| Age | Commit message (Collapse) | Author |
|---|
|
openssh < 7.2p2
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
openssh < 7.3
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
affects openssh < 7.3
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
restart in the init script uses the check_config() function which doesn't have
the $SSHD_OPTS passed through. This causes it to check the wrong config (and
fail when read-only-rootfs is enabled.
(From OE-Core rev: cb6f78072deb8b8c22baf5c31c3bd19d7e0af236)
Signed-off-by: Matthew Campbell <mcampbell@izotope.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 772ba8d865c1e7b62496df6b8eac73b367a4dc20)
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
The OpenBSD FTP server isn't accepting connections from wget, which breaks
fetches. Luckily they also have a HTTP server on the same host.
[ YOCTO #9628 ]
(From OE-Core rev: 8b10f0af3c434145b460fd5d7a9f394dc1284260)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
opehssh <= 7.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Without the exit there will be a SKIP and a FAIL for the same test.
Also fix typo in a message.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
[YOCTO #9049]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This issue requires three commits:
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This fixes a number of security issues.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ssh-agent regression test case should be run by non-root user,
but non-root user will has issue to run other testcase, so
rewrite it on run-ptest
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
When distro feature x11 is set, it is better enable X11Forwarding for
ssh daemon. For contrast, dropbear enable X11 forward by default.
It does NOT need to modify ${WORKDIR}/sshd_config, so drop the modification.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The file permission should be 0644 instead of 0755.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
[YOCTO #8365]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is a bugfix release.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ptests were failing and many more were being silently skipped because
required binaries were not being built.
Build the binaries in regress/ and set SUDO environment variable in
run-ptests: after this all tests in regress/ are now run. Continue to
skip building binaries in regress/unittests/: unittest runtime is
excessive.
On a NUC running intel-corei7-64 core-image-sato, new results are:
PASS: 55, SKIP: 3, FAIL: 0
[YOCTO #8153]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
7.0p1 includes the fix for CVE-2015-5600, and release note is in:
http://www.openssh.com/txt/release-7.0
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
6.9p1 is primarily a bugfix release.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch fixes the login fails for ssh -o Batchmode=yes when passwords is
empty and without authorized_keys file even if set "PermitEmptyPasswords yes"
in sshd_config file.
Here, to fix this issue, we remove the file auth2-none.c-avoid-authenticate-
empty-passwords-to-m.patch, that fixed broken pipe while sshd with pam,
but it isn't needed any more now, because we make it has gone by change
ChallengeResponseAuthentication value in sshd_config file.
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Its a major releaseof openssh, should be fully
compatible with 6.7 additionally works with musl
Change-Id: I903d31247b8a318b9be1c21f764ffe56b5971ca9
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If maillock.h is found, a dependency on liblockfile will be created.
liblockfile is in meta-oe, so we don't want that in an oe-core recipe.
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Rebase sshd_config and ssh_config with openssh upstream.
Check for the ed25519 key in the systemd keygen service.
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Deliver script ssh-copy-id from openssh which is useful to add an
authorized ssh key.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* Drop two CVE patches already handled upstream.
* Drop nostrip.patch which no longer applies and use the existing
--disable-strip configure option instead.
* OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the
Debian patch to add support back in, but it seems best to follow
upstream here unless we have a good reason to do otherwise.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Using the export LD in the recipe does not allow for secodnary toolchain
overriding LD later, by setting it in the do_configure_append the export
is used by autotools setting LD based on the env, but would allow for
override later.
[YOCTO #6997]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Currently, we install our own ssh_config and sshd_config into ${S} in
do_compile_append() task. So when finishing compiling, their .out files
are generated by the original files, rather than by our own files.
In most cases, installing "$(CONFIGFILES)" in Makefile will generate .out
files again, and then installing "install-sysconf", which will install
these two files into $(DESTDIR), thus we get what we expect.
However, when parallel installing, "install-sysconf" may be installed
before "$(CONFIGFILES)" sometimes. In this rare case, the .out files
generated in the first time rather than those in the second time will be
installed into $(DESTDIR), and thus we get an unexpect result.
This patch fixes this bug through transfering the installing of our own
files from do_compile_append() into do_configure_prepend().
Signed-off-by: Zheng Junling <zhengjunling@huawei.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch was part of the 6.6p1 release.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Tell systemd just to kill the sshd process when the ssh connection drops
instead of the entire cgroup for sshd, so that any screen sessions (and
more to the point, processes within them) do not get killed.
(This is what the Fedora sshd service file does, and what we're already
doing in the dropbear service file).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Stopping sshd must only kill the listening (top-level) daemon; it must
not stop any other sshd process, because those are forked ssh
connections which may include e.g. the connection that called
/etc/init.d/sshd stop.
