LICENSE changed do to name being added
removed patches included in some form
(From OE-Core rev: 88770be201678bf1906e27d72e840de2cd4c43f0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Generating the host keys atomically prevents power interruptions during the
first boot from leaving the key files incomplete, which often prevents users
from being able to ssh into the device.
[YOCTO #11671]
(From OE-Core rev: 221b40f1f08ee23511ba078a1efd01686922e932)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
106b59d9 broke SSH host key generation when systemd and a read-only root file
system are in use because there isn't a way for systemd to get the optional
weak assigment of SYSCONFDIR from /etc/default/sshd and still provide a default
value if it is not specified. Instead, move the logic for determining if keys
need to be created to a helper script that both the SysV init script and the
systemd unit file can reference.
This does mean that the systemd unit file can't check for file existence to
know if it should start the service, but it wasn't able to do that correctly
anyway anymore. This should be a problem since the serivce is only run once per
power cycle by systemd, and should exit quickly if the keys already exist
(From OE-Core rev: 7e49c5879862253ae1b6a26535d07a2740a95798)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The UsePrivilegeSeparation is no longer supported (recent SSHD always runs
with previlege separation), so remove this option from the default config
file to avoid this warning:
/etc/ssh/sshd_config line 110: Deprecated option UsePrivilegeSeparation
(From OE-Core rev: 8ee1c567b67ec55be0fa2fbcef3d5e8fb4e82709)
Signed-off-by: Gary Thomas <gary@mlbassoc.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of spelling and format mistakes to improve the ease of reading the
tags programatically.
(From OE-Core rev: 6e1aaf80b0d951b48cd25cb7161ec19448295094)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.
uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.
(From OE-Core rev: 653704e9cf325cb494eb23facca19e9f05132ffd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With these changes it is possible to have a .bbappend that
- sets SYSCONFDIR to some persistent storage
- modifies SYSCONFDIR/sshd_config to use ssh host keys from
the (writable) sysconfdir
(From OE-Core rev: 106b59d9f96f70d133fa1421091ad280d27a5b6a)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Stephane Ayotte <sayotte@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1. Drop CVE patch: fix-CVE-2016-8858.patch, because the version 7.4p1 have
been fixed it.
2. Rebase the remaining patchs on the version 7.4p1.
(From OE-Core rev: b648b382046bd94f0cf5fe0aa4b77ab250f126cd)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed overflow.
In case of compilation by gcc or clang with -ftrapv option, the overflow
would lead to program abort.
Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608]
(From OE-Core rev: 2ce02941300aa3e826df0c59fd8d4ce19950028e)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After openssl disabled DES, openssh fails to build
for some DES codes are not wrapped in conditional
compile statement "#ifndef OPENSSL_NO_DES" and "#endif".
(From OE-Core rev: cd9c62461e837967dd29a532d32990c23350acf8)
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
restart in the init script uses the check_config() function which doesn't have
the $SSHD_OPTS passed through. This causes it to check the wrong config (and
fail when read-only-rootfs is enabled.
(From OE-Core rev: cb6f78072deb8b8c22baf5c31c3bd19d7e0af236)
Signed-off-by: Matthew Campbell <mcampbell@izotope.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The homepage variable is out of date and the summary does not mention
ssh, making the recipe difficult to find.
[ YOCTO #9610 ]
(From OE-Core rev: ce84dc09172b98ce1162e536db17148a67ba2be1)
Signed-off-by: Stephano Cetola <stephano.cetola@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PAM environment vars must be ignored when UseLogin=yes
(From OE-Core rev: 0a06be81cb650def54a4c2059bd728c75954306f)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The OpenBSD FTP server isn't accepting connections from wget, which breaks
fetches. Luckily they also have a HTTP server on the same host.
[ YOCTO #9628 ]
(From OE-Core rev: 8b10f0af3c434145b460fd5d7a9f394dc1284260)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Without the exit there will be a SKIP and a FAIL for the same test.
Also fix typo in a message.
(From OE-Core rev: d44a2ec730fe52d2266c5e4d184cd4c881e172d1)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ssh-agent regression test case should be run by non-root user,
but non-root user will has issue to run other testcase, so
rewrite it on run-ptest
(From OE-Core rev: 5ca6bb9b73bf09c1847ec3e5a7477829bd3d77b5)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When distro feature x11 is set, it is better enable X11Forwarding for
ssh daemon. For contrast, dropbear enable X11 forward by default.
It does NOT need to modify ${WORKDIR}/sshd_config, so drop the modification.
(From OE-Core rev: 0dc68d745f97753fc9fde896f6ee1943c1e071b3)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptests were failing and many more were being silently skipped because
required binaries were not being built.
