kumquat-buildroot/package/openssh/openssh.mk

################################################################################
#
# openssh
#
################################################################################

OPENSSH_VERSION = 7.6p1
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
OPENSSH_LICENSE_FILES = LICENCE
# Autoreconf needed due to the following patches modifying configure.ac:
# 0001-configure-ac-detect-mips-abi.patch
# 0002-configure-ac-properly-set-seccomp-audit-arch-for-mips64.patch
OPENSSH_AUTORECONF = YES
OPENSSH_CONF_ENV = LD="$(TARGET_CC)" LDFLAGS="$(TARGET_CFLAGS)"
OPENSSH_CONF_OPTS = \
	--sysconfdir=/etc/ssh \
	--disable-lastlog \
	--disable-utmp \
	--disable-utmpx \
	--disable-wtmp \
	--disable-wtmpx \
	--disable-strip

define OPENSSH_USERS
	sshd -1 sshd -1 * - - - SSH drop priv user
endef

ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
OPENSSH_CONF_OPTS += --without-pie
endif

OPENSSH_DEPENDENCIES = zlib openssl

ifeq ($(BR2_PACKAGE_CRYPTODEV_LINUX),y)
OPENSSH_DEPENDENCIES += cryptodev-linux
OPENSSH_CONF_OPTS += --with-ssl-engine
else
OPENSSH_CONF_OPTS += --without-ssl-engine
endif

ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
define OPENSSH_INSTALL_PAM_CONF
	$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
	$(SED) '\%password   required     /lib/security/pam_cracklib.so%d' $(TARGET_DIR)/etc/pam.d/sshd
	$(SED) 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config
endef

OPENSSH_DEPENDENCIES += linux-pam
OPENSSH_CONF_OPTS += --with-pam
OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF
else
OPENSSH_CONF_OPTS += --without-pam
endif

ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
OPENSSH_DEPENDENCIES += libselinux
OPENSSH_CONF_OPTS += --with-selinux
else
OPENSSH_CONF_OPTS += --without-selinux
endif

define OPENSSH_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 644 package/openssh/sshd.service \
		$(TARGET_DIR)/usr/lib/systemd/system/sshd.service
	mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
	ln -fs ../../../../usr/lib/systemd/system/sshd.service \
		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshd.service
endef

define OPENSSH_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 755 package/openssh/S50sshd \
		$(TARGET_DIR)/etc/init.d/S50sshd
endef

$(eval $(autotools-package))
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
Add openssl and openssh. Fix up UML kernel build. 2002-10-17 10:55:05 +02:00			`#`
			`# openssh`
			`#`
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
Add openssl and openssh. Fix up UML kernel build. 2002-10-17 10:55:05 +02:00
openssh: security bump to version 7.6p1 Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. For more details, see the release notes: https://www.openssh.com/txt/release-7.6 Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-10-26 14:52:47 +02:00			`OPENSSH_VERSION = 7.6p1`
package/openssh: Use HTTP instead of FTP for source download HTTP should be more firewall friendly. Signed-off-by: Will Newton <will.newton@imgtec.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2010-12-01 15:44:26 +01:00			`OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable`
boot, package: use SPDX short identifier for BSD-2c We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-2c is BSD-2-Clause. This change is done using following command. find . -name "*.mk" \| xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-03-30 15:43:39 +02:00			`OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain`
openssh: add license information Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2014-05-06 17:42:38 +02:00			`OPENSSH_LICENSE_FILES = LICENCE`
openssh: fix sshd for MIPS64 n32 This patch backports two patches that have been sent upstream as a pull request in order to fix sshd for MIPS64 n32. The first patch adds support for detecting the MIPS ABI during the configure phase. The second patch sets the right value to seccomp_audit_arch taking into account the MIPS64 ABI. Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built for MIPS64. However, that's only valid for n64 ABI. The right macros for n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively. Because of that an sshd built for MIPS64 n32 rejects connection attempts and the output of strace reveals that the problem is related to seccomp audit: [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x555d5da0}) = 0 [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ? [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN\|POLLHUP}, {fd=6, revents=POLLHUP}]) [pid 194] +++ killed by SIGSYS +++ Pull request: https://github.com/openssh/openssh-portable/pull/71 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-06-20 18:15:19 +02:00			`# Autoreconf needed due to the following patches modifying configure.ac:`
openssh: don't download patch from Github Patches downloaded from Github are not stable, so bring them in the tree. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-07-02 18:53:31 +02:00			`# 0001-configure-ac-detect-mips-abi.patch`
			`# 0002-configure-ac-properly-set-seccomp-audit-arch-for-mips64.patch`
openssh: fix sshd for MIPS64 n32 This patch backports two patches that have been sent upstream as a pull request in order to fix sshd for MIPS64 n32. The first patch adds support for detecting the MIPS ABI during the configure phase. The second patch sets the right value to seccomp_audit_arch taking into account the MIPS64 ABI. Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built for MIPS64. However, that's only valid for n64 ABI. The right macros for n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively. Because of that an sshd built for MIPS64 n32 rejects connection attempts and the output of strace reveals that the problem is related to seccomp audit: [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x555d5da0}) = 0 [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ? [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN\|POLLHUP}, {fd=6, revents=POLLHUP}]) [pid 194] +++ killed by SIGSYS +++ Pull request: https://github.com/openssh/openssh-portable/pull/71 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-06-20 18:15:19 +02:00			`OPENSSH_AUTORECONF = YES`
openssl: pass LDFLAGS to fix incorrect link We already pass the LD variable to openssl in order to use gcc as the driver for the link process, instead of directly using the ld linker. However, we were not passing LDFLAGS so that the compiler flags are passed, which means that with multilib toolchains, the incorrect library variant could be used at link time, leading to invalid binaries (partly ARMv4, partly ARMv5) or broken compilation (when the build took place in soft-float, but the link stage takes place against hard-float libraries). This fixes a problem reported on IRC by amo-ej1 when compiling ssh on PowerPC e500v2 with a CodeSourcery toolchain ("crtbegin.o uses hard float, sshd uses soft float"). Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2011-02-07 10:55:04 +01:00			`OPENSSH_CONF_ENV = LD="$(TARGET_CC)" LDFLAGS="$(TARGET_CFLAGS)"`
package: indentation cleanup Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2014-12-24 08:54:24 +01:00			`OPENSSH_CONF_OPTS = \`
			`--sysconfdir=/etc/ssh \`
			`--disable-lastlog \`
			`--disable-utmp \`
			`--disable-utmpx \`
			`--disable-wtmp \`
			`--disable-wtmpx \`
			`--disable-strip`
Add openssl and openssh. Fix up UML kernel build. 2002-10-17 10:55:05 +02:00
openssh: drop user from skeleton The sshd privilege drop user doesn't belong in the skeleton, it's exclusively used by OpenSSH. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2014-10-27 19:18:55 +01:00			`define OPENSSH_USERS`
package//.mk: Fix indent Fix indent for LIBFOO_USERS and LIBFOO_PERMISSIONS as per the manual example. Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2014-11-03 00:39:51 +01:00			`sshd -1 sshd -1 * - - - SSH drop priv user`
openssh: drop user from skeleton The sshd privilege drop user doesn't belong in the skeleton, it's exclusively used by OpenSSH. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2014-10-27 19:18:55 +01:00			`endef`

