openssh: add patch to specify separate keydir, remove 'sshd_config' script and create ALL supported keys

Signed-off-by: Stephan Raue <stephan@openelec.tv>
This commit is contained in:
Stephan Raue 2014-08-03 15:23:00 +02:00
parent 278c7f8ebd
commit 3df253529b
6 changed files with 117 additions and 222 deletions


@ -1,47 +0,0 @@
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com


@ -1,116 +0,0 @@
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey ~/.cache/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey ~/.cache/ssh/ssh_host_rsa_key
HostKey ~/.cache/ssh/ssh_host_dsa_key
#HostKey ~/.cache/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


@ -32,7 +32,8 @@ PKG_LONGDESC="This is a Linux port of OpenBSD's excellent OpenSSH. OpenSSH is ba
PKG_IS_ADDON="no"
PKG_AUTORECONF="yes"
PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \
PKG_CONFIGURE_OPTS_TARGET="--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/openssh \
--disable-strip \
--disable-lastlog \
--with-sandbox=no \
@ -45,6 +46,7 @@ PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \
--disable-pututline \
--disable-pututxline \
--disable-etc-default-login \
--with-keydir=/storage/.cache/ssh \
--without-pam"
pre_configure_target() {
@ -53,19 +55,11 @@ pre_configure_target() {
}
post_makeinstall_target() {
mkdir -p $INSTALL/etc
cp $PKG_DIR/config/ssh_config $INSTALL/etc
cp $PKG_DIR/config/sshd_config $INSTALL/etc
mkdir -p $INSTALL/usr/sbin
cp -P $PKG_DIR/scripts/sshd-keygen $INSTALL/usr/sbin
rm -rf $INSTALL/usr/lib/openssh/ssh-keysign
rm -rf $INSTALL/usr/lib/openssh/ssh-pkcs11-helper
if [ ! $SFTP_SERVER = "yes" ]; then
rm -rf $INSTALL/usr/lib/openssh/sftp-server
fi
# k0p
rm -rf $INSTALL/usr/bin/ssh-add
rm -rf $INSTALL/usr/bin/ssh-agent
rm -rf $INSTALL/usr/bin/ssh-keyscan
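Review bot: After this hunk nothing in the package installs an ssh_config or sshd_config any more, yet the new `--sysconfdir=/etc/ssh` tells sshd to look there, and the commit does not record where that file now comes from — presumably OpenSSH's own `make install` drops its stock config into `$INSTALL/etc/ssh`, but that is not visible here, and sshd refuses to start when it cannot open its config file. A comment beside the new option would pin the dependency, e.g. `# no package-specific ssh_config/sshd_config: the stock files from 'make install' land in /etc/ssh, host keys go to /storage/.cache/ssh (see --with-keydir)`. Note that the deleted sshd_config carried one non-default setting, `SyslogFacility AUTHPRIV`, which is silently lost with the switch to the stock file. The `/storage/.cache/ssh` path is now hard-coded both here and in the systemd unit; a single variable would keep them from drifting. The closing brace of post_makeinstall_target lies outside the hunk.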


@ -0,0 +1,113 @@
diff -Naur openssh-6.6p1/configure.ac openssh-6.6p1.patch/configure.ac
--- openssh-6.6p1/configure.ac 2014-02-21 18:09:34.000000000 +0100
+++ openssh-6.6p1.patch/configure.ac 2014-08-03 14:19:49.867173481 +0200
@@ -4444,6 +4444,17 @@
]
)
+# Set keydir
+AC_ARG_WITH([keydir],
+ [ --with-keydir= Specify different path for storing keys],
+ [
+ if test -n "$withval" && test "x$withval" != "xno" && \
+ test "x${withval}" != "xyes"; then
+ KEYDIR=$withval
+ fi
+ ]
+)
+AC_SUBST([KEYDIR])
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
@@ -4814,6 +4825,7 @@
H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
I=`eval echo ${user_path}` ; I=`eval echo ${I}`
J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
+K=`eval echo ${KEYDIR}` ; K=`eval echo ${K}`
echo ""
echo "OpenSSH has been configured with the following options:"
@@ -4837,6 +4849,9 @@
if test ! -z "$superuser_path" ; then
echo " sshd superuser user PATH: $J"
fi
+if test ! -z "$KEYDIR" ; then
+echo " sshd keydir : $K"
+fi
echo " Manpage format: $MANTYPE"
echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in
--- openssh-6.6p1/Makefile.in 2014-02-04 01:12:56.000000000 +0100
+++ openssh-6.6p1.patch/Makefile.in 2014-08-03 14:12:36.716017883 +0200
@@ -29,8 +29,10 @@
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
+KEYDIR=@KEYDIR@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
+ -DKEYDIR=\"$(KEYDIR)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
@@ -111,11 +113,11 @@
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-e 's|/usr/libexec|$(libexecdir)|g' \
-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
- -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
- -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
- -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
- -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
- -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
+ -e 's|/etc/ssh/ssh_host_key|$(KEYDIR)/ssh_host_key|g' \
+ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(KEYDIR)/ssh_host_ecdsa_key|g' \
+ -e 's|/etc/ssh/ssh_host_dsa_key|$(KEYDIR)/ssh_host_dsa_key|g' \
+ -e 's|/etc/ssh/ssh_host_rsa_key|$(KEYDIR)/ssh_host_rsa_key|g' \
+ -e 's|/etc/ssh/ssh_host_ed25519_key|$(KEYDIR)/ssh_host_ed25519_key|g' \
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
diff -Naur openssh-6.6p1/pathnames.h openssh-6.6p1.patch/pathnames.h
--- openssh-6.6p1/pathnames.h 2013-12-07 01:24:02.000000000 +0100
+++ openssh-6.6p1.patch/pathnames.h 2014-08-03 13:03:43.612029243 +0200
@@ -18,6 +18,10 @@
#define SSHDIR ETCDIR "/ssh"
#endif
+#ifndef KEYDIR
+#define KEYDIR SSHDIR
+#endif
+
#ifndef _PATH_SSH_PIDDIR
#define _PATH_SSH_PIDDIR "/var/run"
#endif
@@ -26,9 +30,9 @@
* System-wide file containing host keys of known hosts. This file should be
* world-readable.
*/
-#define _PATH_SSH_SYSTEM_HOSTFILE SSHDIR "/ssh_known_hosts"
+#define _PATH_SSH_SYSTEM_HOSTFILE KEYDIR "/ssh_known_hosts"
/* backward compat for protocol 2 */
-#define _PATH_SSH_SYSTEM_HOSTFILE2 SSHDIR "/ssh_known_hosts2"
+#define _PATH_SSH_SYSTEM_HOSTFILE2 KEYDIR "/ssh_known_hosts2"
/*
* Of these, ssh_host_key must be readable only by root, whereas ssh_config
@@ -36,11 +40,11 @@
*/
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
-#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key"
-#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
-#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
-#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
-#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
+#define _PATH_HOST_KEY_FILE KEYDIR "/ssh_host_key"
+#define _PATH_HOST_DSA_KEY_FILE KEYDIR "/ssh_host_dsa_key"
+#define _PATH_HOST_ECDSA_KEY_FILE KEYDIR "/ssh_host_ecdsa_key"
+#define _PATH_HOST_ED25519_KEY_FILE KEYDIR "/ssh_host_ed25519_key"
+#define _PATH_HOST_RSA_KEY_FILE KEYDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
/* Backwards compatibility */
#define _PATH_DH_PRIMES SSHDIR "/primes"
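Review bot: A build that omits `--with-keydir` ends up with its host keys at the filesystem root, because the configure.ac hunk leaves `KEYDIR` empty in that case, Makefile.in then compiles `-DKEYDIR=""`, and the `#ifndef KEYDIR` fallback to `SSHDIR` in pathnames.h never fires since the macro is defined (as an empty string) — `_PATH_HOST_RSA_KEY_FILE` becomes `"/ssh_host_rsa_key"` and the system `ssh_known_hosts` moves to `/ssh_known_hosts` as well. The summary block only prints the keydir when `$KEYDIR` is non-empty, so the misconfiguration is silent. Give the option a default right after the `AC_ARG_WITH` block, e.g. `test -n "$KEYDIR" || KEYDIR="$sysconfdir"`, so the substitution is never empty (the existing double `eval echo` in the summary and make's `${prefix}` expansion should cope with an unexpanded sysconfdir, but worth a quick check). The same empty value would also rewrite the man-page `fixpaths` substitutions to `/ssh_host_*_key`; this package always passes the option, so the defect only bites other users of the patch.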


@ -1,49 +0,0 @@
#!/bin/sh
################################################################################
# This file is part of OpenELEC - http://www.openelec.tv
# Copyright (C) 2009-2014 Stephan Raue (stephan@openelec.tv)
#
# OpenELEC is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# OpenELEC is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenELEC. If not, see <http://www.gnu.org/licenses/>.
################################################################################
. /etc/profile
RSA1_KEY="/storage/.cache/ssh/ssh_host_key"
RSA2_KEY="/storage/.cache/ssh/ssh_host_rsa_key"
DSA2_KEY="/storage/.cache/ssh/ssh_host_dsa_key"
KEYGEN="/usr/bin/ssh-keygen"
mkdir -p /storage/.cache/ssh
# Check for the SSH1 RSA key
if [ ! -s $RSA1_KEY ] ; then
progress "SSH: generating SSH1 RSA key"
$KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null
chmod 600 $RSA1_KEY
fi
# Check for the SSH2 RSA key
if [ ! -s $RSA2_KEY ] ; then
progress "SSH: generating SSH2 RSA key"
$KEYGEN -q -t rsa -f $RSA2_KEY -C '' -N '' >&/dev/null
chmod 600 $RSA2_KEY
fi
# Check for the SSH2 DSA key
if [ ! -s $DSA2_KEY ] ; then
progress "SSH: generating SSH2 DSA key"
$KEYGEN -q -t dsa -f $DSA2_KEY -C '' -N '' >&/dev/null
chmod 600 $DSA2_KEY
fi


@ -6,7 +6,7 @@ After=network.target
[Service]
EnvironmentFile=-/storage/.cache/services/sshd.conf
ExecStartPre=/usr/sbin/sshd-keygen
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStart=/usr/sbin/sshd -D $SSH_ARGS
ExecReload=/bin/kill -HUP $MAINPID
TimeoutStopSec=1s
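Review bot: The new `ExecStartPre=/usr/bin/ssh-keygen -A` has no replacement for the `mkdir -p /storage/.cache/ssh` the deleted sshd-keygen script ran before generating keys, and as far as I recall `ssh-keygen -A` does not create a missing key directory — it writes into the compiled-in `--with-keydir` path as-is. On a fresh /storage the first start would therefore either fail in ExecStartPre (systemd aborts the unit on a non-zero ExecStartPre) or, if ssh-keygen exits 0 after the failed writes, leave sshd starting with no host keys. Add `ExecStartPre=/bin/mkdir -p /storage/.cache/ssh` before the ssh-keygen line. The old script's explicit `chmod 600` on each private key also has no equivalent here; I believe ssh-keygen already creates private keys mode 0600, but that is worth confirming, as is the fact that `-A` now also generates a protocol-1 `ssh_host_key`, harmless only while Protocol stays at its default of 2.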