aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh
Commit message (Collapse)AuthorAgeFilesLines
* openssh: configuration updatesDan McGregor2015-02-033-9/+26
| | | | | | | | Rebase sshd_config and ssh_config with openssh upstream. Check for the ed25519 key in the systemd keygen service. Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca> Signed-off-by: Ross Burton <ross.burton@intel.com>
* openssh: deliver ssh-copy-idKai Kang2015-01-161-0/+1
| | | | | | | | Deliver script ssh-copy-id from openssh which is useful to add an authorized ssh key. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade to 6.7p1Paul Eggleton2015-01-074-172/+5
| | | | | | | | | | | * Drop two CVE patches already handled upstream. * Drop nostrip.patch which no longer applies and use the existing --disable-strip configure option instead. * OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the Debian patch to add support back in, but it seems best to follow upstream here unless we have a good reason to do otherwise. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* openssh: move setting LD to allow for correct overrideSaul Wold2014-12-191-1/+1
| | | | | | | | | | | | Using the export LD in the recipe does not allow for secodnary toolchain overriding LD later, by setting it in the do_configure_append the export is used by autotools setting LD based on the env, but would allow for override later. [YOCTO #6997] Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* openssh: fix using the original config files in srcdirZheng Junling2014-12-051-5/+2
| | | | | | | | | | | | | | | | | | | | | Currently, we install our own ssh_config and sshd_config into ${S} in do_compile_append() task. So when finishing compiling, their .out files are generated by the original files, rather than by our own files. In most cases, installing "$(CONFIGFILES)" in Makefile will generate .out files again, and then installing "install-sysconf", which will install these two files into $(DESTDIR), thus we get what we expect. However, when parallel installing, "install-sysconf" may be installed before "$(CONFIGFILES)" sometimes. In this rare case, the .out files generated in the first time rather than those in the second time will be installed into $(DESTDIR), and thus we get an unexpect result. This patch fixes this bug through transfering the installing of our own files from do_compile_append() into do_configure_prepend(). Signed-off-by: Zheng Junling <zhengjunling@huawei.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* openssh: drop already applied patchPaul Eggleton2014-11-202-23/+0
| | | | | | | This patch was part of the 6.6p1 release. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: avoid screen sessions being killed on disconnect with systemdPaul Eggleton2014-10-181-0/+1
| | | | | | | | | | | | Tell systemd just to kill the sshd process when the ssh connection drops instead of the entire cgroup for sshd, so that any screen sessions (and more to the point, processes within them) do not get killed. (This is what the Fedora sshd service file does, and what we're already doing in the dropbear service file). Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* openssh: use pidfile in initscriptRichard Tollerton2014-07-191-5/+7
| | | | | | | | | | | | | | | | | | | | | | Stopping sshd must only kill the listening (top-level) daemon; it must not stop any other sshd process, because those are forked ssh connections which may include e.g. the connection that called /etc/init.d/sshd stop. This initscript uses "start-stop-daemon -x <exe>" for starting/stopping. When that is provided by busybox, this behavior is broken: `/etc/init.d/sshd stop` stops *all* sshd processes. This was caused by a fix to busybox 1.20: 17eedcad9406c43beddab3906c8c693626c351fb "ssd: compat: match -x EXECUTABLE by /proc/pid/exe too". The fix is to use a pidfile. All initscripts in upstream openssh do this, as does dropbear. Acked-by: Gratian Crisan <gratian.crisan@ni.com> Acked-by: Ken Sharp <ken.sharp@ni.com> Signed-off-by: Richard Tollerton <rich.tollerton@ni.com> Signed-off-by: Ben Shelton <ben.shelton@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: avoid checking empty passwords to mess up with PAM modulesChen Qi2014-07-032-1/+32
| | | | | | | | | | | | | | | | | | | | | Previously, even if PAM is enabled for ssh, the daemon still tries to authenticate an empty password. This leads to authentication failure which would mess up with PAM modules. As a result, if 'UsePAM', 'PermitEmptyPasswords' and 'PasswordAuthentication' are enabled, no user can login correctly. We would meet the following error message at the client side. Write failed: Broken Pipe This patch fixes the above problem by checking whether PAM is enabled before authenticating an empty password. After all, if PAM is enabled, the task of authenticating passwords should be handled to PAM modules. [YOCTO #6466] Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: move packaging definitions to the endPaul Eggleton2014-05-151-7/+7
| | | | | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: update to 6.6p1Paul Eggleton2014-05-151-2/+2
| | | | | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: fix for CVE-2014-2653Chen Qi2014-05-132-1/+116
| | | | | | | | | The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: fix for CVE-2014-2532Chen Qi2014-05-132-1/+24
| | | | | | | | | | sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: add /var/log/lastlog to volatile listSaul Wold2014-05-081-0/+1
