From: Martin Jansa <martin.jansa@gmail.com>
To: Markus Hubig <mhubig@imko.de>
Cc: yocto@yoctoproject.org
Subject: Re: [PATCH] Restructures the openssh recipe to support systemd.
Date: Thu, 11 Jul 2013 14:28:07 +0200
Message-ID: <20130711122807.GI3288@jama>
In-Reply-To: <1373535808-1443-1-git-send-email-mhubig@imko.de>

On Thu, Jul 11, 2013 at 11:43:28AM +0200, Markus Hubig wrote:
> + Adds native support for systemd in addition to sysvinit.
> * Splits the huge recipe into an inc and a small bb file.
> * Avoids the installation of the sysvinit files with systemd.

A similar patch is already on the oe-core ML, where it belongs, and
patches like this really need to be sent with the -M flag.

> Signed-off-by: Markus Hubig <mhubig@imko.de>
> ---
>  .../openssh/openssh-6.2p2/init                     |  92 ---------------
>  .../openssh/openssh-6.2p2/mac.patch                |  76 -------------
>  .../openssh/openssh-6.2p2/nostrip.patch            |  20 ----
>  .../openssh-6.2p2/openssh-CVE-2011-4327.patch      |  27 -----
>  .../openssh/openssh-6.2p2/ssh_config               |  46 --------
>  .../openssh/openssh-6.2p2/sshd                     |  10 --
>  .../openssh/openssh-6.2p2/sshd_config              | 119 --------------------
>  meta/recipes-connectivity/openssh/openssh.inc      | 123 +++++++++++++++++++++
>  meta/recipes-connectivity/openssh/openssh/init     |  92 +++++++++++++++
>  .../recipes-connectivity/openssh/openssh/mac.patch |  76 +++++++++++++
>  .../openssh/openssh/nostrip.patch                  |  20 ++++
>  .../openssh/openssh/openssh-CVE-2011-4327.patch    |  27 +++++
>  meta/recipes-connectivity/openssh/openssh/pam      |  10 ++
>  .../openssh/openssh/ssh_config                     |  46 ++++++++
>  .../openssh/openssh/sshd.socket                    |  11 ++
>  .../openssh/openssh/sshd@.service                  |   9 ++
>  .../openssh/openssh/sshd_config                    | 119 ++++++++++++++++++++
>  .../openssh/openssh/sshdgenkeys.service            |  10 ++
>  meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 113 +------------------
>  19 files changed, 549 insertions(+), 497 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/init
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>  create mode 100644 meta/recipes-connectivity/openssh/openssh.inc
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/init
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/mac.patch
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/nostrip.patch
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/pam
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd.socket
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd@.service
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
> deleted file mode 100644
> index 6beec84..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/init
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -#! /bin/sh
> -set -e
> -
> -# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
> -
> -test -x /usr/sbin/sshd || exit 0
> -( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
> -
> -if test -f /etc/default/ssh; then
> -    . /etc/default/ssh
> -fi
> -
> -check_for_no_start() {
> -    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
> -    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
> -	echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
> -	exit 0
> -    fi
> -}
> -
> -check_privsep_dir() {
> -    # Create the PrivSep empty dir if necessary
> -    if [ ! -d /var/run/sshd ]; then
> -	mkdir /var/run/sshd
> -	chmod 0755 /var/run/sshd
> -    fi
> -}
> -
> -check_config() {
> -	/usr/sbin/sshd -t || exit 1
> -}
> -
> -check_keys() {
> -	# create keys if necessary
> -	if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
> -		echo "  generating ssh RSA key..."
> -		ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> -	fi
> -	if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
> -		echo "  generating ssh ECDSA key..."
> -		ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> -	fi
> -	if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
> -		echo "  generating ssh DSA key..."
> -		ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
> -	fi
> -}
> -
> -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> -
> -case "$1" in
> -  start)
> -	check_for_no_start
> -	echo "Starting OpenBSD Secure Shell server: sshd"
> -	check_keys
> -	check_privsep_dir
> -	start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> -        echo "done."
> -	;;
> -  stop)
> -        echo -n "Stopping OpenBSD Secure Shell server: sshd"
> -	start-stop-daemon -K -x /usr/sbin/sshd
> -        echo "."
> -	;;
> -
> -  reload|force-reload)
> -	check_for_no_start
> -	check_keys
> -	check_config
> -        echo -n "Reloading OpenBSD Secure Shell server's configuration"
> -	start-stop-daemon -K -s 1 -x /usr/sbin/sshd
> -	echo "."
> -	;;
> -
> -  restart)
> -  	check_keys
> -	check_config
> -        echo -n "Restarting OpenBSD Secure Shell server: sshd"
> -	start-stop-daemon -K --oknodo -x /usr/sbin/sshd
> -	check_for_no_start
> -	check_privsep_dir
> -	sleep 2
> -	start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> -	echo "."
> -	;;
> -
> -  *)
> -	echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
> -	exit 1
> -esac
> -
> -exit 0
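
Review bot: The blob id on this deletion (index 6beec84..0000000) is the
same id the new openssh/init is created with further down
(index 0000000..6beec84), so these 92 removed lines and the 92 added
ones are a pure rename. Regenerating the patch with
`git format-patch -M` would reduce each moved file to a rename header
and leave only openssh.inc, the .bb change and the new systemd units
to read.
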
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
> deleted file mode 100644
> index 69fb69d..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
> +++ /dev/null
> @@ -1,76 +0,0 @@
> -[PATCH] force the MAC output to be 64-bit aligned
> -
> -Upstream-Status: Backport[anoncvs.mindrot.org/index.cgi/openssh/mac.c?r1=1.27&r2=1.28]
> -
> -Backport patch to fix segment fault due to unaligned memory access
> -
> -Wed Jun 5 22:12:37 2013 UTC (7 days, 3 hours ago) by dtucker
> -Branch: MAIN
> -CVS Tags: HEAD
> -Changes since 1.27: +11 -8 lines
> -Diff to previous 1.27
> -
> -   - dtucker@cvs.openbsd.org 2013/06/03 00:03:18
> -     [mac.c]
> -     force the MAC output to be 64-bit aligned so umac won't see
> -unaligned
> -     accesses on strict-alignment architectures.  bz#2101, patch from
> -     tomas.kuthan at oracle.com, ok djm@
> ----
> - mac.c |   18 +++++++++++-------
> - 1 file changed, 11 insertions(+), 7 deletions(-)
> -
> -diff --git a/mac.c b/mac.c
> -index 3f2dc6f..a5a80d3 100644
> ---- a/mac.c
> -+++ b/mac.c
> -@@ -152,12 +152,16 @@ mac_init(Mac *mac)
> - u_char *
> - mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> - {
> --	static u_char m[EVP_MAX_MD_SIZE];
> -+	static union {
> -+		u_char m[EVP_MAX_MD_SIZE];
> -+		u_int64_t for_align;
> -+	} u;
> -+
> - 	u_char b[4], nonce[8];
> - 
> --	if (mac->mac_len > sizeof(m))
> -+	if (mac->mac_len > sizeof(u))
> - 		fatal("mac_compute: mac too long %u %lu",
> --		    mac->mac_len, (u_long)sizeof(m));
> -+		    mac->mac_len, (u_long)sizeof(u));
> - 
> - 	switch (mac->type) {
> - 	case SSH_EVP:
> -@@ -166,22 +170,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> - 		HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
> - 		HMAC_Update(&mac->evp_ctx, b, sizeof(b));
> - 		HMAC_Update(&mac->evp_ctx, data, datalen);
> --		HMAC_Final(&mac->evp_ctx, m, NULL);
> -+		HMAC_Final(&mac->evp_ctx, u.m, NULL);
> - 		break;
> - 	case SSH_UMAC:
> - 		put_u64(nonce, seqno);
> - 		umac_update(mac->umac_ctx, data, datalen);
> --		umac_final(mac->umac_ctx, m, nonce);
> -+		umac_final(mac->umac_ctx, u.m, nonce);
> - 		break;
> - 	case SSH_UMAC128:
> - 		put_u64(nonce, seqno);
> - 		umac128_update(mac->umac_ctx, data, datalen);
> --		umac128_final(mac->umac_ctx, m, nonce);
> -+		umac128_final(mac->umac_ctx, u.m, nonce);
> - 		break;
> - 	default:
> - 		fatal("mac_compute: unknown MAC type");
> - 	}
> --	return (m);
> -+	return (u.m);
> - }
> - 
> - void
> --- 
> -1.7.9.5
> -
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
> deleted file mode 100644
> index 33111f5..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -Disable stripping binaries during make install.
> -
> -Upstream-Status: Inappropriate [configuration]
> -
> -Build system specific.
> -
> -Signed-off-by: Scott Garman <scott.a.garman@intel.com>
> -
> -diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
> ---- openssh-5.6p1.orig/Makefile.in	2010-05-11 23:51:39.000000000 -0700
> -+++ openssh-5.6p1/Makefile.in	2010-08-30 16:49:54.000000000 -0700
> -@@ -29,7 +29,7 @@
> - RAND_HELPER=$(libexecdir)/ssh-rand-helper
> - PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> --STRIP_OPT=@STRIP_OPT@
> -+STRIP_OPT=
> - 
> - PATHS= -DSSHDIR=\"$(sysconfdir)\" \
> - 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
> deleted file mode 100644
> index 8489edc..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -openssh-CVE-2011-4327
> -
> -A security flaw was found in the way ssh-keysign,
> -a ssh helper program for host based authentication,
> -attempted to retrieve enough entropy information on configurations that
> -lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> -be executed to retrieve the entropy from the system environment).
> -A local attacker could use this flaw to obtain unauthorized access to host keys
> -via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
> -
> -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> -http://www.openssh.com/txt/portable-keysign-rand-helper.adv
> -
> -Signed-off-by: Li Wang <li.wang@windriver.com>
> ---- a/ssh-keysign.c
> -+++ b/ssh-keysign.c
> -@@ -170,6 +170,10 @@
> - 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
> - 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
> - 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
> -+	if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
> -+	    fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
> -+	    fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
> -+		fatal("fcntl failed");
> - 
> - 	original_real_uid = getuid();	/* XXX readconf.c needs this */
> - 	if ((pw = getpwuid(original_real_uid)) == NULL)
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
> deleted file mode 100644
> index 4a4a649..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -#	$OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
> -
> -# This is the ssh client system-wide configuration file.  See
> -# ssh_config(5) for more information.  This file provides defaults for
> -# users, and the values can be changed in per-user configuration files
> -# or on the command line.
> -
> -# Configuration data is parsed as follows:
> -#  1. command line options
> -#  2. user-specific file
> -#  3. system-wide file
> -# Any configuration value is only changed the first time it is set.
> -# Thus, host-specific definitions should be at the beginning of the
> -# configuration file, and defaults at the end.
> -
> -# Site-wide defaults for some commonly used options.  For a comprehensive
> -# list of available options, their meanings and defaults, please see the
> -# ssh_config(5) man page.
> -
> -Host *
> -  ForwardAgent yes
> -  ForwardX11 yes
> -#   RhostsRSAAuthentication no
> -#   RSAAuthentication yes
> -#   PasswordAuthentication yes
> -#   HostbasedAuthentication no
> -#   GSSAPIAuthentication no
> -#   GSSAPIDelegateCredentials no
> -#   BatchMode no
> -#   CheckHostIP yes
> -#   AddressFamily any
> -#   ConnectTimeout 0
> -#   StrictHostKeyChecking ask
> -#   IdentityFile ~/.ssh/identity
> -#   IdentityFile ~/.ssh/id_rsa
> -#   IdentityFile ~/.ssh/id_dsa
> -#   Port 22
> -#   Protocol 2,1
> -#   Cipher 3des
> -#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> -#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
> -#   EscapeChar ~
> -#   Tunnel no
> -#   TunnelDevice any:any
> -#   PermitLocalCommand no
> -#   VisualHostKey no
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
> deleted file mode 100644
> index 4882e58..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
> +++ /dev/null
> @@ -1,10 +0,0 @@
> -#%PAM-1.0
> -
> -auth       include      common-auth
> -account    required     pam_nologin.so
> -account    include      common-account
> -password   include      common-password
> -session    optional     pam_keyinit.so force revoke
> -session    include      common-session
> -session    required     pam_loginuid.so
> -
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> deleted file mode 100644
> index 4f9b626..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> +++ /dev/null
> @@ -1,119 +0,0 @@
> -#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
> -
> -# This is the sshd server system-wide configuration file.  See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented.  Uncommented options change a
> -# default value.
> -
> -#Port 22
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> -#ListenAddress ::
> -
> -# Disable legacy (protocol version 1) support in the server for new
> -# installations. In future the default will change to require explicit
> -# activation of protocol 1
> -Protocol 2
> -
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> -#HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_dsa_key
> -
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 1024
> -
> -# Logging
> -# obsoletes QuietMode and FascistLogging
> -#SyslogFacility AUTH
> -#LogLevel INFO
> -
> -# Authentication:
> -
> -#LoginGraceTime 2m
> -#PermitRootLogin yes
> -#StrictModes yes
> -#MaxAuthTries 6
> -#MaxSessions 10
> -
> -#RSAAuthentication yes
> -#PubkeyAuthentication yes
> -#AuthorizedKeysFile	.ssh/authorized_keys
> -
> -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
> -#HostbasedAuthentication no
> -# Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> -#IgnoreUserKnownHosts no
> -# Don't read the user's ~/.rhosts and ~/.shosts files
> -#IgnoreRhosts yes
> -
> -# To disable tunneled clear text passwords, change to no here!
> -#PasswordAuthentication yes
> -#PermitEmptyPasswords no
> -
> -# Change to no to disable s/key passwords
> -#ChallengeResponseAuthentication yes
> -
> -# Kerberos options
> -#KerberosAuthentication no
> -#KerberosOrLocalPasswd yes
> -#KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
> -
> -# GSSAPI options
> -#GSSAPIAuthentication no
> -#GSSAPICleanupCredentials yes
> -
> -# Set this to 'yes' to enable PAM authentication, account processing, 
> -# and session processing. If this is enabled, PAM authentication will 
> -# be allowed through the ChallengeResponseAuthentication and
> -# PasswordAuthentication.  Depending on your PAM configuration,
> -# PAM authentication via ChallengeResponseAuthentication may bypass
> -# the setting of "PermitRootLogin without-password".
> -# If you just want the PAM account and session checks to run without
> -# PAM authentication, then enable this but set PasswordAuthentication
> -# and ChallengeResponseAuthentication to 'no'.
> -#UsePAM no
> -
> -#AllowAgentForwarding yes
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> -#X11Forwarding no
> -#X11DisplayOffset 10
> -#X11UseLocalhost yes
> -#PrintMotd yes
> -#PrintLastLog yes
> -#TCPKeepAlive yes
> -#UseLogin no
> -UsePrivilegeSeparation yes
> -#PermitUserEnvironment no
> -Compression no
> -ClientAliveInterval 15
> -ClientAliveCountMax 4
> -#UseDNS yes
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10
> -#PermitTunnel no
> -#ChrootDirectory none
> -
> -# no default banner path
> -#Banner none
> -
> -# override default of no subsystems
> -Subsystem	sftp	/usr/libexec/sftp-server
> -
> -# Example of overriding settings on a per-user basis
> -#Match User anoncvs
> -#	X11Forwarding no
> -#	AllowTcpForwarding no
> -#	ForceCommand cvs server
> diff --git a/meta/recipes-connectivity/openssh/openssh.inc b/meta/recipes-connectivity/openssh/openssh.inc
> new file mode 100644
> index 0000000..c51b65c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh.inc
> @@ -0,0 +1,123 @@
> +SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement"
> +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
> +Ssh (Secure Shell) is a program for logging into a remote machine \
> +and for executing commands on a remote machine."
> +HOMEPAGE = "http://openssh.org"
> +SECTION = "console/network"
> +LICENSE = "BSD"
> +LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
> +
> +INC_PR = "r1"
> +
> +DEPENDS = "zlib openssl"
> +DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
> +
> +RPROVIDES_${PN}-ssh = "ssh"
> +RPROVIDES_${PN}-sshd = "sshd"
> +
> +RCONFLICTS_${PN} = "dropbear"
> +RCONFLICTS_${PN}-sshd = "dropbear"
> +RCONFLICTS_${PN}-keygen = "ssh-keygen"
> +
> +INITSCRIPT_PACKAGES = "${PN}-sshd"
> +INITSCRIPT_NAME_${PN}-sshd = "sshd"
> +INITSCRIPT_PARAMS = "defaults 9"
> +
> +SYSTEMD_PACKAGES = "${PN}-sshd"
> +SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
> +
> +USERADD_PACKAGES = "${PN}-sshd"
> +USERADD_PARAM_${PN}-sshd = "--system \
> +                            --no-create-home \
> +                            --home-dir /var/run/sshd \
> +                            --shell /bin/false \
> +                            --user-group sshd"
> +
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> +SRC_URI = "file://sshd_config \
> +           file://ssh_config \
> +           file://sshd.socket \
> +           file://sshd@.service \
> +           file://sshdgenkeys.service \
> +           file://init \
> +           file://pam \
> +           "
> +
> +inherit autotools useradd update-rc.d update-alternatives systemd
> +
> +# LFS support:
> +CFLAGS += "-D__FILE_OFFSET_BITS=64"
> +export LD = "${CC}"
> +
> +EXTRA_OECONF = "--with-rand-helper=no \
> +                ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> +                --without-zlib-version-check \
> +                --with-privsep-path=/var/run/sshd \
> +                --sysconfdir=${sysconfdir}/ssh \
> +                --with-xauth=/usr/bin/xauth"
> +
> +# This is a workaround for uclibc because including stdio.h
> +# pulls in pthreads.h and causes conflicts in function prototypes.
> +# This results in compilation failure, so unless this is fixed,
> +# disable pam for uclibc.
> +EXTRA_OECONF_append_libc-uclibc=" --without-pam"
> +
> +do_configure_prepend () {
> +    if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
> +        cp aclocal.m4 acinclude.m4
> +    fi
> +}
> +
> +do_compile_append () {
> +    install -m 0644 ${WORKDIR}/sshd_config ${S}/
> +    install -m 0644 ${WORKDIR}/ssh_config ${S}/
> +}
> +
> +do_install_append () {
> +
> +    if ${@base_contains('DISTRO_FEATURES','pam','true','false',d)}; then
> +        install -d ${D}${sysconfdir}/pam.d
> +        install -m 0755 ${WORKDIR}/pam ${D}${sysconfdir}/pam.d/sshd
> +    fi
> +
> +    if ${@base_contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
> +        install -d ${D}${sysconfdir}/init.d
> +        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
> +    fi
> +
> +    if ${@base_contains('DISTRO_FEATURES','systemd','true','false',d)}; then
> +        install -d ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system
> +    fi
> +
> +    rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
> +    rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
> +}
> +
> +ALLOW_EMPTY_${PN} = "1"
> +
> +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> +
> +FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
> +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
> +FILES_${PN}-sshd += "${systemd_unitdir}/system/sshd.socket"
> +FILES_${PN}-sftp = "${bindir}/sftp"
> +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> +FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> +
> +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> +RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +
> +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> +
> +ALTERNATIVE_PRIORITY = "90"
> +ALTERNATIVE_${PN}-scp = "scp"
> +ALTERNATIVE_${PN}-ssh = "ssh"
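
Review bot: In do_install_append the PAM configuration is installed
executable, `install -m 0755 ${WORKDIR}/pam ${D}${sysconfdir}/pam.d/sshd`;
it is a plain configuration file, so 0644 is the mode to use. In the
same function sshd@.service and sshdgenkeys.service are installed into
${systemd_unitdir}/system, but FILES_${PN}-sshd names only sshd.socket,
so unless the systemd class picks the other two up they are not listed
for any package here. The LFS define also looks misspelled: the
feature-test macro that libc headers check is `_FILE_OFFSET_BITS`, with
a single leading underscore, not `__FILE_OFFSET_BITS`.
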
> diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init
> new file mode 100644
> index 0000000..6beec84
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/init
> @@ -0,0 +1,92 @@
> +#! /bin/sh
> +set -e
> +
> +# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
> +
> +test -x /usr/sbin/sshd || exit 0
> +( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
> +
> +if test -f /etc/default/ssh; then
> +    . /etc/default/ssh
> +fi
> +
> +check_for_no_start() {
> +    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
> +    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
> +	echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
> +	exit 0
> +    fi
> +}
> +
> +check_privsep_dir() {
> +    # Create the PrivSep empty dir if necessary
> +    if [ ! -d /var/run/sshd ]; then
> +	mkdir /var/run/sshd
> +	chmod 0755 /var/run/sshd
> +    fi
> +}
> +
> +check_config() {
> +	/usr/sbin/sshd -t || exit 1
> +}
> +
> +check_keys() {
> +	# create keys if necessary
> +	if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
> +		echo "  generating ssh RSA key..."
> +		ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> +	fi
> +	if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
> +		echo "  generating ssh ECDSA key..."
> +		ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> +	fi
> +	if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
> +		echo "  generating ssh DSA key..."
> +		ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
> +	fi
> +}
> +
> +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> +
> +case "$1" in
> +  start)
> +	check_for_no_start
> +	echo "Starting OpenBSD Secure Shell server: sshd"
> +	check_keys
> +	check_privsep_dir
> +	start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> +        echo "done."
> +	;;
> +  stop)
> +        echo -n "Stopping OpenBSD Secure Shell server: sshd"
> +	start-stop-daemon -K -x /usr/sbin/sshd
> +        echo "."
> +	;;
> +
> +  reload|force-reload)
> +	check_for_no_start
> +	check_keys
> +	check_config
> +        echo -n "Reloading OpenBSD Secure Shell server's configuration"
> +	start-stop-daemon -K -s 1 -x /usr/sbin/sshd
> +	echo "."
> +	;;
> +
> +  restart)
> +  	check_keys
> +	check_config
> +        echo -n "Restarting OpenBSD Secure Shell server: sshd"
> +	start-stop-daemon -K --oknodo -x /usr/sbin/sshd
> +	check_for_no_start
> +	check_privsep_dir
> +	sleep 2
> +	start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> +	echo "."
> +	;;
> +
> +  *)
> +	echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
> +	exit 1
> +esac
> +
> +exit 0
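
Review bot: The script still identifies itself as /etc/init.d/ssh, in
the header comment and in the usage message
(`Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}`),
while openssh.inc installs it as ${sysconfdir}/init.d/sshd with
INITSCRIPT_NAME set to sshd. Since the file is being moved anyway,
align the comment and the usage text with the installed name so the
error output points at a path that exists.
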
> diff --git a/meta/recipes-connectivity/openssh/openssh/mac.patch b/meta/recipes-connectivity/openssh/openssh/mac.patch
> new file mode 100644
> index 0000000..69fb69d
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/mac.patch
> @@ -0,0 +1,76 @@
> +[PATCH] force the MAC output to be 64-bit aligned
> +
> +Upstream-Status: Backport[anoncvs.mindrot.org/index.cgi/openssh/mac.c?r1=1.27&r2=1.28]
> +
> +Backport patch to fix segment fault due to unaligned memory access
> +
> +Wed Jun 5 22:12:37 2013 UTC (7 days, 3 hours ago) by dtucker
> +Branch: MAIN
> +CVS Tags: HEAD
> +Changes since 1.27: +11 -8 lines
> +Diff to previous 1.27
> +
> +   - dtucker@cvs.openbsd.org 2013/06/03 00:03:18
> +     [mac.c]
> +     force the MAC output to be 64-bit aligned so umac won't see
> +unaligned
> +     accesses on strict-alignment architectures.  bz#2101, patch from
> +     tomas.kuthan at oracle.com, ok djm@
> +---
> + mac.c |   18 +++++++++++-------
> + 1 file changed, 11 insertions(+), 7 deletions(-)
> +
> +diff --git a/mac.c b/mac.c
> +index 3f2dc6f..a5a80d3 100644
> +--- a/mac.c
> ++++ b/mac.c
> +@@ -152,12 +152,16 @@ mac_init(Mac *mac)
> + u_char *
> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + {
> +-	static u_char m[EVP_MAX_MD_SIZE];
> ++	static union {
> ++		u_char m[EVP_MAX_MD_SIZE];
> ++		u_int64_t for_align;
> ++	} u;
> ++
> + 	u_char b[4], nonce[8];
> + 
> +-	if (mac->mac_len > sizeof(m))
> ++	if (mac->mac_len > sizeof(u))
> + 		fatal("mac_compute: mac too long %u %lu",
> +-		    mac->mac_len, (u_long)sizeof(m));
> ++		    mac->mac_len, (u_long)sizeof(u));
> + 
> + 	switch (mac->type) {
> + 	case SSH_EVP:
> +@@ -166,22 +170,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + 		HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
> + 		HMAC_Update(&mac->evp_ctx, b, sizeof(b));
> + 		HMAC_Update(&mac->evp_ctx, data, datalen);
> +-		HMAC_Final(&mac->evp_ctx, m, NULL);
> ++		HMAC_Final(&mac->evp_ctx, u.m, NULL);
> + 		break;
> + 	case SSH_UMAC:
> + 		put_u64(nonce, seqno);
> + 		umac_update(mac->umac_ctx, data, datalen);
> +-		umac_final(mac->umac_ctx, m, nonce);
> ++		umac_final(mac->umac_ctx, u.m, nonce);
> + 		break;
> + 	case SSH_UMAC128:
> + 		put_u64(nonce, seqno);
> + 		umac128_update(mac->umac_ctx, data, datalen);
> +-		umac128_final(mac->umac_ctx, m, nonce);
> ++		umac128_final(mac->umac_ctx, u.m, nonce);
> + 		break;
> + 	default:
> + 		fatal("mac_compute: unknown MAC type");
> + 	}
> +-	return (m);
> ++	return (u.m);
> + }
> + 
> + void
> +-- 
> +1.7.9.5
> +
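
Review bot: The header of this carried patch has an Upstream-Status
line but no Signed-off-by from whoever did the backport, unlike
nostrip.patch and openssh-CVE-2011-4327.patch in the same directory.
Add one, and put a space between `Backport` and the bracketed
reference so the status tag reads the same way as the one in
nostrip.patch.
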
> diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
> new file mode 100644
> index 0000000..33111f5
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
> @@ -0,0 +1,20 @@
> +Disable stripping binaries during make install.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Build system specific.
> +
> +Signed-off-by: Scott Garman <scott.a.garman@intel.com>
> +
> +diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
> +--- openssh-5.6p1.orig/Makefile.in	2010-05-11 23:51:39.000000000 -0700
> ++++ openssh-5.6p1/Makefile.in	2010-08-30 16:49:54.000000000 -0700
> +@@ -29,7 +29,7 @@
> + RAND_HELPER=$(libexecdir)/ssh-rand-helper
> + PRIVSEP_PATH=@PRIVSEP_PATH@
> + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> +-STRIP_OPT=@STRIP_OPT@
> ++STRIP_OPT=
> + 
> + PATHS= -DSSHDIR=\"$(sysconfdir)\" \
> + 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
> diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
> new file mode 100644
> index 0000000..8489edc
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
> @@ -0,0 +1,27 @@
> +openssh-CVE-2011-4327
> +
> +A security flaw was found in the way ssh-keysign,
> +a ssh helper program for host based authentication,
> +attempted to retrieve enough entropy information on configurations that
> +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> +be executed to retrieve the entropy from the system environment).
> +A local attacker could use this flaw to obtain unauthorized access to host keys
> +via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
> +
> +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> +http://www.openssh.com/txt/portable-keysign-rand-helper.adv
> +
> +Signed-off-by: Li Wang <li.wang@windriver.com>
> +--- a/ssh-keysign.c
> ++++ b/ssh-keysign.c
> +@@ -170,6 +170,10 @@
> + 	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
> + 	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
> + 	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
> ++	if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
> ++	    fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
> ++	    fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
> ++		fatal("fcntl failed");
> + 
> + 	original_real_uid = getuid();	/* XXX readconf.c needs this */
> + 	if ((pw = getpwuid(original_real_uid)) == NULL)
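
Review bot: The three open() calls just above the added lines are not
checked, so when any of the host key files is absent key_fd[] holds -1
and the fcntl(..., F_SETFD, FD_CLOEXEC) call on that entry fails with
EBADF, which sends ssh-keysign into `fatal("fcntl failed")` even though
the other keys opened fine. Set the flag only on descriptors that are
not -1, and loop over the i entries actually filled in rather than
hard-coding indexes 0 to 2. The patch header also lacks the
Upstream-Status line that mac.patch and nostrip.patch carry.
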
> diff --git a/meta/recipes-connectivity/openssh/openssh/pam b/meta/recipes-connectivity/openssh/openssh/pam
> new file mode 100644
> index 0000000..4882e58
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/pam
> @@ -0,0 +1,10 @@
> +#%PAM-1.0
> +
> +auth       include      common-auth
> +account    required     pam_nologin.so
> +account    include      common-account
> +password   include      common-password
> +session    optional     pam_keyinit.so force revoke
> +session    include      common-session
> +session    required     pam_loginuid.so
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> new file mode 100644
> index 0000000..4a4a649
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> @@ -0,0 +1,46 @@
> +#	$OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
> +
> +# This is the ssh client system-wide configuration file.  See
> +# ssh_config(5) for more information.  This file provides defaults for
> +# users, and the values can be changed in per-user configuration files
> +# or on the command line.
> +
> +# Configuration data is parsed as follows:
> +#  1. command line options
> +#  2. user-specific file
> +#  3. system-wide file
> +# Any configuration value is only changed the first time it is set.
> +# Thus, host-specific definitions should be at the beginning of the
> +# configuration file, and defaults at the end.
> +
> +# Site-wide defaults for some commonly used options.  For a comprehensive
> +# list of available options, their meanings and defaults, please see the
> +# ssh_config(5) man page.
> +
> +Host *
> +  ForwardAgent yes
> +  ForwardX11 yes
> +#   RhostsRSAAuthentication no
> +#   RSAAuthentication yes
> +#   PasswordAuthentication yes
> +#   HostbasedAuthentication no
> +#   GSSAPIAuthentication no
> +#   GSSAPIDelegateCredentials no
> +#   BatchMode no
> +#   CheckHostIP yes
> +#   AddressFamily any
> +#   ConnectTimeout 0
> +#   StrictHostKeyChecking ask
> +#   IdentityFile ~/.ssh/identity
> +#   IdentityFile ~/.ssh/id_rsa
> +#   IdentityFile ~/.ssh/id_dsa
> +#   Port 22
> +#   Protocol 2,1
> +#   Cipher 3des
> +#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> +#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
> +#   EscapeChar ~
> +#   Tunnel no
> +#   TunnelDevice any:any
> +#   PermitLocalCommand no
> +#   VisualHostKey no
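Review bot: "ForwardAgent yes" and "ForwardX11 yes" under "Host *" turn
on agent and X11 forwarding for every destination, while ssh_config(5)
defaults both to "no". A forwarded agent can be used by anyone with root
on the remote host to authenticate as the user, and a forwarded X11
connection gives the remote side access to the local display. Leave both
lines commented at the upstream default and let users enable them per
host.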
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> new file mode 100644
> index 0000000..753a33b
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> @@ -0,0 +1,11 @@
> +[Unit]
> +Conflicts=sshd.service
> +
> +[Socket]
> +ExecStartPre=/bin/mkdir -p /var/run/sshd
> +ListenStream=22
> +Accept=yes
> +
> +[Install]
> +WantedBy=sockets.target
> +Also=sshdgenkeys.service
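Review bot: with "Accept=yes" each connection gets its own "sshd -i"
instance, so the MaxStartups limit in sshd_config no longer applies,
because no listening sshd is left to enforce it. Set MaxConnections= in
the [Socket] section explicitly so the limit on concurrent connections
is a deliberate choice. The ExecStartPre line also hard-codes /bin/mkdir
and /var/run/sshd instead of taking them from the recipe's directory
variables.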
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> new file mode 100644
> index 0000000..d118490
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> @@ -0,0 +1,9 @@
> +[Unit]
> +Description=OpenSSH Per-Connection Daemon
> +After=sshdgenkeys.service
> +
> +[Service]
> +ExecStart=-/usr/sbin/sshd -i
> +ExecReload=/bin/kill -HUP $MAINPID
> +StandardInput=socket
> +StandardError=syslog
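Review bot: "After=sshdgenkeys.service" only orders the two units, it
does not pull the key generation in, so if sshd.socket is started
without sshdgenkeys.service having been enabled or run, "sshd -i" starts
with no host keys and the "-" prefix on ExecStart hides the failure. Add
"Wants=sshdgenkeys.service" next to the After= line. ExecReload has no
use in a per-connection instance and can be dropped.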
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> new file mode 100644
> index 0000000..4f9b626
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> @@ -0,0 +1,119 @@
> +#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
> +
> +# This is the sshd server system-wide configuration file.  See
> +# sshd_config(5) for more information.
> +
> +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> +
> +# The strategy used for options in the default sshd_config shipped with
> +# OpenSSH is to specify options with their default value where
> +# possible, but leave them commented.  Uncommented options change a
> +# default value.
> +
> +#Port 22
> +#AddressFamily any
> +#ListenAddress 0.0.0.0
> +#ListenAddress ::
> +
> +# Disable legacy (protocol version 1) support in the server for new
> +# installations. In future the default will change to require explicit
> +# activation of protocol 1
> +Protocol 2
> +
> +# HostKey for protocol version 1
> +#HostKey /etc/ssh/ssh_host_key
> +# HostKeys for protocol version 2
> +#HostKey /etc/ssh/ssh_host_rsa_key
> +#HostKey /etc/ssh/ssh_host_dsa_key
> +
> +# Lifetime and size of ephemeral version 1 server key
> +#KeyRegenerationInterval 1h
> +#ServerKeyBits 1024
> +
> +# Logging
> +# obsoletes QuietMode and FascistLogging
> +#SyslogFacility AUTH
> +#LogLevel INFO
> +
> +# Authentication:
> +
> +#LoginGraceTime 2m
> +#PermitRootLogin yes
> +#StrictModes yes
> +#MaxAuthTries 6
> +#MaxSessions 10
> +
> +#RSAAuthentication yes
> +#PubkeyAuthentication yes
> +#AuthorizedKeysFile	.ssh/authorized_keys
> +
> +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> +#RhostsRSAAuthentication no
> +# similar for protocol version 2
> +#HostbasedAuthentication no
> +# Change to yes if you don't trust ~/.ssh/known_hosts for
> +# RhostsRSAAuthentication and HostbasedAuthentication
> +#IgnoreUserKnownHosts no
> +# Don't read the user's ~/.rhosts and ~/.shosts files
> +#IgnoreRhosts yes
> +
> +# To disable tunneled clear text passwords, change to no here!
> +#PasswordAuthentication yes
> +#PermitEmptyPasswords no
> +
> +# Change to no to disable s/key passwords
> +#ChallengeResponseAuthentication yes
> +
> +# Kerberos options
> +#KerberosAuthentication no
> +#KerberosOrLocalPasswd yes
> +#KerberosTicketCleanup yes
> +#KerberosGetAFSToken no
> +
> +# GSSAPI options
> +#GSSAPIAuthentication no
> +#GSSAPICleanupCredentials yes
> +
> +# Set this to 'yes' to enable PAM authentication, account processing, 
> +# and session processing. If this is enabled, PAM authentication will 
> +# be allowed through the ChallengeResponseAuthentication and
> +# PasswordAuthentication.  Depending on your PAM configuration,
> +# PAM authentication via ChallengeResponseAuthentication may bypass
> +# the setting of "PermitRootLogin without-password".
> +# If you just want the PAM account and session checks to run without
> +# PAM authentication, then enable this but set PasswordAuthentication
> +# and ChallengeResponseAuthentication to 'no'.
> +#UsePAM no
> +
> +#AllowAgentForwarding yes
> +#AllowTcpForwarding yes
> +#GatewayPorts no
> +#X11Forwarding no
> +#X11DisplayOffset 10
> +#X11UseLocalhost yes
> +#PrintMotd yes
> +#PrintLastLog yes
> +#TCPKeepAlive yes
> +#UseLogin no
> +UsePrivilegeSeparation yes
> +#PermitUserEnvironment no
> +Compression no
> +ClientAliveInterval 15
> +ClientAliveCountMax 4
> +#UseDNS yes
> +#PidFile /var/run/sshd.pid
> +#MaxStartups 10
> +#PermitTunnel no
> +#ChrootDirectory none
> +
> +# no default banner path
> +#Banner none
> +
> +# override default of no subsystems
> +Subsystem	sftp	/usr/libexec/sftp-server
> +
> +# Example of overriding settings on a per-user basis
> +#Match User anoncvs
> +#	X11Forwarding no
> +#	AllowTcpForwarding no
> +#	ForceCommand cvs server
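Review bot: "#UsePAM no" stays commented, so sshd runs without PAM even
though this patch ships a pam.d file for it and the recipe configures
--with-pam when "pam" is in DISTRO_FEATURES. Unless openssh.inc rewrites
this line at install time, the PAM stack is never consulted; either set
"UsePAM yes" for PAM builds or say in the commit message that it is left
off on purpose.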
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> new file mode 100644
> index 0000000..c717214
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> @@ -0,0 +1,10 @@
> +[Unit]
> +Description=SSH Key Generation
> +
> +[Service]
> +ExecStart=/usr/bin/ssh-keygen -A
> +Type=oneshot
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
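Review bot: ExecStart hard-codes /usr/bin/ssh-keygen, while the recipe
packages the binary as ${bindir}/ssh-keygen in ${PN}-keygen. Use a
placeholder that do_install substitutes with ${bindir}, and keep the
RDEPENDS of ${PN}-sshd on ${PN}-keygen in openssh.inc so the unit can
never be installed without the binary it runs.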
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..15dc078 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -1,112 +1,11 @@
> -SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement"
> -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
> -Ssh (Secure Shell) is a program for logging into a remote machine \
> -and for executing commands on a remote machine."
> -HOMEPAGE = "http://openssh.org"
> -SECTION = "console/network"
> -LICENSE = "BSD"
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
> -
> -PR = "r0"
> -
> -DEPENDS = "zlib openssl"
> -DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
> -
> -RPROVIDES_${PN}-ssh = "ssh"
> -RPROVIDES_${PN}-sshd = "sshd"
> -
> -RCONFLICTS_${PN} = "dropbear"
> -RCONFLICTS_${PN}-sshd = "dropbear"
> -RCONFLICTS_${PN}-keygen = "ssh-keygen"
> -
> -SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> -           file://nostrip.patch \
> -           file://sshd_config \
> -           file://ssh_config \
> -           file://init \
> -           file://openssh-CVE-2011-4327.patch \
> -           file://mac.patch \
> -           ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
> -
> -PAM_SRC_URI = "file://sshd"
> +require openssh.inc
>  
>  SRC_URI[md5sum] = "be46174dcbb77ebb4ea88ef140685de1"
>  SRC_URI[sha256sum] = "7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b"
>  
> -inherit useradd update-rc.d update-alternatives
> -
> -USERADD_PACKAGES = "${PN}-sshd"
> -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
> -INITSCRIPT_PACKAGES = "${PN}-sshd"
> -INITSCRIPT_NAME_${PN}-sshd = "sshd"
> -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
> -
> -PACKAGECONFIG ??= "tcp-wrappers"
> -PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> -
> -inherit autotools
> -
> -# LFS support:
> -CFLAGS += "-D__FILE_OFFSET_BITS=64"
> -export LD = "${CC}"
> -
> -EXTRA_OECONF = "--with-rand-helper=no \
> -                ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> -                --without-zlib-version-check \
> -                --with-privsep-path=/var/run/sshd \
> -                --sysconfdir=${sysconfdir}/ssh \
> -                --with-xauth=/usr/bin/xauth"
> -
> -# This is a workaround for uclibc because including stdio.h
> -# pulls in pthreads.h and causes conflicts in function prototypes.
> -# This results in compilation failure, so unless this is fixed,
> -# disable pam for uclibc.
> -EXTRA_OECONF_append_libc-uclibc=" --without-pam"
> -
> -do_configure_prepend () {
> -	if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
> -		cp aclocal.m4 acinclude.m4
> -	fi
> -}
> -
> -do_compile_append () {
> -	install -m 0644 ${WORKDIR}/sshd_config ${S}/
> -	install -m 0644 ${WORKDIR}/ssh_config ${S}/
> -}
> -
> -do_install_append () {
> -	for i in ${DISTRO_FEATURES};
> -	do
> -		if [ ${i} = "pam" ];  then
> -			install -d ${D}${sysconfdir}/pam.d
> -			install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
> -		fi
> -	done
> -	install -d ${D}${sysconfdir}/init.d
> -	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
> -	rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
> -	rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
> -}
> -
> -ALLOW_EMPTY_${PN} = "1"
> -
> -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> -FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
> -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
> -FILES_${PN}-sftp = "${bindir}/sftp"
> -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> -FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> -
> -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> -RDEPENDS_${PN}-sshd += "${PN}-keygen"
> -
> -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> -
> -ALTERNATIVE_PRIORITY = "90"
> -ALTERNATIVE_${PN}-scp = "scp"
> -ALTERNATIVE_${PN}-ssh = "ssh"
> +SRC_URI += "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> +            file://nostrip.patch \
> +            file://openssh-CVE-2011-4327.patch \
> +            file://mac.patch"
>  
> +PR = "${INC_PR}.0"
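Review bot: the removed do_install_append installed the PAM file with
"install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd"; when
that step moves to openssh.inc with the file renamed to "pam", use mode
0644, since a PAM configuration file has no reason to be executable.
Because this hunk only shows the old body as deleted, also confirm that
USERADD_PARAM_${PN}-sshd and --with-privsep-path=/var/run/sshd arrive
unchanged in the .inc, since the sshd_config in this patch sets
"UsePrivilegeSeparation yes".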
> -- 
> 1.8.1.2
> 
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com
