diff --git a/net/openssh/Makefile b/net/openssh/Makefile
new file mode 100644
index 0000000000..459b7d7a55
--- /dev/null
+++ b/net/openssh/Makefile
@@ -0,0 +1,265 @@ +# +# Copyright (C) 2006-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=openssh +PKG_VERSION:=6.6p1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ + ftp://openbsd.wiretapped.net/pub/OpenBSD/OpenSSH/portable/ \ + ftp://ftp.belnet.be/packages/openbsd/OpenSSH/portable/ \ + ftp://ftp.de.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/ +PKG_MD5SUM:=3e9800e6bca1fbac0eea4d41baa7f239 + + +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) + +PKG_BUILD_DEPENDS:=libopenssl + +include $(INCLUDE_DIR)/package.mk + +define Package/openssh/Default + SECTION:=net + CATEGORY:=Network + DEPENDS:=+libopenssl +zlib +SSP_SUPPORT:libssp + TITLE:=OpenSSH + MAINTAINER:=Peter Wagner + URL:=http://www.openssh.com/ + SUBMENU:=SSH + VARIANT:=without-pam +endef + +define Package/openssh-moduli + $(call Package/openssh/Default) + DEPENDS+= +openssh-keygen + TITLE+= moduli file +endef + +define Package/openssh-moduli/description +OpenSSH server moduli file. +endef + +define Package/openssh-client + $(call Package/openssh/Default) + TITLE+= client +endef + +define Package/openssh-client/description +OpenSSH client. +endef + +define Package/openssh-client/conffiles +/etc/ssh/ssh_config +endef + +define Package/openssh-client-utils + $(call Package/openssh/Default) + DEPENDS+= +openssh-client +openssh-keygen + TITLE+= client utilities +endef + +define Package/openssh-client-utils/description +OpenSSH client utilities. +endef + +define Package/openssh-keygen + $(call Package/openssh/Default) + TITLE+= keygen +endef + +define Package/openssh-keygen/description +OpenSSH keygen. 
+endef + +define Package/openssh-server + $(call Package/openssh/Default) + DEPENDS+= +openssh-keygen + TITLE+= server +endef + +define Package/openssh-server/description +OpenSSH server. +endef + +define Package/openssh-server/conffiles +/etc/ssh/sshd_config +endef + +define Package/openssh-server-pam + $(call Package/openssh/Default) + DEPENDS+= +libpthread +openssh-keygen +libpam + TITLE+= server (with PAM support) + VARIANT:=with-pam +endef + +define Package/openssh-server-pam/description +OpenSSH server (with PAM support). +endef + +define Package/openssh-server-pam/conffiles +/etc/pam.d/sshd +/etc/security/access-sshd-local.conf +/etc/ssh/sshd_config +endef + +define Package/openssh-sftp-client + $(call Package/openssh/Default) + TITLE+= SFTP client +endef + +define Package/openssh-sftp-client/description +OpenSSH SFTP client. +endef + +define Package/openssh-sftp-server + $(call Package/openssh/Default) + TITLE+= SFTP server +endef + +define Package/openssh-sftp-server/description +OpenSSH SFTP server. 
+endef + +CONFIGURE_ARGS+= \ + $(DISABLE_NLS) \ + --sysconfdir=/etc/ssh \ + --with-privsep-user=sshd \ + --with-privsep-path=/var/empty \ + --enable-shared \ + --disable-static \ + --disable-debug \ + --disable-strip \ + --disable-etc-default-login \ + --disable-lastlog \ + --disable-utmp \ + --disable-utmpx \ + --disable-wtmp \ + --disable-wtmpx \ + --without-bsd-auth \ + --without-kerberos5 \ + --without-x + +ifeq ($(BUILD_VARIANT),with-pam) +CONFIGURE_ARGS += \ + --with-pam +else +CONFIGURE_ARGS += \ + --without-pam +endif + +ifeq ($(CONFIG_OPENSSL_ENGINE),y) +CONFIGURE_ARGS+= \ + --with-ssl-engine +endif + +ifneq ($(CONFIG_SSP_SUPPORT),y) +CONFIGURE_ARGS += \ + --without-stackprotect +endif + +CONFIGURE_VARS += LD="$(TARGET_CC)" + +ifeq ($(BUILD_VARIANT),with-pam) +TARGET_LDFLAGS += -lpthread +endif + +define Build/Compile + $(MAKE) -C $(PKG_BUILD_DIR) \ + DESTDIR="$(PKG_INSTALL_DIR)" \ + LIBS="" \ + sftp-server + $(MAKE) -C $(PKG_BUILD_DIR) \ + DESTDIR="$(PKG_INSTALL_DIR)" \ + STRIP_OPT="" \ + all install +endef + +define Package/openssh-client/preinst +#!/bin/sh +if [ -L $${IPKG_INSTROOT}/usr/bin/ssh ] && [ -L $${IPKG_INSTROOT}/usr/bin/scp ]; then + rm -f $${IPKG_INSTROOT}/usr/bin/ssh $${IPKG_INSTROOT}/usr/bin/scp; +fi +exit 0 +endef + +define Package/openssh-client/postrm +#!/bin/sh +rm -f $${IPKG_INSTROOT}/usr/bin/ssh $${IPKG_INSTROOT}/usr/bin/scp; +if [ -x $${IPKG_INSTROOT}/usr/sbin/dropbear ] ; then + ln -s /usr/sbin/dropbear $${IPKG_INSTROOT}/usr/bin/ssh; + ln -s /usr/sbin/dropbear $${IPKG_INSTROOT}/usr/bin/scp; +fi +exit 0 +endef + +define Package/openssh-moduli/install + $(INSTALL_DIR) $(1)/etc/ssh + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/ +endef + +define Package/openssh-client/install + $(INSTALL_DIR) $(1)/etc/ssh + chmod 0700 $(1)/etc/ssh + $(CP) $(PKG_INSTALL_DIR)/etc/ssh/ssh_config $(1)/etc/ssh/ + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ssh $(1)/usr/bin/ + $(INSTALL_BIN) 
$(PKG_INSTALL_DIR)/usr/bin/scp $(1)/usr/bin/ +endef + +define Package/openssh-client-utils/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(foreach bin,add agent keyscan keysign,$(PKG_BUILD_DIR)/ssh-$(bin)) $(1)/usr/bin/ +endef + +define Package/openssh-keygen/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ssh-keygen $(1)/usr/bin/ +endef + +define Package/openssh-server/install + $(INSTALL_DIR) $(1)/etc/ssh + chmod 0700 $(1)/etc/ssh + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/ +endef + +define Package/openssh-server-pam/install + $(call Package/openssh-server/install,$(1)) + sed -i 's,#PasswordAuthentication yes,PasswordAuthentication no,g' $(1)/etc/ssh/sshd_config + sed -i 's,#UsePAM no,UsePAM yes,g' $(1)/etc/ssh/sshd_config + $(INSTALL_DIR) $(1)/etc/pam.d + $(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd + $(INSTALL_DIR) $(1)/etc/security + $(INSTALL_DATA) ./files/sshd.pam-access $(1)/etc/security/access-sshd-local.conf +endef + +define Package/openssh-sftp-client/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sftp $(1)/usr/bin/ +endef + +define Package/openssh-sftp-server/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/sftp-server $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/libexec + ln -sf ../lib/sftp-server $(1)/usr/libexec/sftp-server +endef + +$(eval $(call BuildPackage,openssh-client)) +$(eval $(call BuildPackage,openssh-moduli)) +$(eval $(call BuildPackage,openssh-client-utils)) +$(eval $(call BuildPackage,openssh-keygen)) +$(eval $(call BuildPackage,openssh-server)) +$(eval $(call BuildPackage,openssh-server-pam)) +$(eval $(call BuildPackage,openssh-sftp-client)) +$(eval $(call BuildPackage,openssh-sftp-server)) 
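Review bot: In `Package/openssh-server-pam/install` the two `sed -i` rewrites of `#PasswordAuthentication yes` and `#UsePAM no` silently do nothing if the upstream default `sshd_config` ever phrases those lines differently, so the intended settings (`PasswordAuthentication no`, `UsePAM yes`) would be lost without any build failure. Following each sed with a check such as `grep -q '^PasswordAuthentication no' $(1)/etc/ssh/sshd_config` and `grep -q '^UsePAM yes' $(1)/etc/ssh/sshd_config` makes the recipe fail loudly instead. Separately, `ssh_config` and `sftp-server` are copied with `$(CP)` while `sshd_config` and every other binary go through `$(INSTALL_DATA)`/`$(INSTALL_BIN)`, which leaves their modes to whatever the build tree had rather than a defined value; using the INSTALL_* helpers consistently is preferable. `chmod 0700 $(1)/etc/ssh` in `Package/openssh-client/install` also makes the system-wide `ssh_config` unreadable to non-root users of the client — presumably intended on a root-centric target, but worth a comment on that line.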
diff --git a/net/openssh/files/sshd.init b/net/openssh/files/sshd.init
new file mode 100644
index 0000000000..879df12cdb
--- /dev/null
+++ b/net/openssh/files/sshd.init
@@ -0,0 +1,44 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+START=50
+STOP=50
+
+USE_PROCD=1
+PROG=/usr/sbin/sshd
+
+start_service() {
+ for type in rsa dsa; do {
+ # check for keys
+ key=/etc/ssh/ssh_host_${type}_key
+ [ ! -f $key ] && {
+ # generate missing keys
+ [ -x /usr/bin/ssh-keygen ] && {
+ /usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&-
+ }
+ }
+ }; done
+ user_exists sshd 22 || user_add sshd 22 22 sshd /var/empty
+ group_exists sshd 22 || group_add sshd 22
+ mkdir -m 0700 -p /var/empty
+
+ procd_open_instance
+ procd_set_param command $PROG -D
+ procd_close_instance
+}
+
+shutdown() {
+ local pid
+ local pids
+ local pid_mine
+
+ stop
+
+ # kill active clients
+ pid_mine="$$"
+ pids="$(pidof sshd)"
+ for pid in $pids; do
+ [ "$pid" = "$pid_mine" ] && continue
+ [ -e "/proc/$pid/stat" ] && kill $pid
+ done
+}
diff --git a/net/openssh/files/sshd.pam b/net/openssh/files/sshd.pam
new file mode 100644
index 0000000000..387ff2e080
--- /dev/null
+++ b/net/openssh/files/sshd.pam
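Review bot: `start_service` closes both stdout and stderr of `ssh-keygen` (`2>&- >&-`) and ignores its exit status, so a failed host-key generation (a read-only or full `/etc/ssh`, for instance) leaves no trace before procd launches `sshd`, which is then likely to refuse to start or keep respawning without ever saying why. Redirecting to the log instead, e.g. `/usr/bin/ssh-keygen -N '' -t $type -f $key >/dev/null 2>&1 || logger -t sshd "failed to generate $key"`, keeps the quiet boot but records the failure. The loop variables `type` and `key` are also not declared `local`, unlike the variables in `shutdown()`, so they leak into the rc.common environment; `local type key` at the top of the function matches the rest of the file's style.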
@@ -0,0 +1,41 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so
+
+# Skip Google Authenticator if logging in from the local network.
+# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
+# Google Authenticator 2-step verification.
+# auth requisite pam_google_authenticator.so
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-account
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
+# Standard Un*x password updating.
+password include common-password
diff --git a/net/openssh/files/sshd.pam-access b/net/openssh/files/sshd.pam-access
new file mode 100644
index 0000000000..425ff1194c
--- /dev/null
+++ b/net/openssh/files/sshd.pam-access
@@ -0,0 +1,4 @@
+# Skip Google Authenticator for local network
+#+ : ALL : 192.168.1.0/24
++ : ALL : LOCAL
+- : ALL : ALL
diff --git a/net/openssh/patches/100-no_cast_fix.patch b/net/openssh/patches/100-no_cast_fix.patch
new file mode 100644
index 0000000000..751e5896fe
--- /dev/null
+++ b/net/openssh/patches/100-no_cast_fix.patch
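Review bot: The stack relies on `auth include common-auth`, `account include common-account`, `session include common-session` and `password include common-password`, but nothing in this commit installs `/etc/pam.d/common-*` and the Makefile's `openssh-server-pam` depends only on `libpam`. With Linux-PAM a missing include makes the stack fail to load (fail-closed, so logins are refused rather than silently allowed), but that should be verified against the PAM package actually shipped and, if the files are not provided elsewhere, either added as a dependency or replaced by direct `pam_unix.so` lines. A comment at the top of the file naming where `common-*` is expected to come from, e.g. `# Requires the common-auth/account/session/password stacks from the system PAM package (TODO confirm provider)`, would save the next maintainer the search.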
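Review bot: `access-sshd-local.conf` is installed by `Package/openssh-server-pam/install` and listed as a conffile, but the only line referencing it in `sshd.pam` (`# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf`) is commented out, so the `- : ALL : ALL` deny rule in this file is never evaluated. Either the `pam_access.so` line should be enabled together with the Google Authenticator line it is meant to skip, or this file should carry a comment such as `# Not active: only consulted if the pam_access line in /etc/pam.d/sshd is uncommented` so nobody assumes it enforces anything.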
@@ -0,0 +1,13 @@
+--- a/cipher.c
++++ b/cipher.c
+@@ -80,8 +80,10 @@ static const struct Cipher ciphers[] = {
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "blowfish-cbc",
+ SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
++#ifndef OPENSSL_NO_CAST
+ { "cast128-cbc",
+ SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
++#endif
+ { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+ { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+ { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
diff --git a/net/openssh/patches/130-implicit_memset_decl_fix.patch b/net/openssh/patches/130-implicit_memset_decl_fix.patch
new file mode 100644
index 0000000000..be8bbcf9c4
--- /dev/null
+++ b/net/openssh/patches/130-implicit_memset_decl_fix.patch
@@ -0,0 +1,12 @@
+--- a/includes.h
++++ b/includes.h
+@@ -59,6 +59,9 @@
+ /*
+ *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
+ */
++#ifdef HAVE_STRING_H
++# include
++#endif
+ #ifdef HAVE_STRINGS_H
+ # include
+ #endif
diff --git a/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch b/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch
new file mode 100644
index 0000000000..1319b524a5
--- /dev/null
+++ b/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch
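Review bot: As rendered, both `# include` lines in the 130 patch (the added `HAVE_STRING_H` one and the existing `HAVE_STRINGS_H` one) carry no header name; if the on-disk patch really lacks `<string.h>` the new block declares nothing and the implicit-memset warning the file name refers to remains, so the patch file should be checked rather than trusted from this view. Assuming the name was only lost in rendering, the added block is fine, but a short header above `--- a/includes.h` explaining why `includes.h` needs it here (presumably the target toolchain does not pull `string.h` in transitively) would make the patch self-describing; none of the patches in this commit carries such a description.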
@@ -0,0 +1,84 @@
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -159,7 +159,7 @@ sshpam_sigchld_handler(int sig)
+ }
+ if (WIFSIGNALED(sshpam_thread_status) &&
+ WTERMSIG(sshpam_thread_status) == SIGTERM)
+- return; /* terminated by pthread_cancel */
++ return; /* terminated by pthread2_cancel */
+ if (!WIFEXITED(sshpam_thread_status))
+ sigdie("PAM: authentication thread exited unexpectedly");
+ if (WEXITSTATUS(sshpam_thread_status) != 0)
+@@ -168,14 +168,14 @@ sshpam_sigchld_handler(int sig)
+
+ /* ARGSUSED */
+ static void
+-pthread_exit(void *value)
++pthread2_exit(void *value)
+ {
+ _exit(0);
+ }
+
+ /* ARGSUSED */
+ static int
+-pthread_create(sp_pthread_t *thread, const void *attr,
++pthread2_create(sp_pthread_t *thread, const void *attr,
+ void *(*thread_start)(void *), void *arg)
+ {
+ pid_t pid;
+@@ -201,7 +201,7 @@ pthread_create(sp_pthread_t *thread, con
+ }
+
+ static int
+-pthread_cancel(sp_pthread_t thread)
++pthread2_cancel(sp_pthread_t thread)
+ {
+ signal(SIGCHLD, sshpam_oldsig);
+ return (kill(thread, SIGTERM));
+@@ -209,7 +209,7 @@ pthread_cancel(sp_pthread_t thread)
+
+ /* ARGSUSED */
+ static int
+-pthread_join(sp_pthread_t thread, void **value)
++pthread2_join(sp_pthread_t thread, void **value)
+ {
+ int status;
+
+@@ -510,7 +510,7 @@ sshpam_thread(void *ctxtp)
+ /* XXX - can't do much about an error here */
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
+ buffer_free(&buffer);
+- pthread_exit(NULL);
++ pthread2_exit(NULL);
+
+ auth_fail:
+ buffer_put_cstring(&buffer,
+@@ -521,7 +521,7 @@ sshpam_thread(void *ctxtp)
+ else
+ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ buffer_free(&buffer);
+- pthread_exit(NULL);
++ pthread2_exit(NULL);
+
+ return (NULL); /* Avoid warning for non-pthread case */
+ }
+@@ -533,8 +533,8 @@ sshpam_thread_cleanup(void)
+
+ debug3("PAM: %s entering", __func__);
+ if (ctxt != NULL && ctxt->pam_thread != 0) {
+- pthread_cancel(ctxt->pam_thread);
+- pthread_join(ctxt->pam_thread, NULL);
++ pthread2_cancel(ctxt->pam_thread);
++ pthread2_join(ctxt->pam_thread, NULL);
+ close(ctxt->pam_psock);
+ close(ctxt->pam_csock);
+ memset(ctxt, 0, sizeof(*ctxt));
+@@ -698,7 +698,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ }
+ ctxt->pam_psock = socks[0];
+ ctxt->pam_csock = socks[1];
+- if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
++ if (pthread2_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
+ error("PAM: failed to start authentication thread: %s",
+ strerror(errno));
+ close(socks[0]);
diff --git a/net/openssh/patches/200-dscp-qos.patch b/net/openssh/patches/200-dscp-qos.patch
new file mode 100644
index 0000000000..827a6689dc
--- /dev/null
+++ b/net/openssh/patches/200-dscp-qos.patch
@@ -0,0 +1,21 @@
+--- a/ssh_config
++++ b/ssh_config
+@@ -46,3 +46,6 @@
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
++
++# enable DSCP QoS values (per RFC-4594)
++#IPQoS AF21 AF11
+--- a/sshd_config
++++ b/sshd_config
+@@ -122,6 +122,9 @@ UsePrivilegeSeparation sandbox # Defaul
+ # no default banner path
+ #Banner none
+
++# enable DSCP QoS values (per RFC-4594)
++#IPQoS AF21 AF11
++
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
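Review bot: The patch renames the fork-based `pthread_exit`/`pthread_create`/`pthread_cancel`/`pthread_join` shims in `auth-pam.c` to `pthread2_*` but carries no description of why; the file name suggests the original names collide with the real libpthread symbols when the `with-pam` variant links `-lpthread` (as the Makefile does), and a header before `--- a/auth-pam.c` saying so, e.g. `The fork-based pthread_* fallbacks in auth-pam.c clash with the real libpthread symbols on uClibc; rename them so the non-POSIX-threads build links.`, would let a future maintainer judge whether the patch is still needed on a newer libc. The rename covers only the shim definitions and the call sites shown in these hunks; if the shims are referenced anywhere else in `auth-pam.c` outside the hunks, the patched file would fail to compile, which the commit presumably verified but the header should state.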