Age | Commit message (Collapse) | Author |
|
Fixes [YOCTO #13796]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Backport a patch from upstream to fix CVE-2019-16905
https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8bd4b87071c073a0e4d265bc00df34684a355eff)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The LICENSE file states that some code is licensed under BSD, some under
ISC, and some under MIT. The LICENSE field should reflect all of these.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Changes to libxcrypt revealed a missing dependency in the openssh recipe.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Pointer arithmatic results in implementation defined signed integer
type, so that 'd - dst’ in strlcat may trigger signed overflow if
pointer ‘d’ is near 0x7fffffff in 32 bits system. In case of ompilation
by gcc or clang with -ftrapv option, the overflow would generate
program abort.
Signed-off-by: hguo3 <heng.guo@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In minimal images the agent-ptrace test is skipped unless gdb is
installed which explains the difference in test counts. We don't
want a build dependency on gdb and the test isn't critical so just
document the dependency.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This fixes the openssh tests in minimal images since they use options
not present in the busybox versions of the commands.
[YOCTO #13295]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upgrade from openssh_7.9p1.bb to openssh_8.0p1.bb.
-openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch
-openssh/CVE-2018-20685.patch
-openssh/CVE-2019-6109.patch
-openssh/CVE-2019-6111.patch
-Removed since these are included in 8.0p1.
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Without this we see test failures due to the sudo binary being missing.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Avoid the warning:
WARNING: Nothing RPROVIDES 'nativesdk-rng-tools' (but virtual:nativesdk:/home/pokybuild/yocto-worker/build-appliance/build/meta/recipes-connectivity/openssh/openssh_7.9p1.bb RDEPENDS on or otherwise requires it)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Since openssl 1.1.1 and openssh which uses it, sshd
startup is delayed. The delays range from few seconds
to minutes and even to hours. The delays are visible
in host keys generation and when sshd process is started
in response to incoming TCP connection but is failing
to provide SSH version string and clients or tests time out.
In all cases traces show that sshd is waiting for getentropy()
system call to return from Linux kernel, which returns only
after kernel side random number pool is initialized. The pool
is initialized via various entropy source which may be
missing on embedded development boards or via rngd from
rng-tools package from userspace. HW random number generation
and kernel support help but rngd is till needed to feed that data
back to the Linux kernel.
Example from an NXP imx8 board shows that kernel random number pool
initialization can take over 400 seconds without rngd,
and with rngd it is initialized at around 4 seconds after boot.
The completion of initialization is visible in kernel dmesg with line
"random: crng init done".
More details are available from:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912087
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897572
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=43838a23a05fbd13e47d750d3dfd77001536dd33
* http://www.man7.org/linux/man-pages/man2/getrandom.2.html
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Cc: Mark Hatle <mark.hatle@windriver.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix some missing or corrupted patch Upstream-Status values.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Also backport a patch to fix issues introduced by fix for CVE-2019-6109.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We need to run sed with the -u option to ensure the output is unbuffered else
ptest-runner may timeout thinkig things were idle. Busybox doesn't have the -u
option so we need to RDEPEND on sed (which is a good thing to do if we use it
anyway).
Alex Kanavin should get credit for discovering the problem.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This was change to git recently to obtain openssl 1.1 compatible pre-release code
(before 7.9 was out), however tarballs are preferred, and with them upstream version
checks work (openssh uses a weird git tag scheme).
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
see: https://lwn.net/Articles/768991/
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
- Convert from tarball to git repository which support
openssl 1.1.x
- There is no specific minor version that contains the
openssl fix (it was merged to master a few days agao),
rename recipe version to `7.8p1+git'
- Fix regression test binaries missing
In commit `1f7aaf7 openssh: build regression test binaries', it build
regression test binaries, since upstream add two binaries in commits
`c59aca8 Create control sockets in clean temp directories' and
`1acc058 Disable tests where fs perms are incorrect', we should update
do_compile_ptest.
[ptest log]
|/usr/lib/openssh/ptest/regress/test-exec.sh: line 330: /usr/lib/openssh/
ptest/regress/mkdtemp: No such file or directory
[ptest log]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop the disable-ciphers patch since it has been integrated:
cec33896 Omit 3des-cbc if OpenSSL built without DES.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
And use bitbake variables for install paths to fix nativesdk-openssh
compilation.
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously sshd_check_keys would create a full set of all possible
sshd host keys, even if sshd_config has been set to only enable
certain key types.
