[yocto] [PATCH] Restructures the openssh recipe to suport systemd.
Martin Jansa
martin.jansa at gmail.com
Thu Jul 11 05:28:07 PDT 2013
On Thu, Jul 11, 2013 at 11:43:28AM +0200, Markus Hubig wrote:
> + Adds native support for systemd in addition to sysvinit.
> * Splits the huge recipe into an inc and a small bb file.
> * Avoids the installation of the sysvinit files with systemd.
A similar patch is already on the oe-core ML, where it belongs, and patches like
this really need to be sent with the -M flag.
> Signed-off-by: Markus Hubig <mhubig at imko.de>
> ---
> .../openssh/openssh-6.2p2/init | 92 ---------------
> .../openssh/openssh-6.2p2/mac.patch | 76 -------------
> .../openssh/openssh-6.2p2/nostrip.patch | 20 ----
> .../openssh-6.2p2/openssh-CVE-2011-4327.patch | 27 -----
> .../openssh/openssh-6.2p2/ssh_config | 46 --------
> .../openssh/openssh-6.2p2/sshd | 10 --
> .../openssh/openssh-6.2p2/sshd_config | 119 --------------------
> meta/recipes-connectivity/openssh/openssh.inc | 123 +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh/init | 92 +++++++++++++++
> .../recipes-connectivity/openssh/openssh/mac.patch | 76 +++++++++++++
> .../openssh/openssh/nostrip.patch | 20 ++++
> .../openssh/openssh/openssh-CVE-2011-4327.patch | 27 +++++
> meta/recipes-connectivity/openssh/openssh/pam | 10 ++
> .../openssh/openssh/ssh_config | 46 ++++++++
> .../openssh/openssh/sshd.socket | 11 ++
> .../openssh/openssh/sshd at .service | 9 ++
> .../openssh/openssh/sshd_config | 119 ++++++++++++++++++++
> .../openssh/openssh/sshdgenkeys.service | 10 ++
> meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 113 +------------------
> 19 files changed, 549 insertions(+), 497 deletions(-)
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/init
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
> delete mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> create mode 100644 meta/recipes-connectivity/openssh/openssh.inc
> create mode 100644 meta/recipes-connectivity/openssh/openssh/init
> create mode 100644 meta/recipes-connectivity/openssh/openssh/mac.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/nostrip.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/pam
> create mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
> create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd.socket
> create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd at .service
> create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
> create mode 100644 meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
>
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
> deleted file mode 100644
> index 6beec84..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/init
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -#! /bin/sh
> -set -e
> -
> -# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
> -
> -test -x /usr/sbin/sshd || exit 0
> -( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
> -
> -if test -f /etc/default/ssh; then
> - . /etc/default/ssh
> -fi
> -
> -check_for_no_start() {
> - # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
> - if [ -e /etc/ssh/sshd_not_to_be_run ]; then
> - echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
> - exit 0
> - fi
> -}
> -
> -check_privsep_dir() {
> - # Create the PrivSep empty dir if necessary
> - if [ ! -d /var/run/sshd ]; then
> - mkdir /var/run/sshd
> - chmod 0755 /var/run/sshd
> - fi
> -}
> -
> -check_config() {
> - /usr/sbin/sshd -t || exit 1
> -}
> -
> -check_keys() {
> - # create keys if necessary
> - if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
> - echo " generating ssh RSA key..."
> - ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> - fi
> - if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
> - echo " generating ssh ECDSA key..."
> - ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> - fi
> - if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
> - echo " generating ssh DSA key..."
> - ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
> - fi
> -}
> -
> -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> -
> -case "$1" in
> - start)
> - check_for_no_start
> - echo "Starting OpenBSD Secure Shell server: sshd"
> - check_keys
> - check_privsep_dir
> - start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> - echo "done."
> - ;;
> - stop)
> - echo -n "Stopping OpenBSD Secure Shell server: sshd"
> - start-stop-daemon -K -x /usr/sbin/sshd
> - echo "."
> - ;;
> -
> - reload|force-reload)
> - check_for_no_start
> - check_keys
> - check_config
> - echo -n "Reloading OpenBSD Secure Shell server's configuration"
> - start-stop-daemon -K -s 1 -x /usr/sbin/sshd
> - echo "."
> - ;;
> -
> - restart)
> - check_keys
> - check_config
> - echo -n "Restarting OpenBSD Secure Shell server: sshd"
> - start-stop-daemon -K --oknodo -x /usr/sbin/sshd
> - check_for_no_start
> - check_privsep_dir
> - sleep 2
> - start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> - echo "."
> - ;;
> -
> - *)
> - echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
> - exit 1
> -esac
> -
> -exit 0
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
> deleted file mode 100644
> index 69fb69d..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/mac.patch
> +++ /dev/null
> @@ -1,76 +0,0 @@
> -[PATCH] force the MAC output to be 64-bit aligned
> -
> -Upstream-Status: Backport[anoncvs.mindrot.org/index.cgi/openssh/mac.c?r1=1.27&r2=1.28]
> -
> -Backport patch to fix segment fault due to unaligned memory access
> -
> -Wed Jun 5 22:12:37 2013 UTC (7 days, 3 hours ago) by dtucker
> -Branch: MAIN
> -CVS Tags: HEAD
> -Changes since 1.27: +11 -8 lines
> -Diff to previous 1.27
> -
> - - dtucker at cvs.openbsd.org 2013/06/03 00:03:18
> - [mac.c]
> - force the MAC output to be 64-bit aligned so umac won't see
> -unaligned
> - accesses on strict-alignment architectures. bz#2101, patch from
> - tomas.kuthan at oracle.com, ok djm@
> ----
> - mac.c | 18 +++++++++++-------
> - 1 file changed, 11 insertions(+), 7 deletions(-)
> -
> -diff --git a/mac.c b/mac.c
> -index 3f2dc6f..a5a80d3 100644
> ---- a/mac.c
> -+++ b/mac.c
> -@@ -152,12 +152,16 @@ mac_init(Mac *mac)
> - u_char *
> - mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> - {
> -- static u_char m[EVP_MAX_MD_SIZE];
> -+ static union {
> -+ u_char m[EVP_MAX_MD_SIZE];
> -+ u_int64_t for_align;
> -+ } u;
> -+
> - u_char b[4], nonce[8];
> -
> -- if (mac->mac_len > sizeof(m))
> -+ if (mac->mac_len > sizeof(u))
> - fatal("mac_compute: mac too long %u %lu",
> -- mac->mac_len, (u_long)sizeof(m));
> -+ mac->mac_len, (u_long)sizeof(u));
> -
> - switch (mac->type) {
> - case SSH_EVP:
> -@@ -166,22 +170,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> - HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
> - HMAC_Update(&mac->evp_ctx, b, sizeof(b));
> - HMAC_Update(&mac->evp_ctx, data, datalen);
> -- HMAC_Final(&mac->evp_ctx, m, NULL);
> -+ HMAC_Final(&mac->evp_ctx, u.m, NULL);
> - break;
> - case SSH_UMAC:
> - put_u64(nonce, seqno);
> - umac_update(mac->umac_ctx, data, datalen);
> -- umac_final(mac->umac_ctx, m, nonce);
> -+ umac_final(mac->umac_ctx, u.m, nonce);
> - break;
> - case SSH_UMAC128:
> - put_u64(nonce, seqno);
> - umac128_update(mac->umac_ctx, data, datalen);
> -- umac128_final(mac->umac_ctx, m, nonce);
> -+ umac128_final(mac->umac_ctx, u.m, nonce);
> - break;
> - default:
> - fatal("mac_compute: unknown MAC type");
> - }
> -- return (m);
> -+ return (u.m);
> - }
> -
> - void
> ---
> -1.7.9.5
> -
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
> deleted file mode 100644
> index 33111f5..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/nostrip.patch
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -Disable stripping binaries during make install.
> -
> -Upstream-Status: Inappropriate [configuration]
> -
> -Build system specific.
> -
> -Signed-off-by: Scott Garman <scott.a.garman at intel.com>
> -
> -diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
> ---- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
> -+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
> -@@ -29,7 +29,7 @@
> - RAND_HELPER=$(libexecdir)/ssh-rand-helper
> - PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> --STRIP_OPT=@STRIP_OPT@
> -+STRIP_OPT=
> -
> - PATHS= -DSSHDIR=\"$(sysconfdir)\" \
> - -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
> deleted file mode 100644
> index 8489edc..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/openssh-CVE-2011-4327.patch
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -openssh-CVE-2011-4327
> -
> -A security flaw was found in the way ssh-keysign,
> -a ssh helper program for host based authentication,
> -attempted to retrieve enough entropy information on configurations that
> -lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> -be executed to retrieve the entropy from the system environment).
> -A local attacker could use this flaw to obtain unauthorized access to host keys
> -via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
> -
> -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> -http://www.openssh.com/txt/portable-keysign-rand-helper.adv
> -
> -Signed-off-by: Li Wang <li.wang at windriver.com>
> ---- a/ssh-keysign.c
> -+++ b/ssh-keysign.c
> -@@ -170,6 +170,10 @@
> - key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
> - key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
> - key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
> -+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
> -+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
> -+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
> -+ fatal("fcntl failed");
> -
> - original_real_uid = getuid(); /* XXX readconf.c needs this */
> - if ((pw = getpwuid(original_real_uid)) == NULL)
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
> deleted file mode 100644
> index 4a4a649..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/ssh_config
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
> -
> -# This is the ssh client system-wide configuration file. See
> -# ssh_config(5) for more information. This file provides defaults for
> -# users, and the values can be changed in per-user configuration files
> -# or on the command line.
> -
> -# Configuration data is parsed as follows:
> -# 1. command line options
> -# 2. user-specific file
> -# 3. system-wide file
> -# Any configuration value is only changed the first time it is set.
> -# Thus, host-specific definitions should be at the beginning of the
> -# configuration file, and defaults at the end.
> -
> -# Site-wide defaults for some commonly used options. For a comprehensive
> -# list of available options, their meanings and defaults, please see the
> -# ssh_config(5) man page.
> -
> -Host *
> - ForwardAgent yes
> - ForwardX11 yes
> -# RhostsRSAAuthentication no
> -# RSAAuthentication yes
> -# PasswordAuthentication yes
> -# HostbasedAuthentication no
> -# GSSAPIAuthentication no
> -# GSSAPIDelegateCredentials no
> -# BatchMode no
> -# CheckHostIP yes
> -# AddressFamily any
> -# ConnectTimeout 0
> -# StrictHostKeyChecking ask
> -# IdentityFile ~/.ssh/identity
> -# IdentityFile ~/.ssh/id_rsa
> -# IdentityFile ~/.ssh/id_dsa
> -# Port 22
> -# Protocol 2,1
> -# Cipher 3des
> -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> -# MACs hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
> -# EscapeChar ~
> -# Tunnel no
> -# TunnelDevice any:any
> -# PermitLocalCommand no
> -# VisualHostKey no
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
> deleted file mode 100644
> index 4882e58..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd
> +++ /dev/null
> @@ -1,10 +0,0 @@
> -#%PAM-1.0
> -
> -auth include common-auth
> -account required pam_nologin.so
> -account include common-account
> -password include common-password
> -session optional pam_keyinit.so force revoke
> -session include common-session
> -session required pam_loginuid.so
> -
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> deleted file mode 100644
> index 4f9b626..0000000
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> +++ /dev/null
> @@ -1,119 +0,0 @@
> -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
> -
> -# This is the sshd server system-wide configuration file. See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented. Uncommented options change a
> -# default value.
> -
> -#Port 22
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> -#ListenAddress ::
> -
> -# Disable legacy (protocol version 1) support in the server for new
> -# installations. In future the default will change to require explicit
> -# activation of protocol 1
> -Protocol 2
> -
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> -#HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_dsa_key
> -
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 1024
> -
> -# Logging
> -# obsoletes QuietMode and FascistLogging
> -#SyslogFacility AUTH
> -#LogLevel INFO
> -
> -# Authentication:
> -
> -#LoginGraceTime 2m
> -#PermitRootLogin yes
> -#StrictModes yes
> -#MaxAuthTries 6
> -#MaxSessions 10
> -
> -#RSAAuthentication yes
> -#PubkeyAuthentication yes
> -#AuthorizedKeysFile .ssh/authorized_keys
> -
> -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
> -#HostbasedAuthentication no
> -# Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> -#IgnoreUserKnownHosts no
> -# Don't read the user's ~/.rhosts and ~/.shosts files
> -#IgnoreRhosts yes
> -
> -# To disable tunneled clear text passwords, change to no here!
> -#PasswordAuthentication yes
> -#PermitEmptyPasswords no
> -
> -# Change to no to disable s/key passwords
> -#ChallengeResponseAuthentication yes
> -
> -# Kerberos options
> -#KerberosAuthentication no
> -#KerberosOrLocalPasswd yes
> -#KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
> -
> -# GSSAPI options
> -#GSSAPIAuthentication no
> -#GSSAPICleanupCredentials yes
> -
> -# Set this to 'yes' to enable PAM authentication, account processing,
> -# and session processing. If this is enabled, PAM authentication will
> -# be allowed through the ChallengeResponseAuthentication and
> -# PasswordAuthentication. Depending on your PAM configuration,
> -# PAM authentication via ChallengeResponseAuthentication may bypass
> -# the setting of "PermitRootLogin without-password".
> -# If you just want the PAM account and session checks to run without
> -# PAM authentication, then enable this but set PasswordAuthentication
> -# and ChallengeResponseAuthentication to 'no'.
> -#UsePAM no
> -
> -#AllowAgentForwarding yes
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> -#X11Forwarding no
> -#X11DisplayOffset 10
> -#X11UseLocalhost yes
> -#PrintMotd yes
> -#PrintLastLog yes
> -#TCPKeepAlive yes
> -#UseLogin no
> -UsePrivilegeSeparation yes
> -#PermitUserEnvironment no
> -Compression no
> -ClientAliveInterval 15
> -ClientAliveCountMax 4
> -#UseDNS yes
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10
> -#PermitTunnel no
> -#ChrootDirectory none
> -
> -# no default banner path
> -#Banner none
> -
> -# override default of no subsystems
> -Subsystem sftp /usr/libexec/sftp-server
> -
> -# Example of overriding settings on a per-user basis
> -#Match User anoncvs
> -# X11Forwarding no
> -# AllowTcpForwarding no
> -# ForceCommand cvs server
> diff --git a/meta/recipes-connectivity/openssh/openssh.inc b/meta/recipes-connectivity/openssh/openssh.inc
> new file mode 100644
> index 0000000..c51b65c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh.inc
> @@ -0,0 +1,123 @@
> +SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement"
> +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
> +Ssh (Secure Shell) is a program for logging into a remote machine \
> +and for executing commands on a remote machine."
> +HOMEPAGE = "http://openssh.org"
> +SECTION = "console/network"
> +LICENSE = "BSD"
> +LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
> +
> +INC_PR = "r1"
> +
> +DEPENDS = "zlib openssl"
> +DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
> +
> +RPROVIDES_${PN}-ssh = "ssh"
> +RPROVIDES_${PN}-sshd = "sshd"
> +
> +RCONFLICTS_${PN} = "dropbear"
> +RCONFLICTS_${PN}-sshd = "dropbear"
> +RCONFLICTS_${PN}-keygen = "ssh-keygen"
> +
> +INITSCRIPT_PACKAGES = "${PN}-sshd"
> +INITSCRIPT_NAME_${PN}-sshd = "sshd"
> +INITSCRIPT_PARAMS = "defaults 9"
> +
> +SYSTEMD_PACKAGES = "${PN}-sshd"
> +SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
> +
> +USERADD_PACKAGES = "${PN}-sshd"
> +USERADD_PARAM_${PN}-sshd = "--system \
> + --no-create-home \
> + --home-dir /var/run/sshd \
> + --shell /bin/false \
> + --user-group sshd"
> +
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> +SRC_URI = "file://sshd_config \
> + file://ssh_config \
> + file://sshd.socket \
> + file://sshd@.service \
> + file://sshdgenkeys.service \
> + file://init \
> + file://pam \
> + "
> +
> +inherit autotools useradd update-rc.d update-alternatives systemd
> +
> +# LFS support:
> +CFLAGS += "-D__FILE_OFFSET_BITS=64"
> +export LD = "${CC}"
> +
> +EXTRA_OECONF = "--with-rand-helper=no \
> + ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> + --without-zlib-version-check \
> + --with-privsep-path=/var/run/sshd \
> + --sysconfdir=${sysconfdir}/ssh \
> + --with-xauth=/usr/bin/xauth"
> +
> +# This is a workaround for uclibc because including stdio.h
> +# pulls in pthreads.h and causes conflicts in function prototypes.
> +# This results in compilation failure, so unless this is fixed,
> +# disable pam for uclibc.
> +EXTRA_OECONF_append_libc-uclibc=" --without-pam"
> +
> +do_configure_prepend () {
> + if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
> + cp aclocal.m4 acinclude.m4
> + fi
> +}
> +
> +do_compile_append () {
> + install -m 0644 ${WORKDIR}/sshd_config ${S}/
> + install -m 0644 ${WORKDIR}/ssh_config ${S}/
> +}
> +
> +do_install_append () {
> +
> + if ${@base_contains('DISTRO_FEATURES','pam','true','false',d)}; then
> + install -d ${D}${sysconfdir}/pam.d
> + install -m 0755 ${WORKDIR}/pam ${D}${sysconfdir}/pam.d/sshd
> + fi
> +
> + if ${@base_contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
> + install -d ${D}${sysconfdir}/init.d
> + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
> + fi
> +
> + if ${@base_contains('DISTRO_FEATURES','systemd','true','false',d)}; then
> + install -d ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshd at .service ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system
> + fi
> +
> + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
> + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
> +}
> +
> +ALLOW_EMPTY_${PN} = "1"
> +
> +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> +
> +FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> +FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> +FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
> +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
> +FILES_${PN}-sshd += "${systemd_unitdir}/system/sshd.socket"
> +FILES_${PN}-sftp = "${bindir}/sftp"
> +FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> +FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> +FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> +
> +RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> +RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +
> +CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> +CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> +
> +ALTERNATIVE_PRIORITY = "90"
> +ALTERNATIVE_${PN}-scp = "scp"
> +ALTERNATIVE_${PN}-ssh = "ssh"
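Review bot: In do_install_append the PAM stack is installed with `install -m 0755 ${WORKDIR}/pam ${D}${sysconfdir}/pam.d/sshd`; a PAM configuration file is data and needs no execute bits, so `-m 0644` is the right mode, matching the unit files installed a few lines below. Separately, SRC_URI in this include lists only the config, unit, init and pam files, so mac.patch, nostrip.patch and openssh-CVE-2011-4327.patch have to be added by openssh_6.2p2.bb, whose hunk is outside this view. It is worth confirming that the CVE fix is still applied after the split, since a patch that is moved but no longer listed is silently dropped from the build.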
> diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init
> new file mode 100644
> index 0000000..6beec84
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/init
> @@ -0,0 +1,92 @@
> +#! /bin/sh
> +set -e
> +
> +# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
> +
> +test -x /usr/sbin/sshd || exit 0
> +( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
> +
> +if test -f /etc/default/ssh; then
> + . /etc/default/ssh
> +fi
> +
> +check_for_no_start() {
> + # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
> + if [ -e /etc/ssh/sshd_not_to_be_run ]; then
> + echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
> + exit 0
> + fi
> +}
> +
> +check_privsep_dir() {
> + # Create the PrivSep empty dir if necessary
> + if [ ! -d /var/run/sshd ]; then
> + mkdir /var/run/sshd
> + chmod 0755 /var/run/sshd
> + fi
> +}
> +
> +check_config() {
> + /usr/sbin/sshd -t || exit 1
> +}
> +
> +check_keys() {
> + # create keys if necessary
> + if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
> + echo " generating ssh RSA key..."
> + ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> + fi
> + if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
> + echo " generating ssh ECDSA key..."
> + ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> + fi
> + if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
> + echo " generating ssh DSA key..."
> + ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
> + fi
> +}
> +
> +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> +
> +case "$1" in
> + start)
> + check_for_no_start
> + echo "Starting OpenBSD Secure Shell server: sshd"
> + check_keys
> + check_privsep_dir
> + start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> + echo "done."
> + ;;
> + stop)
> + echo -n "Stopping OpenBSD Secure Shell server: sshd"
> + start-stop-daemon -K -x /usr/sbin/sshd
> + echo "."
> + ;;
> +
> + reload|force-reload)
> + check_for_no_start
> + check_keys
> + check_config
> + echo -n "Reloading OpenBSD Secure Shell server's configuration"
> + start-stop-daemon -K -s 1 -x /usr/sbin/sshd
> + echo "."
> + ;;
> +
> + restart)
> + check_keys
> + check_config
> + echo -n "Restarting OpenBSD Secure Shell server: sshd"
> + start-stop-daemon -K --oknodo -x /usr/sbin/sshd
> + check_for_no_start
> + check_privsep_dir
> + sleep 2
> + start-stop-daemon -S -x /usr/sbin/sshd -- $SSHD_OPTS
> + echo "."
> + ;;
> +
> + *)
> + echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
> + exit 1
> +esac
> +
> +exit 0
> diff --git a/meta/recipes-connectivity/openssh/openssh/mac.patch b/meta/recipes-connectivity/openssh/openssh/mac.patch
> new file mode 100644
> index 0000000..69fb69d
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/mac.patch
> @@ -0,0 +1,76 @@
> +[PATCH] force the MAC output to be 64-bit aligned
> +
> +Upstream-Status: Backport[anoncvs.mindrot.org/index.cgi/openssh/mac.c?r1=1.27&r2=1.28]
> +
> +Backport patch to fix segment fault due to unaligned memory access
> +
> +Wed Jun 5 22:12:37 2013 UTC (7 days, 3 hours ago) by dtucker
> +Branch: MAIN
> +CVS Tags: HEAD
> +Changes since 1.27: +11 -8 lines
> +Diff to previous 1.27
> +
> + - dtucker at cvs.openbsd.org 2013/06/03 00:03:18
> + [mac.c]
> + force the MAC output to be 64-bit aligned so umac won't see
> +unaligned
> + accesses on strict-alignment architectures. bz#2101, patch from
> + tomas.kuthan at oracle.com, ok djm@
> +---
> + mac.c | 18 +++++++++++-------
> + 1 file changed, 11 insertions(+), 7 deletions(-)
> +
> +diff --git a/mac.c b/mac.c
> +index 3f2dc6f..a5a80d3 100644
> +--- a/mac.c
> ++++ b/mac.c
> +@@ -152,12 +152,16 @@ mac_init(Mac *mac)
> + u_char *
> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + {
> +- static u_char m[EVP_MAX_MD_SIZE];
> ++ static union {
> ++ u_char m[EVP_MAX_MD_SIZE];
> ++ u_int64_t for_align;
> ++ } u;
> ++
> + u_char b[4], nonce[8];
> +
> +- if (mac->mac_len > sizeof(m))
> ++ if (mac->mac_len > sizeof(u))
> + fatal("mac_compute: mac too long %u %lu",
> +- mac->mac_len, (u_long)sizeof(m));
> ++ mac->mac_len, (u_long)sizeof(u));
> +
> + switch (mac->type) {
> + case SSH_EVP:
> +@@ -166,22 +170,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
> + HMAC_Update(&mac->evp_ctx, b, sizeof(b));
> + HMAC_Update(&mac->evp_ctx, data, datalen);
> +- HMAC_Final(&mac->evp_ctx, m, NULL);
> ++ HMAC_Final(&mac->evp_ctx, u.m, NULL);
> + break;
> + case SSH_UMAC:
> + put_u64(nonce, seqno);
> + umac_update(mac->umac_ctx, data, datalen);
> +- umac_final(mac->umac_ctx, m, nonce);
> ++ umac_final(mac->umac_ctx, u.m, nonce);
> + break;
> + case SSH_UMAC128:
> + put_u64(nonce, seqno);
> + umac128_update(mac->umac_ctx, data, datalen);
> +- umac128_final(mac->umac_ctx, m, nonce);
> ++ umac128_final(mac->umac_ctx, u.m, nonce);
> + break;
> + default:
> + fatal("mac_compute: unknown MAC type");
> + }
> +- return (m);
> ++ return (u.m);
> + }
> +
> + void
> +--
> +1.7.9.5
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
> new file mode 100644
> index 0000000..33111f5
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
> @@ -0,0 +1,20 @@
> +Disable stripping binaries during make install.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Build system specific.
> +
> +Signed-off-by: Scott Garman <scott.a.garman at intel.com>
> +
> +diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
> +--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
> ++++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
> +@@ -29,7 +29,7 @@
> + RAND_HELPER=$(libexecdir)/ssh-rand-helper
> + PRIVSEP_PATH=@PRIVSEP_PATH@
> + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> +-STRIP_OPT=@STRIP_OPT@
> ++STRIP_OPT=
> +
> + PATHS= -DSSHDIR=\"$(sysconfdir)\" \
> + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
> diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
> new file mode 100644
> index 0000000..8489edc
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
> @@ -0,0 +1,27 @@
> +openssh-CVE-2011-4327
> +
> +A security flaw was found in the way ssh-keysign,
> +a ssh helper program for host based authentication,
> +attempted to retrieve enough entropy information on configurations that
> +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> +be executed to retrieve the entropy from the system environment).
> +A local attacker could use this flaw to obtain unauthorized access to host keys
> +via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
> +
> +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> +http://www.openssh.com/txt/portable-keysign-rand-helper.adv
> +
> +Signed-off-by: Li Wang <li.wang at windriver.com>
> +--- a/ssh-keysign.c
> ++++ b/ssh-keysign.c
> +@@ -170,6 +170,10 @@
> + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
> + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
> + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
> ++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
> ++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
> ++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
> ++ fatal("fcntl failed");
> +
> + original_real_uid = getuid(); /* XXX readconf.c needs this */
> + if ((pw = getpwuid(original_real_uid)) == NULL)
> diff --git a/meta/recipes-connectivity/openssh/openssh/pam b/meta/recipes-connectivity/openssh/openssh/pam
> new file mode 100644
> index 0000000..4882e58
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/pam
> @@ -0,0 +1,10 @@
> +#%PAM-1.0
> +
> +auth include common-auth
> +account required pam_nologin.so
> +account include common-account
> +password include common-password
> +session optional pam_keyinit.so force revoke
> +session include common-session
> +session required pam_loginuid.so
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> new file mode 100644
> index 0000000..4a4a649
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> @@ -0,0 +1,46 @@
> +# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
> +
> +# This is the ssh client system-wide configuration file. See
> +# ssh_config(5) for more information. This file provides defaults for
> +# users, and the values can be changed in per-user configuration files
> +# or on the command line.
> +
> +# Configuration data is parsed as follows:
> +# 1. command line options
> +# 2. user-specific file
> +# 3. system-wide file
> +# Any configuration value is only changed the first time it is set.
> +# Thus, host-specific definitions should be at the beginning of the
> +# configuration file, and defaults at the end.
> +
> +# Site-wide defaults for some commonly used options. For a comprehensive
> +# list of available options, their meanings and defaults, please see the
> +# ssh_config(5) man page.
> +
> +Host *
> + ForwardAgent yes
> + ForwardX11 yes
> +# RhostsRSAAuthentication no
> +# RSAAuthentication yes
> +# PasswordAuthentication yes
> +# HostbasedAuthentication no
> +# GSSAPIAuthentication no
> +# GSSAPIDelegateCredentials no
> +# BatchMode no
> +# CheckHostIP yes
> +# AddressFamily any
> +# ConnectTimeout 0
> +# StrictHostKeyChecking ask
> +# IdentityFile ~/.ssh/identity
> +# IdentityFile ~/.ssh/id_rsa
> +# IdentityFile ~/.ssh/id_dsa
> +# Port 22
> +# Protocol 2,1
> +# Cipher 3des
> +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> +# MACs hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
> +# EscapeChar ~
> +# Tunnel no
> +# TunnelDevice any:any
> +# PermitLocalCommand no
> +# VisualHostKey no
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> new file mode 100644
> index 0000000..753a33b
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> @@ -0,0 +1,11 @@
> +[Unit]
> +Conflicts=sshd.service
> +
> +[Socket]
> +ExecStartPre=/bin/mkdir -p /var/run/sshd
> +ListenStream=22
> +Accept=yes
> +
> +[Install]
> +WantedBy=sockets.target
> +Also=sshdgenkeys.service
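Review bot: The [Socket] section sets no `MaxConnections=`, so the number of concurrent per-connection sshd instances is left at systemd's default. With `Accept=yes` there is no long-running listener, so as far as I can tell sshd's own `MaxStartups` throttling of unauthenticated connections never comes into play and this unit is the only cap. I would set `MaxConnections=` explicitly to a value sized for the target and document it, e.g. `# Caps concurrent sshd@ instances; MaxStartups in sshd_config is not applied in inetd mode.`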
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd at .service b/meta/recipes-connectivity/openssh/openssh/sshd at .service
> new file mode 100644
> index 0000000..d118490
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd at .service
> @@ -0,0 +1,9 @@
> +[Unit]
> +Description=OpenSSH Per-Connection Daemon
> +After=sshdgenkeys.service
> +
> +[Service]
> +ExecStart=-/usr/sbin/sshd -i
> +ExecReload=/bin/kill -HUP $MAINPID
> +StandardInput=socket
> +StandardError=syslog
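Review bot: `After=sshdgenkeys.service` in [Unit] only orders the two units and does not pull key generation in. If sshdgenkeys.service is not enabled or not yet queued, `sshd -i` starts without host keys, and the leading `-` on `ExecStart` hides the failure. Adding `Wants=sshdgenkeys.service` under [Unit] would make the dependency explicit. Separately, `ExecReload=/bin/kill -HUP $MAINPID` on a per-connection instance would most likely end that user's session rather than reload anything, so it is worth dropping unless there is a reason for it.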
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> new file mode 100644
> index 0000000..4f9b626
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> @@ -0,0 +1,119 @@
> +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
> +
> +# This is the sshd server system-wide configuration file. See
> +# sshd_config(5) for more information.
> +
> +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> +
> +# The strategy used for options in the default sshd_config shipped with
> +# OpenSSH is to specify options with their default value where
> +# possible, but leave them commented. Uncommented options change a
> +# default value.
> +
> +#Port 22
> +#AddressFamily any
> +#ListenAddress 0.0.0.0
> +#ListenAddress ::
> +
> +# Disable legacy (protocol version 1) support in the server for new
> +# installations. In future the default will change to require explicit
> +# activation of protocol 1
> +Protocol 2
> +
> +# HostKey for protocol version 1
> +#HostKey /etc/ssh/ssh_host_key
> +# HostKeys for protocol version 2
> +#HostKey /etc/ssh/ssh_host_rsa_key
> +#HostKey /etc/ssh/ssh_host_dsa_key
> +
> +# Lifetime and size of ephemeral version 1 server key
> +#KeyRegenerationInterval 1h
> +#ServerKeyBits 1024
> +
> +# Logging
> +# obsoletes QuietMode and FascistLogging
> +#SyslogFacility AUTH
> +#LogLevel INFO
> +
> +# Authentication:
> +
> +#LoginGraceTime 2m
> +#PermitRootLogin yes
> +#StrictModes yes
> +#MaxAuthTries 6
> +#MaxSessions 10
> +
> +#RSAAuthentication yes
> +#PubkeyAuthentication yes
> +#AuthorizedKeysFile .ssh/authorized_keys
> +
> +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> +#RhostsRSAAuthentication no
> +# similar for protocol version 2
> +#HostbasedAuthentication no
> +# Change to yes if you don't trust ~/.ssh/known_hosts for
> +# RhostsRSAAuthentication and HostbasedAuthentication
> +#IgnoreUserKnownHosts no
> +# Don't read the user's ~/.rhosts and ~/.shosts files
> +#IgnoreRhosts yes
> +
> +# To disable tunneled clear text passwords, change to no here!
> +#PasswordAuthentication yes
> +#PermitEmptyPasswords no
> +
> +# Change to no to disable s/key passwords
> +#ChallengeResponseAuthentication yes
> +
> +# Kerberos options
> +#KerberosAuthentication no
> +#KerberosOrLocalPasswd yes
> +#KerberosTicketCleanup yes
> +#KerberosGetAFSToken no
> +
> +# GSSAPI options
> +#GSSAPIAuthentication no
> +#GSSAPICleanupCredentials yes
> +
> +# Set this to 'yes' to enable PAM authentication, account processing,
> +# and session processing. If this is enabled, PAM authentication will
> +# be allowed through the ChallengeResponseAuthentication and
> +# PasswordAuthentication. Depending on your PAM configuration,
> +# PAM authentication via ChallengeResponseAuthentication may bypass
> +# the setting of "PermitRootLogin without-password".
> +# If you just want the PAM account and session checks to run without
> +# PAM authentication, then enable this but set PasswordAuthentication
> +# and ChallengeResponseAuthentication to 'no'.
> +#UsePAM no
> +
> +#AllowAgentForwarding yes
> +#AllowTcpForwarding yes
> +#GatewayPorts no
> +#X11Forwarding no
> +#X11DisplayOffset 10
> +#X11UseLocalhost yes
> +#PrintMotd yes
> +#PrintLastLog yes
> +#TCPKeepAlive yes
> +#UseLogin no
> +UsePrivilegeSeparation yes
> +#PermitUserEnvironment no
> +Compression no
> +ClientAliveInterval 15
> +ClientAliveCountMax 4
> +#UseDNS yes
> +#PidFile /var/run/sshd.pid
> +#MaxStartups 10
> +#PermitTunnel no
> +#ChrootDirectory none
> +
> +# no default banner path
> +#Banner none
> +
> +# override default of no subsystems
> +Subsystem sftp /usr/libexec/sftp-server
> +
> +# Example of overriding settings on a per-user basis
> +#Match User anoncvs
> +# X11Forwarding no
> +# AllowTcpForwarding no
> +# ForceCommand cvs server
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> new file mode 100644
> index 0000000..c717214
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> @@ -0,0 +1,10 @@
> +[Unit]
> +Description=SSH Key Generation
> +
> +[Service]
> +ExecStart=/usr/bin/ssh-keygen -A
> +Type=oneshot
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
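Review bot: Nothing in this unit ties host-key generation to the state of the kernel entropy pool. `ssh-keygen -A` creates any missing host keys, which on an embedded image usually means the very first boot, when little entropy may have been gathered. Keys produced at that point can be weak or repeated across devices flashed from the same image. At minimum I would document this in the unit: `# Generates missing host keys on boot; make sure the RNG is seeded (hardware RNG or restored seed) before this runs.` Ordering the unit after whatever restores the random seed on the target would be the stronger fix.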
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..15dc078 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -1,112 +1,11 @@
> -SUMMARY = "Secure rlogin/rsh/rcp/telnet replacement"
> -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
> -Ssh (Secure Shell) is a program for logging into a remote machine \
> -and for executing commands on a remote machine."
> -HOMEPAGE = "http://openssh.org"
> -SECTION = "console/network"
> -LICENSE = "BSD"
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
> -
> -PR = "r0"
> -
> -DEPENDS = "zlib openssl"
> -DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
> -
> -RPROVIDES_${PN}-ssh = "ssh"
> -RPROVIDES_${PN}-sshd = "sshd"
> -
> -RCONFLICTS_${PN} = "dropbear"
> -RCONFLICTS_${PN}-sshd = "dropbear"
> -RCONFLICTS_${PN}-keygen = "ssh-keygen"
> -
> -SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> - file://nostrip.patch \
> - file://sshd_config \
> - file://ssh_config \
> - file://init \
> - file://openssh-CVE-2011-4327.patch \
> - file://mac.patch \
> - ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
> -
> -PAM_SRC_URI = "file://sshd"
> +require openssh.inc
>
> SRC_URI[md5sum] = "be46174dcbb77ebb4ea88ef140685de1"
> SRC_URI[sha256sum] = "7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b"
>
> -inherit useradd update-rc.d update-alternatives
> -
> -USERADD_PACKAGES = "${PN}-sshd"
> -USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
> -INITSCRIPT_PACKAGES = "${PN}-sshd"
> -INITSCRIPT_NAME_${PN}-sshd = "sshd"
> -INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
> -
> -PACKAGECONFIG ??= "tcp-wrappers"
> -PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> -
> -inherit autotools
> -
> -# LFS support:
> -CFLAGS += "-D__FILE_OFFSET_BITS=64"
> -export LD = "${CC}"
> -
> -EXTRA_OECONF = "--with-rand-helper=no \
> - ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> - --without-zlib-version-check \
> - --with-privsep-path=/var/run/sshd \
> - --sysconfdir=${sysconfdir}/ssh \
> - --with-xauth=/usr/bin/xauth"
> -
> -# This is a workaround for uclibc because including stdio.h
> -# pulls in pthreads.h and causes conflicts in function prototypes.
> -# This results in compilation failure, so unless this is fixed,
> -# disable pam for uclibc.
> -EXTRA_OECONF_append_libc-uclibc=" --without-pam"
> -
> -do_configure_prepend () {
> - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
> - cp aclocal.m4 acinclude.m4
> - fi
> -}
> -
> -do_compile_append () {
> - install -m 0644 ${WORKDIR}/sshd_config ${S}/
> - install -m 0644 ${WORKDIR}/ssh_config ${S}/
> -}
> -
> -do_install_append () {
> - for i in ${DISTRO_FEATURES};
> - do
> - if [ ${i} = "pam" ]; then
> - install -d ${D}${sysconfdir}/pam.d
> - install -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
> - fi
> - done
> - install -d ${D}${sysconfdir}/init.d
> - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
> - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
> - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
> -}
> -
> -ALLOW_EMPTY_${PN} = "1"
> -
> -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> -FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> -FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> -FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
> -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
> -FILES_${PN}-sftp = "${bindir}/sftp"
> -FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> -FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> -FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> -
> -RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> -RDEPENDS_${PN}-sshd += "${PN}-keygen"
> -
> -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> -CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> -
> -ALTERNATIVE_PRIORITY = "90"
> -ALTERNATIVE_${PN}-scp = "scp"
> -ALTERNATIVE_${PN}-ssh = "ssh"
> +SRC_URI += "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> + file://nostrip.patch \
> + file://openssh-CVE-2011-4327.patch \
> + file://mac.patch"
>
> +PR = "${INC_PR}.0"
> --
> 1.8.1.2
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa at gmail.com