Build the binaries in regress/ and set SUDO environment variable in
run-ptests: after this all tests in regress/ are now run. Continue to
skip building binaries in regress/unittests/: unittest runtime is
excessive.
On a NUC running intel-corei7-64 core-image-sato, new results are:
PASS: 55, SKIP: 3, FAIL: 0
[YOCTO #8153]
(From OE-Core rev: 1f7aaf76f4aa7875f05f4b838a5ec4594a4c35dc)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch fixes the login fails for ssh -o Batchmode=yes when passwords is
empty and without authorized_keys file even if set "PermitEmptyPasswords yes"
in sshd_config file.
Here, to fix this issue, we remove the file auth2-none.c-avoid-authenticate-
empty-passwords-to-m.patch, that fixed broken pipe while sshd with pam,
but it isn't needed any more now, because we make it has gone by change
ChallengeResponseAuthentication value in sshd_config file.
(From OE-Core rev: f879a7406d8fce37e8baf5fe724d7ed0042d57f8)
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Its a major releaseof openssh, should be fully
compatible with 6.7 additionally works with musl
Change-Id: I903d31247b8a318b9be1c21f764ffe56b5971ca9
(From OE-Core rev: 4ac2974f463f8e2970d9e44e3b273c672a3cab8c)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If maillock.h is found, a dependency on liblockfile will be created.
liblockfile is in meta-oe, so we don't want that in an oe-core recipe.
(From OE-Core rev: b2cee9b9f08dff41e46e227b1ffa5e46e98faa89)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rebase sshd_config and ssh_config with openssh upstream.
Check for the ed25519 key in the systemd keygen service.
(From OE-Core rev: 046dd5567d9de0596023846e7f0c6df7f01a9f5b)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Deliver script ssh-copy-id from openssh which is useful to add an
authorized ssh key.
(From OE-Core rev: 16562034a2c28cbfc6c90f9324c42c08e0655b7d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Drop two CVE patches already handled upstream.
* Drop nostrip.patch which no longer applies and use the existing
--disable-strip configure option instead.
* OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the
Debian patch to add support back in, but it seems best to follow
upstream here unless we have a good reason to do otherwise.
(From OE-Core rev: 59e0833e24e4945569d36928dc0f231e822670ba)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Using the export LD in the recipe does not allow for secodnary toolchain
overriding LD later, by setting it in the do_configure_append the export
is used by autotools setting LD based on the env, but would allow for
override later.
[YOCTO #6997]
(From OE-Core rev: 9b37e630f5f6e37e928f825c4f67481cf58c98a1)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently, we install our own ssh_config and sshd_config into ${S} in
do_compile_append() task. So when finishing compiling, their .out files
are generated by the original files, rather than by our own files.
In most cases, installing "$(CONFIGFILES)" in Makefile will generate .out
files again, and then installing "install-sysconf", which will install
these two files into $(DESTDIR), thus we get what we expect.
However, when parallel installing, "install-sysconf" may be installed
before "$(CONFIGFILES)" sometimes. In this rare case, the .out files
generated in the first time rather than those in the second time will be
installed into $(DESTDIR), and thus we get an unexpect result.
This patch fixes this bug through transfering the installing of our own
files from do_compile_append() into do_configure_prepend().
(From OE-Core rev: 6a60a4ba8d8e529882daa33140c9a2fc08714fb2)
Signed-off-by: Zheng Junling <zhengjunling@huawei.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tell systemd just to kill the sshd process when the ssh connection drops
instead of the entire cgroup for sshd, so that any screen sessions (and
more to the point, processes within them) do not get killed.
(This is what the Fedora sshd service file does, and what we're already
doing in the dropbear service file).
(From OE-Core rev: 3c238dff41fbd3687457989c7b17d22b2cc844be)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Stopping sshd must only kill the listening (top-level) daemon; it must
not stop any other sshd process, because those are forked ssh
connections which may include e.g. the connection that called
/etc/init.d/sshd stop.
This initscript uses "start-stop-daemon -x <exe>" for starting/stopping.
When that is provided by busybox, this behavior is broken:
`/etc/init.d/sshd stop` stops *all* sshd processes. This was caused by a
fix to busybox 1.20: 17eedcad9406c43beddab3906c8c693626c351fb
"ssd: compat: match -x EXECUTABLE by /proc/pid/exe too".
The fix is to use a pidfile. All initscripts in upstream openssh do this,
as does dropbear.
Acked-by: Gratian Crisan <gratian.crisan@ni.com>
Acked-by: Ken Sharp <ken.sharp@ni.com>
(From OE-Core rev: 993405285e547403d5c753adfa91c26c43be13f6)
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