This initscript uses "start-stop-daemon -x <exe>" for starting/stopping.
When that is provided by busybox, this behavior is broken:
`/etc/init.d/sshd stop` stops *all* sshd processes. This was caused by a
fix to busybox 1.20: 17eedcad9406c43beddab3906c8c693626c351fb
"ssd: compat: match -x EXECUTABLE by /proc/pid/exe too".
The fix is to use a pidfile. All initscripts in upstream openssh do this,
as does dropbear.
Acked-by: Gratian Crisan <gratian.crisan@ni.com>
Acked-by: Ken Sharp <ken.sharp@ni.com>
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously, even if PAM is enabled for ssh, the daemon still tries to
authenticate an empty password. This leads to authentication failure
which would mess up with PAM modules.
As a result, if 'UsePAM', 'PermitEmptyPasswords' and 'PasswordAuthentication'
are enabled, no user can login correctly. We would meet the following error
message at the client side.
Write failed: Broken Pipe
This patch fixes the above problem by checking whether PAM is enabled before
authenticating an empty password. After all, if PAM is enabled, the task of
authenticating passwords should be handled to PAM modules.
[YOCTO #6466]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and
earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking
by presenting an unacceptable HostCertificate.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The /var/log/messages reports /var/log/lastlog as missing, since openssh
needs this file, create it as a volatile.
[YOCTO #6172]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Install openssh test-suite and run it as ptest.
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If you do a readelf -x .rodata /path/.../to/openssh/6.5p1-r0/packages-split/openssh-sshd/usr/sbin/sshd
You'll see two references to OE's sysroots/${BUILD_SYS} login and passwd binaries.
First one can be overridden with LOGIN_PROGRAM environment variable (see configure.ac),
second needs a cached variable definition.
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The readonly sshd config sshd_config_readonly needs to be created from
the installed sshd_config as make install will adjust the paths in
the config file. This fixes the path for sftp-server being correct
in sshd_config but incorrect in sshd_config_readonly.
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We do not DEPEND on libbsd, so we do not want to
build with it just because libutil.h is found by configure.
As noted in the patch, specifying --disable-libutil to
configure does not work, so we provide "cached" configure
variables.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[YOCTO #5983]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch goes through the OE-Core recipes and marks those which use autotools
but don't support a separate build directory (${S} != ${B}). A new class,
autotools-brokensep is used for this purpose.
This doesn't introduce any change in behaviour in its own right.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Everything is setup to use PAM except for the server config. If 'pam' is
in DISTRO_FEATURES the configs will be changed to enable it.
Syslog will now show:
Feb 19 09:28:36 beast sshd[2980]: pam_unix(sshd:session): session opened for user koen by (uid=0)
And more importantly:
koen@beast:~$ loginctl
SESSION UID USER SEAT
c1 1000 koen seat0
c3 1000 koen seat0
c13 1000 koen
3 sessions listed.
Systemd now registers the session properly so it won't kill things like 'screen'
and 'tmux' when disconnecting the ssh session.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
/etc/pam.d/opensshd lists keyinit and uid as required, so add them to
RDEPENDS when PAM is enabled.
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Without this PAM integration is broken after installing openssh-sshd
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Instead of manually adding initscripts to RDEPENDS of each package,
we should make it automatically handled by the update-rc.d.bbclass.
This solution would have the benefit of backward compatibility. In
other words, users need not modify their recipes.
This reverts commit 16080a3485bd793edd66ed8361f1e8b86a9e19ea.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
This patch contains a few fixes for the systemd unit files of openssh.
The fixes use the same unit files in Fedora 20 as a reference.
1) Remove sshdgenkeys.service and sshd@.service from SYSTEMD_SERVICE.
2) Fix the dependency and logic of sshdgenkeys.service.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Now that the initscripts-functions has been packaged separately,
packages which may use the functions script should have a runtime
dependency on it.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ssh-rand-helper was removed in OpenSSH 6.0 according to the upstream
changelog, so the configure option to enable/disable it was removed.
Fixes the following warning:
WARNING: QA Issue: openssh: configure was passed unrecognised options: --with-rand-helper
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Armin Kuster
Matthew Campbell
Ross Burton
Jussi Kukkonen
Alexander Kanavin
Roy Li
Kai Kang
Chen Qi
Wenlin Kang
Khem Raj
Dan McGregor
Paul Eggleton
Saul Wold
Zheng Junling
Richard Tollerton
Otavio Salvador
Maxin B. John
Matthieu Crapet
Jonathan Liu
Joe Slater
Richard Purdie
Koen Kooi