sysmo-bts
/
meta-sysmocom-bsp
9
1
Fork 0
Code Issues Pull Requests Releases Activity

dropbear: import 2022.83 from upstream OE 

Import current packaging of dropbear from openembedded-core.git, commit
0defbb5925e309799162e221285e4cfb2e2c2ca5.

Related: SYS#6402
Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
This commit is contained in:
Oliver Smith 2023-04-27 10:58:12 +02:00
parent 7b7e522ccf
commit ce45a5bc79
11 changed files with 382 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch Normal file
View File

@ -0,0 +1,23 @@
Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h
Upstream-Status: Inappropriate [configuration]
---
default_options.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default_options.h b/default_options.h
index 349338c..5ffac25 100644
--- a/default_options.h
+++ b/default_options.h
@@ -289,7 +289,7 @@ group1 in Dropbear server too */
/* The command to invoke for xauth when using X11 forwarding.
* "-q" for quiet */
-#define XAUTH_COMMAND "/usr/bin/xauth -q"
+#define XAUTH_COMMAND "xauth -q"
/* If you want to enable running an sftp server (such as the one included with
--
2.25.1

41
recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch Normal file
View File

@ -0,0 +1,41 @@
From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jussi.kukkonen@intel.com>
Date: Wed, 2 Dec 2015 11:36:02 +0200
Subject: Enable pam
We need modify file default_options.h besides enabling pam in
configure if we want dropbear to support pam.
Upstream-Status: Pending
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
default_options.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default_options.h b/default_options.h
index 0e3d027..349338c 100644
--- a/default_options.h
+++ b/default_options.h
@@ -210,7 +210,7 @@ group1 in Dropbear server too */
/* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
/* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@@ -218,7 +218,7 @@ group1 in Dropbear server too */
* but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response.
* You can't enable both PASSWORD and PAM. */
-#define DROPBEAR_SVR_PAM_AUTH 0
+#define DROPBEAR_SVR_PAM_AUTH 1
/* ~/.ssh/authorized_keys authentication.
* You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */
--
2.25.1

33
recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch Normal file
View File

@ -0,0 +1,33 @@
From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001
From: Mingli Yu <Mingli.Yu@windriver.com>
Date: Thu, 6 Sep 2018 15:54:00 +0800
Subject: [PATCH] dropbear configuration file
dropbear: Change the path ("/etc/pam.d/sshd" as default) to find a pam configuration file \
to "/etc/pam.d/dropbear for dropbear when enabling pam supporting"
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
svr-authpam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/svr-authpam.c b/svr-authpam.c
index d201bc9..165ec5c 100644
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) {
}
/* Init pam */
- if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
+ if ((rc = pam_start("dropbear", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s",
rc, pam_strerror(pamHandlep, rc));
goto cleanup;
--
2.7.4

4
recipes-core/dropbear/dropbear/dropbear Normal file
View File

@ -0,0 +1,4 @@
#%PAM-1.0
auth include common-auth
account include common-account

31
recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch Normal file
View File

@ -0,0 +1,31 @@
From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
From: Joseph Reynolds <joseph.reynolds1@ibm.com>
Date: Thu, 20 Jun 2019 16:29:15 -0500
Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
in the dropbear ssh server and client since they're considered weak ciphers
and we want to support the stong algorithms.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
default_options.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default_options.h b/default_options.h
index d417588..bc5200f 100644
--- a/default_options.h
+++ b/default_options.h
@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
* Small systems should generally include either curve25519 or ecdh for performance.
* curve25519 is less widely supported but is faster
*/
-#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA256 1
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
--
2.25.1

2
recipes-core/dropbear/dropbear/dropbear.default Normal file
View File

@ -0,0 +1,2 @@
# Disallow root logins by default
DROPBEAR_EXTRA_ARGS="-w"

10
recipes-core/dropbear/dropbear/dropbear.socket Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Conflicts=dropbear.service
[Socket]
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target
Also=dropbearkey.service

12
recipes-core/dropbear/dropbear/dropbear@.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=SSH Per-Connection Server
Wants=dropbearkey.service
After=syslog.target dropbearkey.service
[Service]
Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
ExecStart=-@SBINDIR@/dropbear -i -r ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_EXTRA_ARGS
ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
StandardInput=socket
KillMode=process

14
recipes-core/dropbear/dropbear/dropbearkey.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=SSH Key Generation
RequiresMountsFor=/var /var/lib
ConditionPathExists=!/etc/dropbear/dropbear_rsa_host_key
ConditionPathExists=!/var/lib/dropbear/dropbear_rsa_host_key
[Service]
Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
Type=oneshot
ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}
ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key
RemainAfterExit=yes
Nice=10

