Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 1 | SUMMARY = "A suite of security-related network utilities based on \ |
| 2 | the SSH protocol including the ssh client and sshd server" |
| 3 | DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ |
| 4 | Ssh (Secure Shell) is a program for logging into a remote machine \ |
| 5 | and for executing commands on a remote machine." |
| 6 | HOMEPAGE = "http://www.openssh.com/" |
| 7 | SECTION = "console/network" |
| 8 | LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT" |
Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame] | 9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 10 | |
| 11 | DEPENDS = "zlib openssl virtual/crypt" |
| 12 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" |
| 13 | |
| 14 | SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ |
| 15 | file://sshd_config \ |
| 16 | file://ssh_config \ |
| 17 | file://init \ |
| 18 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
| 19 | file://sshd.socket \ |
| 20 | file://sshd@.service \ |
| 21 | file://sshdgenkeys.service \ |
| 22 | file://volatiles.99_sshd \ |
| 23 | file://run-ptest \ |
| 24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
| 25 | file://sshd_check_keys \ |
| 26 | file://add-test-support-for-busybox.patch \ |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 27 | " |
Andrew Geissler | fc113ea | 2023-03-31 09:59:46 -0500 | [diff] [blame] | 28 | SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 29 | |
| 30 | # This CVE is specific to OpenSSH with the pam opie which we don't build/use here |
| 31 | CVE_CHECK_IGNORE += "CVE-2007-2768" |
| 32 | |
| 33 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 |
| 34 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded |
| 35 | CVE_CHECK_IGNORE += "CVE-2014-9278" |
| 36 | |
| 37 | # CVE only applies to some distributed RHEL binaries |
| 38 | CVE_CHECK_IGNORE += "CVE-2008-3844" |
| 39 | |
| 40 | PAM_SRC_URI = "file://sshd" |
| 41 | |
| 42 | inherit manpages useradd update-rc.d update-alternatives systemd |
| 43 | |
| 44 | USERADD_PACKAGES = "${PN}-sshd" |
| 45 | USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" |
| 46 | INITSCRIPT_PACKAGES = "${PN}-sshd" |
| 47 | INITSCRIPT_NAME:${PN}-sshd = "sshd" |
| 48 | INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" |
| 49 | |
| 50 | SYSTEMD_PACKAGES = "${PN}-sshd" |
| 51 | SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" |
| 52 | |
| 53 | inherit autotools-brokensep ptest |
| 54 | |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 55 | PACKAGECONFIG ??= "" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 56 | PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" |
| 57 | PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" |
| 58 | PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" |
| 59 | PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" |
| 60 | |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 61 | EXTRA_AUTORECONF += "--exclude=aclocal" |
| 62 | |
| 63 | # login path is hardcoded in sshd |
| 64 | EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ |
| 65 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ |
| 66 | --without-zlib-version-check \ |
| 67 | --with-privsep-path=${localstatedir}/run/sshd \ |
| 68 | --sysconfdir=${sysconfdir}/ssh \ |
| 69 | --with-xauth=${bindir}/xauth \ |
| 70 | --disable-strip \ |
| 71 | " |
| 72 | |
| 73 | # musl doesn't implement wtmp/utmp and logwtmp |
| 74 | EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" |
| 75 | |
| 76 | # Since we do not depend on libbsd, we do not want configure to use it |
| 77 | # just because it finds libutil.h. But, specifying --disable-libutil |
| 78 | # causes compile errors, so... |
| 79 | CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" |
| 80 | |
| 81 | # passwd path is hardcoded in sshd |
| 82 | CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" |
| 83 | |
| 84 | # We don't want to depend on libblockfile |
| 85 | CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" |
| 86 | |
| 87 | do_configure:prepend () { |
| 88 | export LD="${CC}" |
| 89 | install -m 0644 ${WORKDIR}/sshd_config ${B}/ |
| 90 | install -m 0644 ${WORKDIR}/ssh_config ${B}/ |
| 91 | } |
| 92 | |
| 93 | do_compile_ptest() { |
| 94 | oe_runmake regress-binaries regress-unit-binaries |
| 95 | } |
| 96 | |
| 97 | do_install:append () { |
| 98 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then |
| 99 | install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd |
| 100 | sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config |
| 101 | fi |
| 102 | |
| 103 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then |
| 104 | sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config |
| 105 | fi |
| 106 | |
| 107 | install -d ${D}${sysconfdir}/init.d |
| 108 | install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd |
| 109 | rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin |
| 110 | rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} |
| 111 | install -d ${D}/${sysconfdir}/default/volatiles |
| 112 | install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd |
| 113 | install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} |
| 114 | |
| 115 | # Create config files for read-only rootfs |
| 116 | install -d ${D}${sysconfdir}/ssh |
| 117 | install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly |
| 118 | sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly |
| 119 | echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly |
| 120 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly |
| 121 | echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly |
| 122 | |
| 123 | install -d ${D}${systemd_system_unitdir} |
| 124 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} |
| 125 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} |
| 126 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} |
| 127 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ |
| 128 | -e 's,@SBINDIR@,${sbindir},g' \ |
| 129 | -e 's,@BINDIR@,${bindir},g' \ |
| 130 | -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ |
| 131 | ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service |
| 132 | |
| 133 | sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ |
| 134 | ${D}${sysconfdir}/init.d/sshd |
| 135 | |
| 136 | install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys |
| 137 | } |
| 138 | |
| 139 | do_install_ptest () { |
| 140 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh |
| 141 | cp -r regress ${D}${PTEST_PATH} |
| 142 | cp config.h ${D}${PTEST_PATH} |
| 143 | } |
| 144 | |
| 145 | ALLOW_EMPTY:${PN} = "1" |
| 146 | |
| 147 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" |
| 148 | FILES:${PN}-scp = "${bindir}/scp.${BPN}" |
| 149 | FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" |
| 150 | FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" |
| 151 | FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" |
| 152 | FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" |
| 153 | FILES:${PN}-sftp = "${bindir}/sftp" |
| 154 | FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" |
| 155 | FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" |
| 156 | FILES:${PN}-keygen = "${bindir}/ssh-keygen" |
| 157 | |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 158 | RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 159 | RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 160 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies |
Andrew Geissler | fc113ea | 2023-03-31 09:59:46 -0500 | [diff] [blame] | 161 | RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils openssl-bin" |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 162 | |
| 163 | RPROVIDES:${PN}-ssh = "ssh" |
| 164 | RPROVIDES:${PN}-sshd = "sshd" |
| 165 | |
| 166 | RCONFLICTS:${PN} = "dropbear" |
| 167 | RCONFLICTS:${PN}-sshd = "dropbear" |
| 168 | |
| 169 | CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config" |
| 170 | CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config" |
| 171 | |
| 172 | ALTERNATIVE_PRIORITY = "90" |
| 173 | ALTERNATIVE:${PN}-scp = "scp" |
| 174 | ALTERNATIVE:${PN}-ssh = "ssh" |
| 175 | |
| 176 | BBCLASSEXTEND += "nativesdk" |