From 723b28885e83bb05aa49f72ba5d3e4d05eff6f18 Mon Sep 17 00:00:00 2001 From: Stephan Raue Date: Sun, 3 Aug 2014 15:23:00 +0200 Subject: [PATCH] openssh: add patch to specify seperate keydir, remove 'sshd_config' script and create ALL supported keys Signed-off-by: Stephan Raue --- packages/network/openssh/config/ssh_config | 47 ------- packages/network/openssh/config/sshd_config | 116 ------------------ packages/network/openssh/package.mk | 12 +- .../openssh/patches/openssh-keydir.patch | 113 +++++++++++++++++ packages/network/openssh/scripts/sshd-keygen | 49 -------- .../network/openssh/system.d/sshd.service | 2 +- 6 files changed, 117 insertions(+), 222 deletions(-) delete mode 100644 packages/network/openssh/config/ssh_config delete mode 100644 packages/network/openssh/config/sshd_config create mode 100644 packages/network/openssh/patches/openssh-keydir.patch delete mode 100755 packages/network/openssh/scripts/sshd-keygen diff --git a/packages/network/openssh/config/ssh_config b/packages/network/openssh/config/ssh_config deleted file mode 100644 index 18936740f6..0000000000 --- a/packages/network/openssh/config/ssh_config +++ /dev/null 
@@ -1,47 +0,0 @@ -# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/packages/network/openssh/config/sshd_config b/packages/network/openssh/config/sshd_config deleted file mode 100644 index 47c75e876e..0000000000 --- a/packages/network/openssh/config/sshd_config +++ /dev/null 
@@ -1,116 +0,0 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -#Protocol 2 - -# HostKey for protocol version 1 -#HostKey ~/.cache/ssh/ssh_host_key -# HostKeys for protocol version 2 -HostKey ~/.cache/ssh/ssh_host_rsa_key -HostKey ~/.cache/ssh/ssh_host_dsa_key -#HostKey ~/.cache/ssh/ssh_host_ecdsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! 
-#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server diff --git a/packages/network/openssh/package.mk b/packages/network/openssh/package.mk index 1c8181383e..5f12fdd643 100644 --- a/packages/network/openssh/package.mk +++ b/packages/network/openssh/package.mk 
@@ -32,7 +32,8 @@ PKG_LONGDESC="This is a Linux port of OpenBSD's excellent OpenSSH. OpenSSH is ba PKG_IS_ADDON="no" PKG_AUTORECONF="yes" -PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \ +PKG_CONFIGURE_OPTS_TARGET="--sysconfdir=/etc/ssh \ + --libexecdir=/usr/lib/openssh \ --disable-strip \ --disable-lastlog \ --with-sandbox=no \ @@ -45,6 +46,7 @@ PKG_CONFIGURE_OPTS_TARGET="--libexecdir=/usr/lib/openssh \ --disable-pututline \ --disable-pututxline \ --disable-etc-default-login \ + --with-keydir=/storage/.cache/ssh \ --without-pam" pre_configure_target() { @@ -53,19 +55,11 @@ pre_configure_target() { } post_makeinstall_target() { - mkdir -p $INSTALL/etc - cp $PKG_DIR/config/ssh_config $INSTALL/etc - cp $PKG_DIR/config/sshd_config $INSTALL/etc - - mkdir -p $INSTALL/usr/sbin - cp -P $PKG_DIR/scripts/sshd-keygen $INSTALL/usr/sbin - rm -rf $INSTALL/usr/lib/openssh/ssh-keysign rm -rf $INSTALL/usr/lib/openssh/ssh-pkcs11-helper if [ ! $SFTP_SERVER = "yes" ]; then rm -rf $INSTALL/usr/lib/openssh/sftp-server fi - # k0p rm -rf $INSTALL/usr/bin/ssh-add rm -rf $INSTALL/usr/bin/ssh-agent rm -rf $INSTALL/usr/bin/ssh-keyscan diff --git a/packages/network/openssh/patches/openssh-keydir.patch b/packages/network/openssh/patches/openssh-keydir.patch new file mode 100644 index 0000000000..8b41108846 --- /dev/null +++ b/packages/network/openssh/patches/openssh-keydir.patch 
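Review bot: The third hunk removes the only explicit install of sshd_config, and nothing visible in the diff puts a replacement under the new `--sysconfdir=/etc/ssh`; sshd exits at startup when that file cannot be opened, so this only works if the package's install step (outside this hunk) drops upstream's default sshd_config into `$INSTALL/etc/ssh`. The OpenELEC-specific settings of the deleted file are gone either way — dropping the explicit `HostKey` lines is fine because the keydir patch moves the compiled-in defaults to `/storage/.cache/ssh`, but `SyslogFacility AUTHPRIV` is silently lost. A one-line guard after the `rm -rf` lines would make the assumption explicit: `[ -f $INSTALL/etc/ssh/sshd_config ] || { echo "openssh: no sshd_config installed under /etc/ssh" >&2; exit 1; }`. The body of post_makeinstall_target continues past the end of the hunk.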
@@ -0,0 +1,113 @@ +diff -Naur openssh-6.6p1/configure.ac openssh-6.6p1.patch/configure.ac +--- openssh-6.6p1/configure.ac 2014-02-21 18:09:34.000000000 +0100 ++++ openssh-6.6p1.patch/configure.ac 2014-08-03 14:19:49.867173481 +0200 +@@ -4444,6 +4444,17 @@ + ] + ) + ++# Set keydir ++AC_ARG_WITH([keydir], ++ [ --with-keydir= Specify different path for storing keys], ++ [ ++ if test -n "$withval" && test "x$withval" != "xno" && \ ++ test "x${withval}" != "xyes"; then ++ KEYDIR=$withval ++ fi ++ ] ++) ++AC_SUBST([KEYDIR]) + + AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) + IPV4_IN6_HACK_MSG="no" +@@ -4814,6 +4825,7 @@ + H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` + I=`eval echo ${user_path}` ; I=`eval echo ${I}` + J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` ++K=`eval echo ${KEYDIR}` ; K=`eval echo ${K}` + + echo "" + echo "OpenSSH has been configured with the following options:" +@@ -4837,6 +4849,9 @@ + if test ! -z "$superuser_path" ; then + echo " sshd superuser user PATH: $J" + fi ++if test ! 
-z "$KEYDIR" ; then ++echo " sshd keydir : $K" ++fi + echo " Manpage format: $MANTYPE" + echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" +diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in +--- openssh-6.6p1/Makefile.in 2014-02-04 01:12:56.000000000 +0100 ++++ openssh-6.6p1.patch/Makefile.in 2014-08-03 14:12:36.716017883 +0200 +@@ -29,8 +29,10 @@ + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ + STRIP_OPT=@STRIP_OPT@ ++KEYDIR=@KEYDIR@ + + PATHS= -DSSHDIR=\"$(sysconfdir)\" \ ++ -DKEYDIR=\"$(KEYDIR)\" \ + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ + -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ + -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \ +@@ -111,11 +113,11 @@ + -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ + -e 's|/usr/libexec|$(libexecdir)|g' \ + -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \ +- -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ +- -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ +- -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ +- -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ +- -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \ ++ -e 's|/etc/ssh/ssh_host_key|$(KEYDIR)/ssh_host_key|g' \ ++ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(KEYDIR)/ssh_host_ecdsa_key|g' \ ++ -e 's|/etc/ssh/ssh_host_dsa_key|$(KEYDIR)/ssh_host_dsa_key|g' \ ++ -e 's|/etc/ssh/ssh_host_rsa_key|$(KEYDIR)/ssh_host_rsa_key|g' \ ++ -e 's|/etc/ssh/ssh_host_ed25519_key|$(KEYDIR)/ssh_host_ed25519_key|g' \ + -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ + -e 's|/etc/moduli|$(sysconfdir)/moduli|g' \ + -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ +diff -Naur openssh-6.6p1/pathnames.h openssh-6.6p1.patch/pathnames.h +--- openssh-6.6p1/pathnames.h 2013-12-07 01:24:02.000000000 +0100 ++++ openssh-6.6p1.patch/pathnames.h 2014-08-03 13:03:43.612029243 +0200 +@@ -18,6 +18,10 @@ + #define SSHDIR ETCDIR "/ssh" + #endif 
+ ++#ifndef KEYDIR ++#define KEYDIR SSHDIR ++#endif ++ + #ifndef _PATH_SSH_PIDDIR + #define _PATH_SSH_PIDDIR "/var/run" + #endif +@@ -26,9 +30,9 @@ + * System-wide file containing host keys of known hosts. This file should be + * world-readable. + */ +-#define _PATH_SSH_SYSTEM_HOSTFILE SSHDIR "/ssh_known_hosts" ++#define _PATH_SSH_SYSTEM_HOSTFILE KEYDIR "/ssh_known_hosts" + /* backward compat for protocol 2 */ +-#define _PATH_SSH_SYSTEM_HOSTFILE2 SSHDIR "/ssh_known_hosts2" ++#define _PATH_SSH_SYSTEM_HOSTFILE2 KEYDIR "/ssh_known_hosts2" + + /* + * Of these, ssh_host_key must be readable only by root, whereas ssh_config +@@ -36,11 +40,11 @@ + */ + #define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config" + #define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config" +-#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" +-#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" +-#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" +-#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" +-#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" ++#define _PATH_HOST_KEY_FILE KEYDIR "/ssh_host_key" ++#define _PATH_HOST_DSA_KEY_FILE KEYDIR "/ssh_host_dsa_key" ++#define _PATH_HOST_ECDSA_KEY_FILE KEYDIR "/ssh_host_ecdsa_key" ++#define _PATH_HOST_ED25519_KEY_FILE KEYDIR "/ssh_host_ed25519_key" ++#define _PATH_HOST_RSA_KEY_FILE KEYDIR "/ssh_host_rsa_key" + #define _PATH_DH_MODULI SSHDIR "/moduli" + /* Backwards compatibility */ + #define _PATH_DH_PRIMES SSHDIR "/primes" diff --git a/packages/network/openssh/scripts/sshd-keygen b/packages/network/openssh/scripts/sshd-keygen deleted file mode 100755 index cb17451e1f..0000000000 --- a/packages/network/openssh/scripts/sshd-keygen +++ /dev/null 
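Review bot: When `--with-keydir` is not given, the Makefile.in hunk still passes `-DKEYDIR=\"$(KEYDIR)\"` with KEYDIR substituted empty, so KEYDIR is defined as `""`, the `#ifndef KEYDIR` fallback to SSHDIR in pathnames.h never triggers, and every host-key path collapses to `/ssh_host_*_key` at the filesystem root (the man-page sed substitutions degrade the same way). The build in this commit always passes the option, so the defect is latent here, but the patch should be safe on its own: add `test -n "$KEYDIR" || KEYDIR='${sysconfdir}'` in configure.ac just before `AC_SUBST([KEYDIR])`, which make then expands like `$(sysconfdir)`. Note also that the pathnames.h hunk moves `_PATH_SSH_SYSTEM_HOSTFILE` (ssh_known_hosts) into KEYDIR and not only the host keys; the file's own comments say that file should be world-readable while the host keys must be root-only, which is presumably acceptable on an appliance where everything runs as one user, but a sentence in the commit message or the patch header saying so would help the next reader. The help string `--with-keydir=` should name its argument like the neighbouring options, e.g. `--with-keydir=PATH`.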
@@ -1,49 +0,0 @@ -#!/bin/sh -################################################################################ -# This file is part of OpenELEC - http://www.openelec.tv -# Copyright (C) 2009-2014 Stephan Raue (stephan@openelec.tv) -# -# OpenELEC is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 2 of the License, or -# (at your option) any later version. -# -# OpenELEC is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with OpenELEC. If not, see . -################################################################################ - -. /etc/profile - -RSA1_KEY="/storage/.cache/ssh/ssh_host_key" -RSA2_KEY="/storage/.cache/ssh/ssh_host_rsa_key" -DSA2_KEY="/storage/.cache/ssh/ssh_host_dsa_key" - -KEYGEN="/usr/bin/ssh-keygen" - -mkdir -p /storage/.cache/ssh - -# Check for the SSH1 RSA key - if [ ! -s $RSA1_KEY ] ; then - progress "SSH: generating SSH1 RSA key" - $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null - chmod 600 $RSA1_KEY - fi - -# Check for the SSH2 RSA key - if [ ! -s $RSA2_KEY ] ; then - progress "SSH: generating SSH2 RSA key" - $KEYGEN -q -t rsa -f $RSA2_KEY -C '' -N '' >&/dev/null - chmod 600 $RSA2_KEY - fi - -# Check for the SSH2 DSA key - if [ ! -s $DSA2_KEY ] ; then - progress "SSH: generating SSH2 DSA key" - $KEYGEN -q -t dsa -f $DSA2_KEY -C '' -N '' >&/dev/null - chmod 600 $DSA2_KEY - fi diff --git a/packages/network/openssh/system.d/sshd.service b/packages/network/openssh/system.d/sshd.service index 96a2797fed..44766a519b 100644 --- a/packages/network/openssh/system.d/sshd.service +++ b/packages/network/openssh/system.d/sshd.service 
@@ -6,7 +6,7 @@ After=network.target
 
 [Service]
 EnvironmentFile=-/storage/.cache/services/sshd.conf
-ExecStartPre=/usr/sbin/sshd-keygen
+ExecStartPre=/usr/bin/ssh-keygen -A
 ExecStart=/usr/sbin/sshd -D $SSH_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=1s
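Review bot: `ssh-keygen -A` does not create the key directory as far as I can tell, so the `mkdir -p /storage/.cache/ssh` that the deleted sshd-keygen script performed has no replacement; on a fresh install or a wiped /storage/.cache every key type then fails to generate and sshd refuses to start for lack of host keys. A second pre-start step in front of the keygen line keeps the unit self-contained: `ExecStartPre=/bin/mkdir -p /storage/.cache/ssh` (the path must be absolute and must match the `--with-keydir` value in package.mk). A smaller behavioural change worth knowing: the old script regenerated a key when the file was empty (`-s`), whereas `-A` only checks existence, so a truncated key file left by an interrupted generation now blocks regeneration until it is removed by hand.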