Update sshd_check_keys to only create keys which have been enabled in
sshd_config (with a fallback to creating a full set of key types if
no HostKey options are defined, as before).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Changes are mostly related to the removal of support for SSH v.1
protocol, which was dropped from openssh sshd in 7.4p1:
https://www.openssh.com/txt/release-7.4
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssh sshd init script contains a mix of indent styles, mostly
inherited from the Debian script from which it is derived. Leave the
indent from Debian as-is, but for lines which are OE specific (e.g.
where Debian's log_daemon_msg helper has been replaced with echo)
make the indent consistent with surrounding lines.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The "ssh-keygen" package no longer seems to be provided by any recipe
in oe-core or meta-oe, so there's no clear reason for the
openssh-keygen package to conflict with it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Openssh takes care of enabling large-file support automatically via
the AC_SYS_LARGEFILE in the configure.ac, so additional help from the
recipe is not required.
Even if it were once required, defining __FILE_OFFSET_BITS (ie with
double leading underscores) looks like a typo and probably never had
any effect anyway?
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
DSA keys have been deprecated for some time:
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
While compiling openssl with option `no-des', it caused the openssh
build failure
...
cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a function);
...
OpenSSL configured that way defines OPENSSL_NO_DES to disable des
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Remove unused patch:
0001-openssh-Fix-syntax-error-on-x32.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
musl doesn't implement wtmp/utmp.
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Instead, just stop running aclocal.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
LICENSE changed do to name being added
removed patches included in some form
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Generating the host keys atomically prevents power interruptions during the
first boot from leaving the key files incomplete, which often prevents users
from being able to ssh into the device.
[YOCTO #11671]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
106b59d9 broke SSH host key generation when systemd and a read-only root file
system are in use because there isn't a way for systemd to get the optional
weak assigment of SYSCONFDIR from /etc/default/sshd and still provide a default
value if it is not specified. Instead, move the logic for determining if keys
need to be created to a helper script that both the SysV init script and the
systemd unit file can reference.
This does mean that the systemd unit file can't check for file existence to
know if it should start the service, but it wasn't able to do that correctly
anyway anymore. This should be a problem since the serivce is only run once per
power cycle by systemd, and should exit quickly if the keys already exist
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix compilation error during openssh x32 build due to syntax error.
Signed-off-by: sweeaun <swee.aun.khor@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The proposed openssl 1.1 patches are here:
https://github.com/openssh/openssh-portable/pull/48
Openssl maintainers are not in a hurry to get 1.1 support in;
if it doesn't show up within reasonable time, we can take a patch
from Fedora:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035454.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The UsePrivilegeSeparation is no longer supported (recent SSHD always runs
with previlege separation), so remove this option from the default config
file to avoid this warning:
/etc/ssh/sshd_config line 110: Deprecated option UsePrivilegeSeparation
Signed-off-by: Gary Thomas <gary@mlbassoc.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix a variety of spelling and format mistakes to improve the ease of reading the
tags programatically.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.
uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
With these changes it is possible to have a .bbappend that
- sets SYSCONFDIR to some persistent storage
- modifies SYSCONFDIR/sshd_config to use ssh host keys from
the (writable) sysconfdir
Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Stephane Ayotte <sayotte@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1. Drop CVE patch: fix-CVE-2016-8858.patch, because the version 7.4p1 have
been fixed it.
2. Rebase the remaining patchs on the version 7.4p1.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patch to fix CVE-2016-8858 of openssh.
Ref:
https://bugzilla.redhat.com/show_bug.cgi?id=1384860
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed overflow.
In case of compilation by gcc or clang with -ftrapv option, the overflow
would lead to program abort.
Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608]
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Remove CVE-2015-8325.patch as it's included upstream. Rebase another
patch.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
It's simply been missing.
Signed-off-by: André Draszik <git@andred.net>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
After openssl disabled DES, openssh fails to build
for some DES codes are not wrapped in conditional
compile statement "#ifndef OPENSSL_NO_DES" and "#endif".
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
restart in the init script uses the check_config() function which doesn't have
the $SSHD_OPTS passed through. This causes it to check the wrong config (and
fail when read-only-rootfs is enabled.
Signed-off-by: Matthew Campbell <mcampbell@izotope.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The homepage variable is out of date and the summary does not mention
ssh, making the recipe difficult to find.
[ YOCTO #9610 ]
Signed-off-by: Stephano Cetola <stephano.cetola@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|