674,13 +1675,9 @@ ssh_session(void) - display = getenv("DISPLAY"); - if (display == NULL && options.forward_x11) - debug("X11 forwarding requested but DISPLAY not set"); -- if (options.forward_x11 && display != NULL) { -- char *proto, *data; -- /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -- options.forward_x11_trusted, -- options.forward_x11_timeout, -- &proto, &data); -+ if (options.forward_x11 && client_x11_get_proto(display, -+ options.xauth_location, options.forward_x11_trusted, -+ options.forward_x11_timeout, &proto, &data) == 0) { - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication " - "spoofing."); -@@ -1770,6 +1767,7 @@ ssh_session2_setup(int id, int success, - extern char **environ; - const char *display; - int interactive = tty_flag; -+ char *proto = NULL, *data = NULL; - - if (!success) - return; /* No need for error message, channels code sens one */ -@@ -1777,12 +1775,9 @@ ssh_session2_setup(int id, int success, - display = getenv("DISPLAY"); - if (display == NULL && options.forward_x11) - debug("X11 forwarding requested but DISPLAY not set"); -- if (options.forward_x11 && display != NULL) { -- char *proto, *data; -- /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -- options.forward_x11_trusted, -- options.forward_x11_timeout, &proto, &data); -+ if (options.forward_x11 && client_x11_get_proto(display, -+ options.xauth_location, options.forward_x11_trusted, -+ options.forward_x11_timeout, &proto, &data) == 0) { - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication " - "spoofing."); diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch b/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch deleted file mode 100644 index f3d132e43..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" <djm@openbsd.org> -Date: Sun, 8 Nov 2015 21:59:11 +0000 -Subject: [PATCH] upstream commit - -fix OOB read in packet code caused by missing return - statement found by Ben Hawkes; ok markus@ deraadt@ - -Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 - -Upstream-Status: Backport -CVE: CVE-2016-1907 - -[YOCTO #8935] - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - packet.c | 1 + - 1 file changed, 1 insertion(+) - -Index: openssh-7.1p2/packet.c -=================================================================== ---- openssh-7.1p2.orig/packet.c -+++ openssh-7.1p2/packet.c -@@ -1855,6 +1855,7 @@ ssh_packet_process_incoming(struct ssh * - if (len >= state->packet_discard) { - if ((r = ssh_packet_stop_discard(ssh)) != 0) - return r; -+ return SSH_ERR_CONN_CORRUPT; - } - state->packet_discard -= len; - return 0; diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/yocto-poky/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch deleted file mode 100644 index adc25c668..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch +++ /dev/null @@ -1,69 +0,0 @@ -Adjust test cases to work with busybox. - -- Replace dd parameter "obs" with "bs". -- Replace "head -<num>" with "head -n <num>". - -Signed-off-by: Maxin B. John <maxin.john@enea.com> -Upstream-Status: Pending - -Index: openssh-6.8p1/regress/cipher-speed.sh -=================================================================== ---- openssh-6.8p1.orig/regress/cipher-speed.sh -+++ openssh-6.8p1/regress/cipher-speed.sh -@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for - printf "%-60s" "$c/$m:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ -- exec sh -c \'"dd of=/dev/null obs=32k"\' \ -+ exec sh -c \'"dd of=/dev/null bs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - - if [ $? -ne 0 ]; then -@@ -42,7 +42,7 @@ for c in $ciphers; do - printf "%-60s" "$c:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -1 -c $c somehost \ -- exec sh -c \'"dd of=/dev/null obs=32k"\' \ -+ exec sh -c \'"dd of=/dev/null bs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - if [ $? -ne 0 ]; then - fail "ssh -1 failed with cipher $c" -Index: openssh-6.8p1/regress/transfer.sh -=================================================================== ---- openssh-6.8p1.orig/regress/transfer.sh -+++ openssh-6.8p1/regress/transfer.sh -@@ -15,7 +15,7 @@ for p in ${SSH_PROTOCOLS}; do - for s in 10 100 1k 32k 64k 128k 256k; do - trace "proto $p dd-size ${s}" - rm -f ${COPY} -- dd if=$DATA obs=${s} 2> /dev/null | \ -+ dd if=$DATA bs=${s} 2> /dev/null | \ - ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" -Index: openssh-6.8p1/regress/yes-head.sh -=================================================================== ---- openssh-6.8p1.orig/regress/yes-head.sh -+++ openssh-6.8p1/regress/yes-head.sh -@@ -4,7 +4,7 @@ - tid="yes pipe head" - - for p in ${SSH_PROTOCOLS}; do -- lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` -+ lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; -Index: openssh-6.8p1/regress/key-options.sh -=================================================================== ---- openssh-6.8p1.orig/regress/key-options.sh -+++ openssh-6.8p1/regress/key-options.sh -@@ -54,7 +54,7 @@ for p in ${SSH_PROTOCOLS}; do - fi - - sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys -- from=`head -1 $authkeys | cut -f1 -d ' '` -+ from=`head -n 1 $authkeys | cut -f1 -d ' '` - verbose "key option proto $p $from" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` - if [ "$r" = "true" ]; then diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/init b/yocto-poky/meta/recipes-connectivity/openssh/openssh/init deleted file mode 100644 index 70d4a3465..