| | | | | | | | | The /var/log/messages reports /var/log/lastlog as missing, since openssh needs this file, create it as a volatile. [YOCTO #6172] Signed-off-by: Saul Wold <sgw@linux.intel.com>
* Globally replace 'base_contains' calls with 'bb.utils.contains'Otavio Salvador2014-04-251-5/+5
| | | | | | | | | The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: enable ptest supportMaxin B. John2014-04-253-2/+78
| | | | | | | Install openssh test-suite and run it as ptest. Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh-sshd: host contamination fixMatthieu Crapet2014-04-231-5/+7
| | | | | | | | | | | If you do a readelf -x .rodata /path/.../to/openssh/6.5p1-r0/packages-split/openssh-sshd/usr/sbin/sshd You'll see two references to OE's sysroots/${BUILD_SYS} login and passwd binaries. First one can be overridden with LOGIN_PROGRAM environment variable (see configure.ac), second needs a cached variable definition. Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: fix sshd_config_readonly creationJonathan Liu2014-04-101-1/+1
| | | | | | | | | | The readonly sshd config sshd_config_readonly needs to be created from the installed sshd_config as make install will adjust the paths in the config file. This fixes the path for sftp-server being correct in sshd_config but incorrect in sshd_config_readonly. Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: build without libbsdJoe Slater2014-03-311-0/+6
| | | | | | | | | | | We do not DEPEND on libbsd, so we do not want to build with it just because libutil.h is found by configure. As noted in the patch, specifying --disable-libutil to configure does not work, so we provide "cached" configure variables. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: Update init file to add ED25519 Key generationSaul Wold2014-03-191-1/+6
| | | | | | | [YOCTO #5983] Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade to 6.5p1Paul Eggleton2014-02-2811-2/+2
| | | | | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* autotools-brokensep: Mark recipes with broken separate build dir supportRichard Purdie2014-02-281-1/+1
| | | | | | | | | | This patch goes through the OE-Core recipes and marks those which use autotools but don't support a separate build directory (${S} != ${B}). A new class, autotools-brokensep is used for this purpose. This doesn't introduce any change in behaviour in its own right. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: enable PAM at runtime based on DISTRO_FEATURESKoen Kooi2014-02-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Everything is setup to use PAM except for the server config. If 'pam' is in DISTRO_FEATURES the configs will be changed to enable it. Syslog will now show: Feb 19 09:28:36 beast sshd[2980]: pam_unix(sshd:session): session opened for user koen by (uid=0) And more importantly: koen@beast:~$ loginctl SESSION UID USER SEAT c1 1000 koen seat0 c3 1000 koen seat0 c13 1000 koen 3 sessions listed. Systemd now registers the session properly so it won't kill things like 'screen' and 'tmux' when disconnecting the ssh session. Signed-off-by: Koen Kooi <koen.kooi@linaro.org> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: drag in required PAM modules.Koen Kooi2014-02-081-1/+2
| | | | | | | | /etc/pam.d/opensshd lists keyinit and uid as required, so add them to RDEPENDS when PAM is enabled. Signed-off-by: Koen Kooi <koen@dominion.thruhere.net> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: package sshd PAM config inside openssh-sshd packageKoen Kooi2014-02-081-1/+1
| | | | | | | Without this PAM integration is broken after installing openssh-sshd Signed-off-by: Koen Kooi <koen@dominion.thruhere.net> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* Revert "Add missing RDEPENDS of initscripts-functions"Chen Qi2014-02-021-1/+1
| | | | | | | | | | | | Instead of manually adding initscripts to RDEPENDS of each package, we should make it automatically handled by the update-rc.d.bbclass. This solution would have the benefit of backward compatibility. In other words, users need not modify their recipes. This reverts commit 16080a3485bd793edd66ed8361f1e8b86a9e19ea. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: fixes for systemdChen Qi2014-01-284-7/+7
| | | | | | | | | | | This patch contains a few fixes for the systemd unit files of openssh. The fixes use the same unit files in Fedora 20 as a reference. 1) Remove sshdgenkeys.service and sshd@.service from SYSTEMD_SERVICE. 2) Fix the dependency and logic of sshdgenkeys.service. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* Add missing RDEPENDS of initscripts-functionsChen Qi2014-01-061-1/+1
| | | | | | | | | Now that the initscripts-functions has been packaged separately, packages which may use the functions script should have a runtime dependency on it. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: remove unrecognised configure optionPaul Eggleton2013-12-051-2/+1
| | | | | | | | | | | ssh-rand-helper was removed in OpenSSH 6.0 according to the upstream changelog, so the configure option to enable/disable it was removed. Fixes the following warning: WARNING: QA Issue: openssh: configure was passed unrecognised options: --with-rand-helper Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/recipes: More optimal DISTRO_FEATURES referencesRichard Purdie2013-12-051-7/+5
| | | | | | | Using the contains function results in more optimal sstate checksums resulting in better cache reuse as we as more consistent code. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade to 6.4p1Paul Eggleton2013-11-1211-2/+2
| | | | | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: upgrade to 6.3p1Paul Eggleton2013-10-2912-80/+2
| | | | | | | | Removed the following backported patch(es): * mac.patch Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: fix sshd status command error promptQiang Chen2013-10-181-1/+1
| | | | | | | | | | | | | | | | | sshd status command results in error prompt: root@qemu0:~# /etc/init.d/sshd status /usr/sbin/sshd (pid 1199) is running... /etc/init.d/sshd: line 100: return: can only `return' from a function or sourced script "service --status-all" command also display wrong status for sshd. This commit fix this error prompt and make service command display right status for sshd. Signed-off-by: Qiang Chen <qiang.chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: use volatiles for managing /var/run/sshdMing Liu2013-09-172-2/+7
| | | | | | | | | | | It fixes the following failure: "fatal: Missing privilege separation directory: /var/run/sshd" when sshd is started through xinetd. Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: Add systemd supportMuhammad Shakeel2013-09-104-2/+47
| | | | | | | | -Remove dependency on meta-systemd Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: add init.d/sshd status command for LSB complianceJackie Huang2013-08-261-1/+9
| | | | | | Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: fix for read-only rootfsChen Qi2013-08-162-8/+23
| | | | | | | | | | | | | | | | | | | | | If the rootfs is read-only and the ssh keys are not available at system start-up, the init script will generate ssh keys into /etc/ssh, thus causing a 'read-only file system' error. In order for Yocto based image to work correctly for read-only rootfs, we use the following logic for openssh. If the rootfs is read-only and there are pre-generated keys under /etc/ssh, we use the pre-generated keys. Note the pre-generated keys are mainly for debugging or development purpose. If the rootfs is read-only and there are no pre-generated keys under /etc/ssh, we use /var/run/ssh as the location for ssh keys. That is, at system boot-up, the generated ssh keys will put into /var/run/ssh. [YOCTO #4887] Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: Added Upstream Status to openssh-CVE-2011-4327Andrei Dinu2013-07-271-0/+2
| | | | | | | | | | Updated Upstream Status to openssh patch. Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> [sgw - Fixed commit line] Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: fix initscript restart commandMarc Ferland2013-07-021-1/+1
| | | | | | | | start-stop-daemon should be called with '--oknodo' instead of '-oknodo'. Signed-off-by: Marc Ferland <ferlandm@sonatest.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: obey 'tcp-wrappers' PACKAGECONFIGRoy.Li2013-06-171-0/+3
| | | | | Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: fix a unaligned memory access issueRoy.Li2013-06-172-0/+77
| | | | | | | Backport patch to fix segment fault due to unaligned memory access Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh : upgrade to 6.2p2Andrei Dinu2013-06-107-2/+3
| | | | | | | upgrade from 6.2p1 -> 6.2p2 Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh : upgrade to 6.2p1Andrei Dinu2013-04-287-2/+2
| | | | | | | from 6.1p1 -> 6.2p1 Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: don't add update-rc.d to RDEPENDSMartin Jansa2013-04-021-2/+1
| | | | | | | | | | * sysvinit/systemd assumes that update-rc.d can be inhibited * with systemd enabled, sysvinit scripts are missing in packages and update-rc.d needs to be put in BAD_RECOMMENDATIONS to prevent update-rc.d trying to install them in postinst * update-rd.c shouldn't be in DEPENDS Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: fix RPROVIDESMartin Jansa2013-02-041-1/+2
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh : upgrade to 6.1p1Andrei Dinu2013-01-287-3/+3
| | | | | Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: CVE-2011-4327Li Wang2012-11-282-1/+29
| | | | | | | | | | | | | | | | | | A security flaw was found in the way ssh-keysign, a ssh helper program for host based authentication, attempted to retrieve enough entropy information on configurations that lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would be executed to retrieve the entropy from the system environment). A local attacker could use this flaw to obtain unauthorized access to host keys via ptrace(2) process trace attached to the 'ssh-rand-helper' program. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 http://www.openssh.com/txt/portable-keysign-rand-helper.adv [YOCTO #3493] Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: openssh's init fails to restart if sshd is not runningAmy Fong2012-08-171-1/+1
| | | | | | | | | | | openssh: openssh's init fails to restart if sshd is not running Because of "set -e", it's necessary to specify the -o (or --oknodo) so that start-stop-daemon returns an exit status of 0 if no actions are taken. Signed-off-by: Amy Fong <amy.fong@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: cleanup update-alternatives deprecated codeSaul Wold2012-08-151-4/+0
| | | | Signed-off-by: Saul Wold <sgw@linux.intel.com>
* openssh: use ${localstatedir} instead of /var for packagingJavier Martinez Canillas2012-08-061-2/+2
| | | | | | | | It is considered good practice to use the build system provided variables instead of directly specify hardcoded paths. Signed-off-by: Javier Martinez Canillas <javier@dowhile0.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>