1*4882a593SmuzhiyunSUMMARY = "A suite of security-related network utilities based on \ 2*4882a593Smuzhiyunthe SSH protocol including the ssh client and sshd server" 3*4882a593SmuzhiyunDESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ 4*4882a593SmuzhiyunSsh (Secure Shell) is a program for logging into a remote machine \ 5*4882a593Smuzhiyunand for executing commands on a remote machine." 6*4882a593SmuzhiyunHOMEPAGE = "http://www.openssh.com/" 7*4882a593SmuzhiyunSECTION = "console/network" 8*4882a593SmuzhiyunLICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT" 9*4882a593SmuzhiyunLIC_FILES_CHKSUM = "file://LICENCE;md5=8baf365614c9bdd63705f298c9afbfb9" 10*4882a593Smuzhiyun 11*4882a593SmuzhiyunDEPENDS = "zlib openssl virtual/crypt" 12*4882a593SmuzhiyunDEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" 13*4882a593Smuzhiyun 14*4882a593SmuzhiyunSRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ 15*4882a593Smuzhiyun file://sshd_config \ 16*4882a593Smuzhiyun file://ssh_config \ 17*4882a593Smuzhiyun file://init \ 18*4882a593Smuzhiyun ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ 19*4882a593Smuzhiyun file://sshd.socket \ 20*4882a593Smuzhiyun file://sshd@.service \ 21*4882a593Smuzhiyun file://sshdgenkeys.service \ 22*4882a593Smuzhiyun file://volatiles.99_sshd \ 23*4882a593Smuzhiyun file://run-ptest \ 24*4882a593Smuzhiyun file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ 25*4882a593Smuzhiyun file://sshd_check_keys \ 26*4882a593Smuzhiyun file://add-test-support-for-busybox.patch \ 27*4882a593Smuzhiyun file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ 28*4882a593Smuzhiyun file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ 29*4882a593Smuzhiyun " 30*4882a593SmuzhiyunSRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7" 31*4882a593Smuzhiyun 32*4882a593Smuzhiyun# This CVE is specific to OpenSSH with the pam opie which we don't build/use here 33*4882a593SmuzhiyunCVE_CHECK_IGNORE += "CVE-2007-2768" 34*4882a593Smuzhiyun 35*4882a593Smuzhiyun# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 36*4882a593Smuzhiyun# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded 37*4882a593SmuzhiyunCVE_CHECK_IGNORE += "CVE-2014-9278" 38*4882a593Smuzhiyun 39*4882a593Smuzhiyun# CVE only applies to some distributed RHEL binaries 40*4882a593SmuzhiyunCVE_CHECK_IGNORE += "CVE-2008-3844" 41*4882a593Smuzhiyun 42*4882a593SmuzhiyunPAM_SRC_URI = "file://sshd" 43*4882a593Smuzhiyun 44*4882a593Smuzhiyuninherit manpages useradd update-rc.d update-alternatives systemd 45*4882a593Smuzhiyun 46*4882a593SmuzhiyunUSERADD_PACKAGES = "${PN}-sshd" 47*4882a593SmuzhiyunUSERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" 48*4882a593SmuzhiyunINITSCRIPT_PACKAGES = "${PN}-sshd" 49*4882a593SmuzhiyunINITSCRIPT_NAME:${PN}-sshd = "sshd" 50*4882a593SmuzhiyunINITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" 51*4882a593Smuzhiyun 52*4882a593SmuzhiyunSYSTEMD_PACKAGES = "${PN}-sshd" 53*4882a593SmuzhiyunSYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" 54*4882a593Smuzhiyun 55*4882a593Smuzhiyuninherit autotools-brokensep ptest 56*4882a593Smuzhiyun 57*4882a593SmuzhiyunPACKAGECONFIG ??= "" 58*4882a593SmuzhiyunPACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" 59*4882a593SmuzhiyunPACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" 60*4882a593SmuzhiyunPACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" 61*4882a593SmuzhiyunPACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" 62*4882a593Smuzhiyun 63*4882a593SmuzhiyunEXTRA_AUTORECONF += "--exclude=aclocal" 64*4882a593Smuzhiyun 65*4882a593Smuzhiyun# login path is hardcoded in sshd 66*4882a593SmuzhiyunEXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ 67*4882a593Smuzhiyun ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ 68*4882a593Smuzhiyun --without-zlib-version-check \ 69*4882a593Smuzhiyun --with-privsep-path=${localstatedir}/run/sshd \ 70*4882a593Smuzhiyun --sysconfdir=${sysconfdir}/ssh \ 71*4882a593Smuzhiyun --with-xauth=${bindir}/xauth \ 72*4882a593Smuzhiyun --disable-strip \ 73*4882a593Smuzhiyun " 74*4882a593Smuzhiyun 75*4882a593Smuzhiyun# musl doesn't implement wtmp/utmp and logwtmp 76*4882a593SmuzhiyunEXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" 77*4882a593Smuzhiyun 78*4882a593Smuzhiyun# Since we do not depend on libbsd, we do not want configure to use it 79*4882a593Smuzhiyun# just because it finds libutil.h. But, specifying --disable-libutil 80*4882a593Smuzhiyun# causes compile errors, so... 81*4882a593SmuzhiyunCACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" 82*4882a593Smuzhiyun 83*4882a593Smuzhiyun# passwd path is hardcoded in sshd 84*4882a593SmuzhiyunCACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" 85*4882a593Smuzhiyun 86*4882a593Smuzhiyun# We don't want to depend on libblockfile 87*4882a593SmuzhiyunCACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" 88*4882a593Smuzhiyun 89*4882a593Smuzhiyundo_configure:prepend () { 90*4882a593Smuzhiyun export LD="${CC}" 91*4882a593Smuzhiyun install -m 0644 ${WORKDIR}/sshd_config ${B}/ 92*4882a593Smuzhiyun install -m 0644 ${WORKDIR}/ssh_config ${B}/ 93*4882a593Smuzhiyun} 94*4882a593Smuzhiyun 