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/init +++ /dev/null @@ -1,115 +0,0 @@ -#! /bin/sh -set -e - -PIDFILE=/var/run/sshd.pid - -# source function library -. /etc/init.d/functions - -# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon - -test -x /usr/sbin/sshd || exit 0 -( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 - -# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS -if test -f /etc/default/ssh; then - . /etc/default/ssh -fi - -[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh -mkdir -p $SYSCONFDIR - -HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key -HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key -HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key -HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key - -check_for_no_start() { - # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists - if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then - echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)" - exit 0 - fi -} - -check_privsep_dir() { - # Create the PrivSep empty dir if necessary - if [ ! -d /var/run/sshd ]; then - mkdir /var/run/sshd - chmod 0755 /var/run/sshd - fi -} - -check_config() { - /usr/sbin/sshd -t || exit 1 -} - -check_keys() { - # create keys if necessary - if [ ! -f $HOST_KEY_RSA ]; then - echo " generating ssh RSA key..." - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa - fi - if [ ! -f $HOST_KEY_ECDSA ]; then - echo " generating ssh ECDSA key..." - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa - fi - if [ ! -f $HOST_KEY_DSA ]; then - echo " generating ssh DSA key..." - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa - fi - if [ ! -f $HOST_KEY_ED25519 ]; then - echo " generating ssh ED25519 key..." - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 - fi -} - -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" - -case "$1" in - start) - check_for_no_start - echo "Starting OpenBSD Secure Shell server: sshd" - check_keys - check_privsep_dir - start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS - echo "done." - ;; - stop) - echo -n "Stopping OpenBSD Secure Shell server: sshd" - start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd - echo "." - ;; - - reload|force-reload) - check_for_no_start - check_keys - check_config - echo -n "Reloading OpenBSD Secure Shell server's configuration" - start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd - echo "." - ;; - - restart) - check_keys - check_config - echo -n "Restarting OpenBSD Secure Shell server: sshd" - start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd - check_for_no_start - check_privsep_dir - sleep 2 - start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS - echo "." - ;; - - status) - status /usr/sbin/sshd - exit $? - ;; - - *) - echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}" - exit 1 -esac - -exit 0 diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/run-ptest b/yocto-poky/meta/recipes-connectivity/openssh/openssh/run-ptest deleted file mode 100755 index 36a3d2a7b..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/run-ptest +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/sh - -export TEST_SHELL=sh - -cd regress -sed -i "/\t\tagent-ptrace /d" Makefile -make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ - | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' - -SSHAGENT=`which ssh-agent` -GDB=`which gdb` - -if [ -z "${SSHAGENT}" -o -z "${GDB}" ]; then - echo "SKIP: agent-ptrace" - exit -fi - -useradd openssh-test - -eval `su -c "${SSHAGENT} -s" openssh-test` > /dev/null -r=$? -if [ $r -ne 0 ]; then - echo "FAIL: could not start ssh-agent: exit code $r" -else - su -c "gdb -p ${SSH_AGENT_PID}" openssh-test > /tmp/gdb.out 2>&1 << EOF - quit -EOF - r=$? - if [ $r -ne 0 ]; then - echo "gdb failed: exit code $r" - fi - egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null /tmp/gdb.out - r=$? - rm -f /tmp/gdb.out - if [ $r -ne 0 ]; then - echo "FAIL: ptrace agent" - else - echo "PASS: ptrace agent" - fi - - ${SSHAGENT} -k > /dev/null -fi -userdel openssh-test - diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/ssh_config b/yocto-poky/meta/recipes-connectivity/openssh/openssh/ssh_config deleted file mode 100644 index 9e919156d..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/ssh_config +++ /dev/null @@ -1,48 +0,0 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -Host * - ForwardAgent yes - ForwardX11 yes -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com -# RekeyLimit 1G 1h diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd b/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd deleted file mode 100644 index 4882e58b4..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd +++ /dev/null @@ -1,10 +0,0 @@ -#%PAM-1.0 - -auth include common-auth -account required pam_nologin.so -account include common-account -password include common-password -session optional pam_keyinit.so force revoke -session include common-session -session required pam_loginuid.so - diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd.socket b/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd.socket deleted file mode 100644 index 12c39b26b..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd.socket +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Conflicts=sshd.service - -[Socket] -ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd -ListenStream=22 -Accept=yes - -[Install] -WantedBy=sockets.target diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd@.service b/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd@.service deleted file mode 100644 index 9d83dfb2b..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd@.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=OpenSSH Per-Connection Daemon -Wants=sshdgenkeys.service -After=sshdgenkeys.service - -[Service] -Environment="SSHD_OPTS=" -EnvironmentFile=-/etc/default/ssh -ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID -StandardInput=socket -StandardError=syslog -KillMode=process diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_config b/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_config deleted file mode 100644 index d48bd2b98..