Dropbear: upgrade to 2022.83 and add sftp-server #14

Merged
hwelte merged 6 commits from osmith/nightly-dropbear into 201705 2023-05-12 08:28:32 +00:00
Member

Make recent versions of OpenSSH's ssh client and scp program work out of the box:

  • Upgrade to the most recent dropbear version, and disable weak ciphers (fix SYS#6402)
  • Build sftp-server from OpenSSH (standalone program, 126K size) and install it as dependency of dropbear (fix SYS#6403)

I have verified that this works by building and flashing a full image and testing with OpenSSH client 9.3_p1.

See commit messages for details.

osmith added 5 commits 2023-05-03 09:42:58 +00:00
8bbf92392a recipes-fixes/dropbear: remove
Remove this directory to prepare to upgrade dropbear in following
patches. The directory made changes to the sysvinit script that was
used by pre-201705 systems (SYS#691). 201705 uses systemd services
instead.

On a side note, all customizations made to the init script had been
upstreamed into OE.

Related: SYS#6402
Change-Id: Icb65a68091aff43c5c94ba961a650865a2784b65
6ec23241ba dropbear: import from generic-poky
Prepare to upgrade dropbear by importing it first from:
https://gitea.sysmocom.de/sysmo-bts/generic-poky/src/branch/pyro/meta/recipes-core/dropbear

Related: SYS#6402
Change-Id: I8e1290373c1ed44c612f9ed50240e6313027f47a
909ac967d7 dropbear: upgrade to 2022.83
Remove patches that were upstreamed or are not relevant anymore. Replace
the xauth patch with the rebased version from upstream.

Add the dropbear-disable-weak-ciphers.patch from upstream OE.

Add "--disable-harden" just like in the upstream recipe, as OE's
hardening flags cause the textrel QA warning otherwise.

Related: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/
Related: SYS#6402
Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
fabb1a3bd9 sftp-server: new package
Package OpenSSH's sftp-server program, so we can install it as
dependency of dropbear in a future patch. Once sftp-server is installed,
the scp tool from OpenSSH can be used with the SFTP protocol, without
enabling the legacy flag for the legacy SCP protocol.

The sftp-server binary is 126K in size.

After packaging this, I realized that we could also have used
the openssh-sftp-server package from poky:
https://gitea.sysmocom.de/sysmo-bts/generic-poky/src/branch/pyro/meta/recipes-connectivity/openssh
But let's use this extra package now, it uses the most recent OpenSSH
source and doesn't build the rest of OpenSSH which we don't need.

Related: SYS#6403
Change-Id: I376bc31413935f7a560afd916a623228550dc6fe
461bf8819e dropbear: add sftp-server to rdepends
Related: SYS#6403
Change-Id: I4044a19d172c9617eecabd083cfbc04832591e6a
osmith changed target branch from laforge/nightly to 201705 2023-05-03 12:01:32 +00:00
osmith added 5 commits 2023-05-03 12:01:46 +00:00
b5ea94924d recipes-fixes/dropbear: remove
Remove this directory to prepare to upgrade dropbear in following
patches. The directory made changes to the sysvinit script that was
used by pre-201705 systems (SYS#691). 201705 uses systemd services
instead.

On a side note, all customizations made to the init script had been
upstreamed into OE.

Related: SYS#6402
Change-Id: Icb65a68091aff43c5c94ba961a650865a2784b65
7207af6bf1 dropbear: import from generic-poky
Prepare to upgrade dropbear by importing it first from:
https://gitea.sysmocom.de/sysmo-bts/generic-poky/src/branch/pyro/meta/recipes-core/dropbear

Related: SYS#6402
Change-Id: I8e1290373c1ed44c612f9ed50240e6313027f47a
d6db916831 dropbear: upgrade to 2022.83
Remove patches that were upstreamed or are not relevant anymore. Replace
the xauth patch with the rebased version from upstream.

Add the dropbear-disable-weak-ciphers.patch from upstream OE.

Add "--disable-harden" just like in the upstream recipe, as OE's
hardening flags cause the textrel QA warning otherwise.

Related: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/
Related: SYS#6402
Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
19ee605ece sftp-server: new package
Package OpenSSH's sftp-server program, so we can install it as
dependency of dropbear in a future patch. Once sftp-server is installed,
the scp tool from OpenSSH can be used with the SFTP protocol, without
enabling the legacy flag for the legacy SCP protocol.

The sftp-server binary is 126K in size.

After packaging this, I realized that we could also have used
the openssh-sftp-server package from poky:
https://gitea.sysmocom.de/sysmo-bts/generic-poky/src/branch/pyro/meta/recipes-connectivity/openssh
But let's use this extra package now, it uses the most recent OpenSSH
source and doesn't build the rest of OpenSSH which we don't need.

Related: SYS#6403
Change-Id: I376bc31413935f7a560afd916a623228550dc6fe
b642c39109 dropbear: add sftp-server to rdepends
Related: SYS#6403
Change-Id: I4044a19d172c9617eecabd083cfbc04832591e6a
osmith force-pushed osmith/nightly-dropbear from b642c39109 to 9f86a965ed 2023-05-03 14:36:59 +00:00
osmith added 4 commits 2023-05-03 14:39:17 +00:00
ce45a5bc79 dropbear: import 2022.83 from upstream OE
Import current packaging of dropbear from openembedded-core.git, commit
0defbb5925e309799162e221285e4cfb2e2c2ca5.

Related: SYS#6402
Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
b1f45828b7 dropbear: fix build with our OE version
* Replace : with _
* Remove "virtual/crypt" from depends

Related: SYS#6402
Change-Id: Iebeb013ed2829e5008388eed7f8794eb5ae6dad0
bd1ca5c390 dropbear: do not disable root login
Related: SYS#6402
Change-Id: Ie9ef36f3008c6f8054f4e8164000a2e9e80c53d9
b5ef8f9119 dropbear: depend on sftp-server
Related: SYS#6403
Change-Id: Ieb8d386d92e47cd37174e4d816c3a2126174ce72
osmith force-pushed osmith/nightly-dropbear from b5ef8f9119 to 9c9857bc26 2023-05-03 15:04:41 +00:00
pespin approved these changes 2023-05-03 15:10:11 +00:00
Author
Member

Thanks for the review! Not sure if Harald also wants to take a look at this, so not merging yet.
osmith requested review from hwelte 2023-05-04 07:44:22 +00:00
hwelte merged commit 9c9857bc26 into 201705 2023-05-12 08:28:32 +00:00
hwelte deleted branch osmith/nightly-dropbear 2023-05-12 08:28:33 +00:00
Reference: sysmo-bts/meta-sysmocom-bsp#14