openssh: add patch to specify seperate keydir, remove 'sshd_config' script and create ALL supported keys
Signed-off-by: Stephan Raue <stephan@openelec.tv>
This commit is contained in:
parent
278c7f8ebd
commit
3df253529b
@ -1,47 +0,0 @@
|
||||
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
# ssh_config(5) for more information. This file provides defaults for
|
||||
# users, and the values can be changed in per-user configuration files
|
||||
# or on the command line.
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
# 1. command line options
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
# Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
# StrictHostKeyChecking ask
|
||||
# IdentityFile ~/.ssh/identity
|
||||
# IdentityFile ~/.ssh/id_rsa
|
||||
# IdentityFile ~/.ssh/id_dsa
|
||||
# Port 22
|
||||
# Protocol 2,1
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
@ -1,116 +0,0 @@
|
||||
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
# The default requires explicit activation of protocol 1
|
||||
#Protocol 2
|
||||
|
||||
# HostKey for protocol version 1
|
||||
#HostKey ~/.cache/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
HostKey ~/.cache/ssh/ssh_host_rsa_key
|
||||
HostKey ~/.cache/ssh/ssh_host_dsa_key
|
||||
#HostKey ~/.cache/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
#ServerKeyBits 1024
|
||||
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
SyslogFacility AUTHPRIV
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
#UsePrivilegeSeparation yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
@ -32,7 +32,8 @@ PKG_LONGDESC="This is a Linux port of OpenBSD's excellent OpenSSH. OpenSSH is ba
|
||||
PKG_IS_ADDON="no"
|
||||
PKG_AUTORECONF="yes"
|
||||
|
||||
PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \
|
||||
PKG_CONFIGURE_OPTS_TARGET="--sysconfdir=/etc/ssh \
|
||||
--libexecdir=/usr/lib/openssh \
|
||||
--disable-strip \
|
||||
--disable-lastlog \
|
||||
--with-sandbox=no \
|
||||
@ -45,6 +46,7 @@ PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \
|
||||
--disable-pututline \
|
||||
--disable-pututxline \
|
||||
--disable-etc-default-login \
|
||||
--with-keydir=/storage/.cache/ssh \
|
||||
--without-pam"
|
||||
|
||||
pre_configure_target() {
|
||||
@ -53,19 +55,11 @@ pre_configure_target() {
|
||||
}
|
||||
|
||||
post_makeinstall_target() {
|
||||
mkdir -p $INSTALL/etc
|
||||
cp $PKG_DIR/config/ssh_config $INSTALL/etc
|
||||
cp $PKG_DIR/config/sshd_config $INSTALL/etc
|
||||
|
||||
mkdir -p $INSTALL/usr/sbin
|
||||
cp -P $PKG_DIR/scripts/sshd-keygen $INSTALL/usr/sbin
|
||||
|
||||
rm -rf $INSTALL/usr/lib/openssh/ssh-keysign
|
||||
rm -rf $INSTALL/usr/lib/openssh/ssh-pkcs11-helper
|
||||
if [ ! $SFTP_SERVER = "yes" ]; then
|
||||
rm -rf $INSTALL/usr/lib/openssh/sftp-server
|
||||
fi
|
||||
# k0p
|
||||
rm -rf $INSTALL/usr/bin/ssh-add
|
||||
rm -rf $INSTALL/usr/bin/ssh-agent
|
||||
rm -rf $INSTALL/usr/bin/ssh-keyscan
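Review bot: With `--with-keydir=/storage/.cache/ssh` the compiled-in host-key location (and, through the new patch, the system `ssh_known_hosts` lookup) now lives on the writable /storage partition, while the `cp $PKG_DIR/config/sshd_config $INSTALL/etc` line in post_makeinstall_target goes away together with the shipped config, so sshd will run on whatever `make install` drops under `--sysconfdir=/etc/ssh` or on compiled-in defaults; neither is visible in this hunk, so it is worth confirming that an sshd_config still lands on the image and that the `SyslogFacility AUTHPRIV` and explicit `Subsystem sftp` settings from the removed file are either carried over or knowingly dropped. The remaining `rm -rf` lines for ssh-keysign, ssh-pkcs11-helper and the ssh-add/ssh-agent/ssh-keyscan binaries still trim the install, which is good for the image's exposed surface; a one-line comment stating that intent would help the next reader, e.g. `# drop helpers the image never uses; keeps the setuid/agent surface small`. post_makeinstall_target opens inside the hunk but its body continues past it.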
|
||||
|
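--- a/packages/network/openssh/patches/openssh-keydir.patch
+++ b/packages/network/openssh/patches/openssh-keydir.patch
@@ -0,0 +1,113 @@
+diff -Naur openssh-6.6p1/configure.ac openssh-6.6p1.patch/configure.ac
+--- openssh-6.6p1/configure.ac 2014-02-21 18:09:34.000000000 +0100
++++ openssh-6.6p1.patch/configure.ac 2014-08-03 14:19:49.867173481 +0200
+@@ -4444,6 +4444,17 @@
+]
+)
+
++# Set keydir
++AC_ARG_WITH([keydir],
++ [ --with-keydir= Specify different path for storing keys],
++ [
++ if test -n "$withval" && test "x$withval" != "xno" && \
++ test "x${withval}" != "xyes"; then
++ KEYDIR=$withval
++ fi
++ ]
++)
++AC_SUBST([KEYDIR])
+
+AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
+IPV4_IN6_HACK_MSG="no"
+@@ -4814,6 +4825,7 @@
+H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
+I=`eval echo ${user_path}` ; I=`eval echo ${I}`
+J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
++K=`eval echo ${KEYDIR}` ; K=`eval echo ${K}`
+
+echo ""
+echo "OpenSSH has been configured with the following options:"
+@@ -4837,6 +4849,9 @@
+if test ! -z "$superuser_path" ; then
+echo " sshd superuser user PATH: $J"
+fi
++if test ! -z "$KEYDIR" ; then
++echo " sshd keydir : $K"
++fi
+echo " Manpage format: $MANTYPE"
+echo " PAM support: $PAM_MSG"
+echo " OSF SIA support: $SIA_MSG"
+diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in
+--- openssh-6.6p1/Makefile.in 2014-02-04 01:12:56.000000000 +0100
++++ openssh-6.6p1.patch/Makefile.in 2014-08-03 14:12:36.716017883 +0200
+@@ -29,8 +29,10 @@
+PRIVSEP_PATH=@PRIVSEP_PATH@
+SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+STRIP_OPT=@STRIP_OPT@
++KEYDIR=@KEYDIR@
+
+PATHS= -DSSHDIR=\"$(sysconfdir)\" \
++ -DKEYDIR=\"$(KEYDIR)\" \
+-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
+-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
+-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
+@@ -111,11 +113,11 @@
+-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
+-e 's|/usr/libexec|$(libexecdir)|g' \
+-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
+- -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
+- -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
+- -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
+- -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
+- -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
++ -e 's|/etc/ssh/ssh_host_key|$(KEYDIR)/ssh_host_key|g' \
++ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(KEYDIR)/ssh_host_ecdsa_key|g' \
++ -e 's|/etc/ssh/ssh_host_dsa_key|$(KEYDIR)/ssh_host_dsa_key|g' \
++ -e 's|/etc/ssh/ssh_host_rsa_key|$(KEYDIR)/ssh_host_rsa_key|g' \
++ -e 's|/etc/ssh/ssh_host_ed25519_key|$(KEYDIR)/ssh_host_ed25519_key|g' \
+-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
+-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
+-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
+diff -Naur openssh-6.6p1/pathnames.h openssh-6.6p1.patch/pathnames.h
+--- openssh-6.6p1/pathnames.h 2013-12-07 01:24:02.000000000 +0100
++++ openssh-6.6p1.patch/pathnames.h 2014-08-03 13:03:43.612029243 +0200
+@@ -18,6 +18,10 @@
+#define SSHDIR ETCDIR "/ssh"
+#endif
+
++#ifndef KEYDIR
++#define KEYDIR SSHDIR
++#endif
++
+#ifndef _PATH_SSH_PIDDIR
+#define _PATH_SSH_PIDDIR "/var/run"
+#endif
+@@ -26,9 +30,9 @@
+* System-wide file containing host keys of known hosts. This file should be
+* world-readable.
+*/
+-#define _PATH_SSH_SYSTEM_HOSTFILE SSHDIR "/ssh_known_hosts"
++#define _PATH_SSH_SYSTEM_HOSTFILE KEYDIR "/ssh_known_hosts"
+/* backward compat for protocol 2 */
+-#define _PATH_SSH_SYSTEM_HOSTFILE2 SSHDIR "/ssh_known_hosts2"
++#define _PATH_SSH_SYSTEM_HOSTFILE2 KEYDIR "/ssh_known_hosts2"
+
+/*
+* Of these, ssh_host_key must be readable only by root, whereas ssh_config
+@@ -36,11 +40,11 @@
+*/
+#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
+#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
+-#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key"
+-#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
+-#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
+-#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
+-#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
++#define _PATH_HOST_KEY_FILE KEYDIR "/ssh_host_key"
++#define _PATH_HOST_DSA_KEY_FILE KEYDIR "/ssh_host_dsa_key"
++#define _PATH_HOST_ECDSA_KEY_FILE KEYDIR "/ssh_host_ecdsa_key"
++#define _PATH_HOST_ED25519_KEY_FILE KEYDIR "/ssh_host_ed25519_key"
++#define _PATH_HOST_RSA_KEY_FILE KEYDIR "/ssh_host_rsa_key"
+#define _PATH_DH_MODULI SSHDIR "/moduli"
+/* Backwards compatibility */
+#define _PATH_DH_PRIMES SSHDIR "/primes"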
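Review bot: In the Makefile.in hunk `-DKEYDIR=\"$(KEYDIR)\"` is added to PATHS unconditionally, so a build configured without `--with-keydir` (or with `--with-keydir=no`) gets KEYDIR defined as the empty string, the `#ifndef KEYDIR` fallback to SSHDIR in the pathnames.h hunk never fires, and every host-key path plus both `ssh_known_hosts` paths would resolve to the filesystem root, e.g. `/ssh_host_rsa_key`. Giving the variable a default in the configure.ac hunk closes that, for instance `test -n "$KEYDIR" || KEYDIR="$sysconfdir"` placed just before `AC_SUBST([KEYDIR])`, which also keeps the summary line's double `eval echo` working. Separately, the pathnames.h hunk relocates `_PATH_SSH_SYSTEM_HOSTFILE` and `_PATH_SSH_SYSTEM_HOSTFILE2`, the system-wide client trust store that the comment right above them says should be world-readable, into the key directory; the commit message only talks about a key directory, so if just sshd's host keys are meant to move, those two defines should stay on SSHDIR.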
@ -1,49 +0,0 @@
|
||||
#!/bin/sh
|
||||
################################################################################
|
||||
# This file is part of OpenELEC - http://www.openelec.tv
|
||||
# Copyright (C) 2009-2014 Stephan Raue (stephan@openelec.tv)
|
||||
#
|
||||
# OpenELEC is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# OpenELEC is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with OpenELEC. If not, see <http://www.gnu.org/licenses/>.
|
||||
################################################################################
|
||||
|
||||
. /etc/profile
|
||||
|
||||
RSA1_KEY="/storage/.cache/ssh/ssh_host_key"
|
||||
RSA2_KEY="/storage/.cache/ssh/ssh_host_rsa_key"
|
||||
DSA2_KEY="/storage/.cache/ssh/ssh_host_dsa_key"
|
||||
|
||||
KEYGEN="/usr/bin/ssh-keygen"
|
||||
|
||||
mkdir -p /storage/.cache/ssh
|
||||
|
||||
# Check for the SSH1 RSA key
|
||||
if [ ! -s $RSA1_KEY ] ; then
|
||||
progress "SSH: generating SSH1 RSA key"
|
||||
$KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null
|
||||
chmod 600 $RSA1_KEY
|
||||
fi
|
||||
|
||||
# Check for the SSH2 RSA key
|
||||
if [ ! -s $RSA2_KEY ] ; then
|
||||
progress "SSH: generating SSH2 RSA key"
|
||||
$KEYGEN -q -t rsa -f $RSA2_KEY -C '' -N '' >&/dev/null
|
||||
chmod 600 $RSA2_KEY
|
||||
fi
|
||||
|
||||
# Check for the SSH2 DSA key
|
||||
if [ ! -s $DSA2_KEY ] ; then
|
||||
progress "SSH: generating SSH2 DSA key"
|
||||
$KEYGEN -q -t dsa -f $DSA2_KEY -C '' -N '' >&/dev/null
|
||||
chmod 600 $DSA2_KEY
|
||||
fi
|
@ -6,7 +6,7 @@ After=network.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/storage/.cache/services/sshd.conf
|
||||
ExecStartPre=/usr/sbin/sshd-keygen
|
||||
ExecStartPre=/usr/bin/ssh-keygen -A
|
||||
ExecStart=/usr/sbin/sshd -D $SSH_ARGS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
TimeoutStopSec=1s
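Review bot: `ExecStartPre=/usr/bin/ssh-keygen -A` replaces the removed sshd-keygen script, which ran `mkdir -p /storage/.cache/ssh` before generating anything; as far as I can tell `ssh-keygen -A` does not create the key directory itself, so on a first boot with an empty /storage the key files cannot be written and sshd would come up with no usable host keys. Adding `ExecStartPre=/bin/mkdir -p /storage/.cache/ssh` ahead of the ssh-keygen line (the same path the package passes as `--with-keydir`) restores the old behaviour. The removed script also did an explicit `chmod 600` on each private key; ssh-keygen should already write private keys 0600, so nothing is lost there, but since the directory sits on the writable user partition a `-m 700` on that mkdir would keep the key set from being listable by anything else that can read /storage.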
|
||||
|