toolchain: add hidden symbol for PIE support uClibc-ng does not support PIE for some architectures as arc and m68k. It isn't implemented in the static linking case, too. With musl toolchains you might have static PIE support with little patching of gcc. Static linking for GNU libc isn't enabled in buildroot. Fixup any package using special treatment of PIE. (grep -ir pie package//.mk) Signed-off-by: Waldemar Brodkorb <wbx@openadk.org> [Thomas: use positive logic.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-07-11 16:35:14 +02:00			`ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)`
openssh: fix static compilation PIE and static doesn't work on Linux. Fixes: http://autobuild.buildroot.net/results/dce/dce0202e039f4636d68532c4aab8738938b76650/ Signed-off-by: Waldemar Brodkorb <wbx@openadk.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-08-29 09:46:35 +02:00			`OPENSSH_CONF_OPTS += --without-pie`
			`endif`
openssh: disable PIE when building for ARC Fixes build failure reported here: http://autobuild.buildroot.net/results/262/26218e028f3d2c77c5192b45154627f08384b688/ uClibc toolchain for ARC doesn't support PIE Attempt to build anything with "-pie" option lead to linker failure: arc-buildroot-linux-uclibc-gcc -pie test.c ld: ../4.8-r3/bin/../arc-buildroot-linux-uclibc/sysroot/usr/lib/crt1.o: warning: unresolvable relocation against symbol `__uClibc_main' from .text section ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__deregister_frame_info@@GCC_3.0' from .text section ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__deregister_frame_info@@GCC_3.0' from .text section ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__register_frame_info@@GCC_3.0' from .text section ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__register_frame_info@@GCC_3.0' from .text section In its turn this behavior confuses configure script of openssh so some options get set improperly. In particular "strnvis" gets determined as existing which causes failure during compilation: log.c:67:25: error: 'VIS_SAFE' undeclared (first use in this function) #define LOG_STDERR_VIS (VIS_SAFE\|VIS_OCTAL) With disabled PIE ("--without-pie") openssh gets built without issues. Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Anton Kolesov <akolesov@synopsys.com> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2014-07-30 14:32:21 +02:00
openssh: convert to Makefile.autotools.in and bump version to 5.1p1 This patch converts building of OpenSSH to use Makefile.autotools.in instead and in the same process bump to latest upstream version 5.1p1. The openssh.path is also cleaned up a bit to reflect the new release, i.e. some of the patch is already applied/fixed upstream. Signed-off-by: Hans-Christian Egtvedt <hans-christian.egtvedt@atmel.com> 2008-09-24 14:00:57 +02:00			`OPENSSH_DEPENDENCIES = zlib openssl`
Thomas Cameron writes: this patch fixes the source file downloads when executing a "make source", and a few cut-and-paste (tm) errors in the *.mk files. Again, this is a patch against the current CVS sources, and includes my previous patch. 2003-11-12 10:31:12 +01:00
openssh: add support for HW SSL engines Enable support for OpenSSH to use a hardware SSL engine if cryptodev-linux is included. Without this, OpenSSH uses only OpenSSL software crypto implementation. Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> CC: Baruch Siach <baruch@tkos.co.il> CC: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-18 15:03:03 +02:00			`ifeq ($(BR2_PACKAGE_CRYPTODEV_LINUX),y)`
			`OPENSSH_DEPENDENCIES += cryptodev-linux`
			`OPENSSH_CONF_OPTS += --with-ssl-engine`
			`else`
			`OPENSSH_CONF_OPTS += --without-ssl-engine`
			`endif`