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_config +++ /dev/null @@ -1,133 +0,0 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Ciphers and keying -#RekeyLimit default none - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. -#PermitUserEnvironment no -Compression no -ClientAliveInterval 15 -ClientAliveCountMax 4 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service deleted file mode 100644 index 148e6ad63..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=OpenSSH Key Generation -RequiresMountsFor=/var /run -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key - -[Service] -Environment="SYSCONFDIR=/etc/ssh" -EnvironmentFile=-/etc/default/ssh -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 -Type=oneshot -RemainAfterExit=yes diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/yocto-poky/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd deleted file mode 100644 index a0d2af3c6..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd +++ /dev/null @@ -1,2 +0,0 @@ -d root root 0755 /var/run/sshd none -f root root 0644 /var/log/lastlog none diff --git a/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.1p2.bb deleted file mode 100644 index 3b5e28a1d..000000000 --- a/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.1p2.bb +++ /dev/null @@ -1,161 +0,0 @@ -SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement" -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ -Ssh (Secure Shell) is a program for logging into a remote machine \ -and for executing commands on a remote machine." -HOMEPAGE = "http://openssh.org" -SECTION = "console/network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" - -DEPENDS = "zlib openssl" -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ - file://sshd_config \ - file://ssh_config \ - file://init \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://sshd.socket \ - file://sshd@.service \ - file://sshdgenkeys.service \ - file://volatiles.99_sshd \ - file://add-test-support-for-busybox.patch \ - file://run-ptest \ - file://CVE-2016-1907_upstream_commit.patch \ - file://CVE-2016-1907_2.patch \ - file://CVE-2016-1907_3.patch " - -PAM_SRC_URI = "file://sshd" - -SRC_URI[md5sum] = "4d8547670e2a220d5ef805ad9e47acf2" -SRC_URI[sha256sum] = "dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd" - -inherit useradd update-rc.d update-alternatives systemd - -USERADD_PACKAGES = "${PN}-sshd" -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" -INITSCRIPT_PACKAGES = "${PN}-sshd" -INITSCRIPT_NAME_${PN}-sshd = "sshd" -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" - -SYSTEMD_PACKAGES = "${PN}-sshd" -SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" - -inherit autotools-brokensep ptest - -# LFS support: -CFLAGS += "-D__FILE_OFFSET_BITS=64" - -# login path is hardcoded in sshd -EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - --without-zlib-version-check \ - --with-privsep-path=/var/run/sshd \ - --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=/usr/bin/xauth \ - --disable-strip \ - " - -# Since we do not depend on libbsd, we do not want configure to use it -# just because it finds libutil.h. But, specifying --disable-libutil -# causes compile errors, so... -CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" - -# passwd path is hardcoded in sshd -CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" - -# We don't want to depend on libblockfile -CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" - -# This is a workaround for uclibc because including stdio.h -# pulls in pthreads.h and causes conflicts in function prototypes. -# This results in compilation failure, so unless this is fixed, -# disable pam for uclibc. -EXTRA_OECONF_append_libc-uclibc=" --without-pam" - -do_configure_prepend () { - export LD="${CC}" - install -m 0644 ${WORKDIR}/sshd_config ${B}/ - install -m 0644 ${WORKDIR}/ssh_config ${B}/ - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then - cp aclocal.m4 acinclude.m4 - fi -} - -do_compile_ptest() { - # skip regress/unittests/ binaries: this will silently skip - # unittests in run-ptests which is good because they are so slow. - oe_runmake regress/modpipe regress/setuid-allowed regress/netcat -} - -do_install_append () { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then - install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} - install -d ${D}/${sysconfdir}/default/volatiles - install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd - install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} - - # Create config files for read-only rootfs - install -d ${D}${sysconfdir}/ssh - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly - sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - - install -d ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system - install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - -e 's,@BINDIR@,${bindir},g' \ - ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service -} - -do_install_ptest () { - sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh - cp -r regress ${D}${PTEST_PATH} -} - -ALLOW_EMPTY_${PN} = "1" - -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" -FILES_${PN}-scp = "${bindir}/scp.${BPN}" -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" -FILES_${PN}-sftp = "${bindir}/sftp" -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" -FILES_${PN}-keygen = "${bindir}/ssh-keygen" - -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" -RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" - -RPROVIDES_${PN}-ssh = "ssh" -RPROVIDES_${PN}-sshd = "sshd" - -RCONFLICTS_${PN} = "dropbear" -RCONFLICTS_${PN}-sshd = "dropbear" -RCONFLICTS_${PN}-keygen = "ssh-keygen" - -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" - -ALTERNATIVE_PRIORITY = "90" -ALTERNATIVE_${PN}-scp = "scp" -ALTERNATIVE_${PN}-ssh = "ssh" - |
