blob: 975faed5473b9b9413b9a444fa0639f0d18f7dd1 [file] [log] [blame]
Andrew Geissler9aee5002022-03-30 16:27:02 +00001SUMMARY = "A suite of security-related network utilities based on \
2the SSH protocol including the ssh client and sshd server"
3DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
4Ssh (Secure Shell) is a program for logging into a remote machine \
5and for executing commands on a remote machine."
6HOMEPAGE = "http://www.openssh.com/"
7SECTION = "console/network"
8LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
9LIC_FILES_CHKSUM = "file://LICENCE;md5=8baf365614c9bdd63705f298c9afbfb9"
10
11DEPENDS = "zlib openssl virtual/crypt"
12DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
13
14SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
15 file://sshd_config \
16 file://ssh_config \
17 file://init \
18 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
19 file://sshd.socket \
20 file://sshd@.service \
21 file://sshdgenkeys.service \
22 file://volatiles.99_sshd \
23 file://run-ptest \
24 file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
25 file://sshd_check_keys \
26 file://add-test-support-for-busybox.patch \
Andrew Geissler9aee5002022-03-30 16:27:02 +000027 "
Patrick Williams03907ee2022-05-01 06:28:52 -050028SRC_URI[sha256sum] = "03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a"
Andrew Geissler9aee5002022-03-30 16:27:02 +000029
30# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
31CVE_CHECK_IGNORE += "CVE-2007-2768"
32
33# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
34# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
35CVE_CHECK_IGNORE += "CVE-2014-9278"
36
37# CVE only applies to some distributed RHEL binaries
38CVE_CHECK_IGNORE += "CVE-2008-3844"
39
40PAM_SRC_URI = "file://sshd"
41
42inherit manpages useradd update-rc.d update-alternatives systemd
43
44USERADD_PACKAGES = "${PN}-sshd"
45USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
46INITSCRIPT_PACKAGES = "${PN}-sshd"
47INITSCRIPT_NAME:${PN}-sshd = "sshd"
48INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
49
50SYSTEMD_PACKAGES = "${PN}-sshd"
51SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket"
52
53inherit autotools-brokensep ptest
54
55PACKAGECONFIG ??= "rng-tools"
56PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
57PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
58PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
59PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
60
61# Add RRECOMMENDS to rng-tools for sshd package
62PACKAGECONFIG[rng-tools] = ""
63
64EXTRA_AUTORECONF += "--exclude=aclocal"
65
66# login path is hardcoded in sshd
67EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
68 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
69 --without-zlib-version-check \
70 --with-privsep-path=${localstatedir}/run/sshd \
71 --sysconfdir=${sysconfdir}/ssh \
72 --with-xauth=${bindir}/xauth \
73 --disable-strip \
74 "
75
76# musl doesn't implement wtmp/utmp and logwtmp
77EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
78
79# Since we do not depend on libbsd, we do not want configure to use it
80# just because it finds libutil.h. But, specifying --disable-libutil
81# causes compile errors, so...
82CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no"
83
84# passwd path is hardcoded in sshd
85CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
86
87# We don't want to depend on libblockfile
88CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
89
90do_configure:prepend () {
91 export LD="${CC}"
92 install -m 0644 ${WORKDIR}/sshd_config ${B}/
93 install -m 0644 ${WORKDIR}/ssh_config ${B}/
94}
95
96do_compile_ptest() {
97 oe_runmake regress-binaries regress-unit-binaries
98}
99
100do_install:append () {
101 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
102 install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
103 sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
104 fi
105
106 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
107 sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
108 fi
109
110 install -d ${D}${sysconfdir}/init.d
111 install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
112 rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
113 rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
114 install -d ${D}/${sysconfdir}/default/volatiles
115 install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
116 install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
117
118 # Create config files for read-only rootfs
119 install -d ${D}${sysconfdir}/ssh
120 install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
121 sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
122 echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
123 echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
124 echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
125
126 install -d ${D}${systemd_system_unitdir}
127 install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
128 install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
129 install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
130 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
131 -e 's,@SBINDIR@,${sbindir},g' \
132 -e 's,@BINDIR@,${bindir},g' \
133 -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
134 ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service
135
136 sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
137 ${D}${sysconfdir}/init.d/sshd
138
139 install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
140}
141
142do_install_ptest () {
143 sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
144 cp -r regress ${D}${PTEST_PATH}
145 cp config.h ${D}${PTEST_PATH}
146}
147
148ALLOW_EMPTY:${PN} = "1"
149
150PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
151FILES:${PN}-scp = "${bindir}/scp.${BPN}"
152FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
153FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
154FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
155FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
156FILES:${PN}-sftp = "${bindir}/sftp"
157FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
158FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
159FILES:${PN}-keygen = "${bindir}/ssh-keygen"
160
161RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
162RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
163RRECOMMENDS:${PN}-sshd:append:class-target = "\
164 ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
165"
166
167# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
168RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
169
170RPROVIDES:${PN}-ssh = "ssh"
171RPROVIDES:${PN}-sshd = "sshd"
172
173RCONFLICTS:${PN} = "dropbear"
174RCONFLICTS:${PN}-sshd = "dropbear"
175
176CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
177CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
178
179ALTERNATIVE_PRIORITY = "90"
180ALTERNATIVE:${PN}-scp = "scp"
181ALTERNATIVE:${PN}-ssh = "ssh"
182
183BBCLASSEXTEND += "nativesdk"