79
recipes-core/dropbear/dropbear/init Executable file
View File

@ -0,0 +1,79 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $remote_fs $syslog $networking
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 1
# Short-Description: Dropbear Secure Shell server
### END INIT INFO
#
# Do not configure this file. Edit /etc/default/dropbear instead!
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/dropbear
NAME=dropbear
DESC="Dropbear SSH server"
PIDFILE=/var/run/dropbear.pid
# These values may be replaced by those from /etc/default/dropbear
DROPBEAR_RSAKEY_DIR="/etc/dropbear"
DROPBEAR_PORT=22
DROPBEAR_EXTRA_ARGS=
DROPBEAR_RSAKEY_ARGS=
NO_START=0
set -e
test ! -r /etc/default/dropbear || . /etc/default/dropbear
test "$NO_START" = "0" || exit 0
test -x "$DAEMON" || exit 0
test ! -h /var/service/dropbear || exit 0
test -z "$DROPBEAR_BANNER" || \
DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
test -n "$DROPBEAR_RSAKEY" || \
DROPBEAR_RSAKEY="${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key"
gen_keys() {
if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then
rm $DROPBEAR_RSAKEY || true
fi
if [ ! -f "$DROPBEAR_RSAKEY" ]; then
mkdir -p ${DROPBEAR_RSAKEY%/*}
dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS
fi
}
case "$1" in
start)
echo -n "Starting $DESC: "
gen_keys
start-stop-daemon -S -p $PIDFILE \
-x "$DAEMON" -- -r $DROPBEAR_RSAKEY \
-p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon -K -x "$DAEMON" -p $PIDFILE
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
start-stop-daemon -K -x "$DAEMON" -p $PIDFILE
sleep 1
start-stop-daemon -S -p $PIDFILE \
-x "$DAEMON" -- -r $DROPBEAR_RSAKEY \
-p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0

133
recipes-core/dropbear/dropbear_2022.83.bb Normal file
View File

@ -0,0 +1,133 @@
SUMMARY = "A lightweight SSH and SCP implementation"
HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers."
SECTION = "console/network"
# some files are from other projects and have others license terms:
# public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD"
LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f"
DEPENDS = "zlib virtual/crypt"
RPROVIDES:${PN} = "ssh sshd"
RCONFLICTS:${PN} = "openssh-sshd openssh"
SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://0001-urandom-xauth-changes-to-options.h.patch \
file://init \
file://dropbearkey.service \
file://dropbear@.service \
file://dropbear.socket \
file://dropbear.default \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
"
SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
file://0006-dropbear-configuration-file.patch \
file://dropbear"
PAM_PLUGINS = "libpam-runtime \
pam-plugin-deny \
pam-plugin-permit \
pam-plugin-unix \
"
inherit autotools update-rc.d systemd
CVE_PRODUCT = "dropbear_ssh"
INITSCRIPT_NAME = "dropbear"
INITSCRIPT_PARAMS = "defaults 10"
SYSTEMD_SERVICE:${PN} = "dropbear.socket"
SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
BINCOMMANDS = "dbclient ssh scp"
EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
PACKAGECONFIG[disable-weak-ciphers] = ""
PACKAGECONFIG[enable-x11-forwarding] = ""
# This option appends to CFLAGS and LDFLAGS from OE
# This is causing [textrel] QA warning
EXTRA_OECONF += "--disable-harden"
# musl does not implement wtmp/logwtmp APIs
EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
do_configure:append() {
echo "/* Dropbear features */" > ${B}/localoptions.h
if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then
echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h
fi
}
do_install() {
install -d ${D}${sysconfdir} \
${D}${sysconfdir}/init.d \
${D}${sysconfdir}/default \
${D}${sysconfdir}/dropbear \
${D}${bindir} \
${D}${sbindir} \
${D}${localstatedir}
install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear
install -m 0755 dropbearmulti ${D}${sbindir}/
for i in ${BINCOMMANDS}
do
# ssh and scp symlinks are created by update-alternatives
if [ $i = ssh ] || [ $i = scp ]; then continue; fi
ln -s ${sbindir}/dropbearmulti ${D}${bindir}/$i
done
for i in ${SBINCOMMANDS}
do
ln -s ./dropbearmulti ${D}${sbindir}/$i
done
sed -e 's,/etc,${sysconfdir},g' \
-e 's,/usr/sbin,${sbindir},g' \
-e 's,/var,${localstatedir},g' \
-e 's,/usr/bin,${bindir},g' \
-e 's,/usr,${prefix},g' ${WORKDIR}/init > ${D}${sysconfdir}/init.d/dropbear
chmod 755 ${D}${sysconfdir}/init.d/dropbear
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
install -d ${D}${sysconfdir}/pam.d
install -m 0644 ${WORKDIR}/dropbear ${D}${sysconfdir}/pam.d/
fi
# deal with systemd unit files
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_system_unitdir}
sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
-e 's,@BINDIR@,${bindir},g' \
-e 's,@SBINDIR@,${sbindir},g' \
${D}${systemd_system_unitdir}/dropbear.socket ${D}${systemd_system_unitdir}/*.service
}
inherit update-alternatives
ALTERNATIVE_PRIORITY = "20"
ALTERNATIVE:${PN} = "${@bb.utils.filter('BINCOMMANDS', 'scp ssh', d)}"
ALTERNATIVE_TARGET = "${sbindir}/dropbearmulti"
pkg_postrm:${PN} () {
if [ -f "${sysconfdir}/dropbear/dropbear_rsa_host_key" ]; then
rm ${sysconfdir}/dropbear/dropbear_rsa_host_key
fi
if [ -f "${sysconfdir}/dropbear/dropbear_dss_host_key" ]; then
rm ${sysconfdir}/dropbear/dropbear_dss_host_key
fi
}
CONFFILES:${PN} = "${sysconfdir}/default/dropbear"
FILES:${PN} += "${bindir}"