95*4882a593Smuzhiyundo_compile_ptest() { 96*4882a593Smuzhiyun oe_runmake regress-binaries regress-unit-binaries 97*4882a593Smuzhiyun} 98*4882a593Smuzhiyun 99*4882a593Smuzhiyundo_install:append () { 100*4882a593Smuzhiyun if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then 101*4882a593Smuzhiyun install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd 102*4882a593Smuzhiyun sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config 103*4882a593Smuzhiyun fi 104*4882a593Smuzhiyun 105*4882a593Smuzhiyun if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then 106*4882a593Smuzhiyun sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config 107*4882a593Smuzhiyun fi 108*4882a593Smuzhiyun 109*4882a593Smuzhiyun install -d ${D}${sysconfdir}/init.d 110*4882a593Smuzhiyun install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd 111*4882a593Smuzhiyun rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin 112*4882a593Smuzhiyun rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} 113*4882a593Smuzhiyun install -d ${D}/${sysconfdir}/default/volatiles 114*4882a593Smuzhiyun install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd 115*4882a593Smuzhiyun install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} 116*4882a593Smuzhiyun 117*4882a593Smuzhiyun # Create config files for read-only rootfs 118*4882a593Smuzhiyun install -d ${D}${sysconfdir}/ssh 119*4882a593Smuzhiyun install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly 120*4882a593Smuzhiyun sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly 121*4882a593Smuzhiyun echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly 122*4882a593Smuzhiyun echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly 123*4882a593Smuzhiyun echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly 124*4882a593Smuzhiyun 125*4882a593Smuzhiyun install -d ${D}${systemd_system_unitdir} 126*4882a593Smuzhiyun install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} 127*4882a593Smuzhiyun install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} 128*4882a593Smuzhiyun install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} 129*4882a593Smuzhiyun sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ 130*4882a593Smuzhiyun -e 's,@SBINDIR@,${sbindir},g' \ 131*4882a593Smuzhiyun -e 's,@BINDIR@,${bindir},g' \ 132*4882a593Smuzhiyun -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ 133*4882a593Smuzhiyun ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service 134*4882a593Smuzhiyun 135*4882a593Smuzhiyun sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ 136*4882a593Smuzhiyun ${D}${sysconfdir}/init.d/sshd 137*4882a593Smuzhiyun 138*4882a593Smuzhiyun install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys 139*4882a593Smuzhiyun} 140*4882a593Smuzhiyun 141*4882a593Smuzhiyundo_install_ptest () { 142*4882a593Smuzhiyun sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh 143*4882a593Smuzhiyun cp -r regress ${D}${PTEST_PATH} 144*4882a593Smuzhiyun cp config.h ${D}${PTEST_PATH} 145*4882a593Smuzhiyun} 146*4882a593Smuzhiyun 147*4882a593SmuzhiyunALLOW_EMPTY:${PN} = "1" 148*4882a593Smuzhiyun 149*4882a593SmuzhiyunPACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" 150*4882a593SmuzhiyunFILES:${PN}-scp = "${bindir}/scp.${BPN}" 151*4882a593SmuzhiyunFILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" 152*4882a593SmuzhiyunFILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" 153*4882a593SmuzhiyunFILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" 154*4882a593SmuzhiyunFILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" 155*4882a593SmuzhiyunFILES:${PN}-sftp = "${bindir}/sftp" 156*4882a593SmuzhiyunFILES:${PN}-sftp-server = "${libexecdir}/sftp-server" 157*4882a593SmuzhiyunFILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" 158*4882a593SmuzhiyunFILES:${PN}-keygen = "${bindir}/ssh-keygen" 159*4882a593Smuzhiyun 160*4882a593SmuzhiyunRDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" 161*4882a593SmuzhiyunRDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" 162*4882a593Smuzhiyun# break dependency on base package for -dev package 163*4882a593Smuzhiyun# otherwise SDK fails to build as the main openssh and dropbear packages 164*4882a593Smuzhiyun# conflict with each other 165*4882a593SmuzhiyunRDEPENDS:${PN}-dev = "" 166*4882a593Smuzhiyun# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies 167*4882a593SmuzhiyunRDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" 168*4882a593Smuzhiyun 169*4882a593SmuzhiyunRPROVIDES:${PN}-ssh = "ssh" 170*4882a593SmuzhiyunRPROVIDES:${PN}-sshd = "sshd" 171*4882a593Smuzhiyun 172*4882a593SmuzhiyunRCONFLICTS:${PN} = "dropbear" 173*4882a593SmuzhiyunRCONFLICTS:${PN}-sshd = "dropbear" 174*4882a593Smuzhiyun 175*4882a593SmuzhiyunCONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config" 176*4882a593SmuzhiyunCONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config" 177*4882a593Smuzhiyun 178*4882a593SmuzhiyunALTERNATIVE_PRIORITY = "90" 179*4882a593SmuzhiyunALTERNATIVE:${PN}-scp = "scp" 180*4882a593SmuzhiyunALTERNATIVE:${PN}-ssh = "ssh" 181*4882a593Smuzhiyun 182*4882a593SmuzhiyunBBCLASSEXTEND += "nativesdk" 183