openssh: add linux-pam support Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2012-09-15 16:27:53 +02:00			`ifeq ($(BR2_PACKAGE_LINUX_PAM),y)`
openssh: selinux and pam support [Thomas: in the sed expression, use % as a delimiter instead of /, since the line contains several / that all had to be escaped.] Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-07-14 22:20:22 +02:00			`define OPENSSH_INSTALL_PAM_CONF`
			`$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd`
			`$(SED) '\%password required /lib/security/pam_cracklib.so%d' $(TARGET_DIR)/etc/pam.d/sshd`
			`$(SED) 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config`
			`endef`

openssh: add linux-pam support Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2012-09-15 16:27:53 +02:00			`OPENSSH_DEPENDENCIES += linux-pam`
packages: rename FOO_CONF_OPT into FOO_CONF_OPTS To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS, make the same change for FOO_CONF_OPT. Sed command used: find * -type f \| xargs sed -i 's#_CONF_OPT\>#&S#g' Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2014-09-27 21:32:44 +02:00			`OPENSSH_CONF_OPTS += --with-pam`
openssh: selinux and pam support [Thomas: in the sed expression, use % as a delimiter instead of /, since the line contains several / that all had to be escaped.] Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-07-14 22:20:22 +02:00			`OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF`
			`else`
			`OPENSSH_CONF_OPTS += --without-pam`
			`endif`

			`ifeq ($(BR2_PACKAGE_LIBSELINUX),y)`
			`OPENSSH_DEPENDENCIES += libselinux`
			`OPENSSH_CONF_OPTS += --with-selinux`
			`else`
			`OPENSSH_CONF_OPTS += --without-selinux`
openssh: add linux-pam support Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2012-09-15 16:27:53 +02:00			`endif`

openssh: add systemd unit file And only install sysV-style script when appropiate. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2013-12-04 11:37:53 +01:00			`define OPENSSH_INSTALL_INIT_SYSTEMD`
			`$(INSTALL) -D -m 644 package/openssh/sshd.service \`
openssh: move systemd service files to /usr/lib Signed-off-by: Mike Williams <mike@mikebwilliams.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-03-20 20:13:59 +01:00			`$(TARGET_DIR)/usr/lib/systemd/system/sshd.service`
openssh: add systemd unit file And only install sysV-style script when appropiate. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2013-12-04 11:37:53 +01:00			`mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants`
openssh: move systemd service files to /usr/lib Signed-off-by: Mike Williams <mike@mikebwilliams.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-03-20 20:13:59 +01:00			`ln -fs ../../../../usr/lib/systemd/system/sshd.service \`
openssh: add systemd unit file And only install sysV-style script when appropiate. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2013-12-04 11:37:53 +01:00			`$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshd.service`
openssh: convert old-style hook to new-style hook Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2010-09-01 22:48:22 +02:00			`endef`

openssh: add systemd unit file And only install sysV-style script when appropiate. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2013-12-04 11:37:53 +01:00			`define OPENSSH_INSTALL_INIT_SYSV`
			`$(INSTALL) -D -m 755 package/openssh/S50sshd \`
			`$(TARGET_DIR)/etc/init.d/S50sshd`
			`endef`
openssh: convert old-style hook to new-style hook Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2010-09-01 22:48:22 +02:00
all packages: rename XXXTARGETS to xxx-package Also remove the redundant $(call ...). This is a purely mechanical change, performed with find package linux toolchain boot -name \*.mk \| \ xargs sed -i -e 's/$(eval $(call GENTARGETS))/$(eval $(generic-package))/' \ -e 's/$(eval $(call AUTOTARGETS))/$(eval $(autotools-package))/' \ -e 's/$(eval $(call CMAKETARGETS))/$(eval $(cmake-package))/' Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2012-07-03 00:07:32 +02:00			`$(eval $(autotools-package))`