openssh: import from packages

Signed-off-by: Peter Wagner <tripolar@gmx.at>

net/openssh/Makefile

@@ -0,0 +1,265 @@
+#
+# Copyright (C) 2006-2011 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=openssh
+PKG_VERSION:=6.6p1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
+		ftp://openbsd.wiretapped.net/pub/OpenBSD/OpenSSH/portable/ \
+		ftp://ftp.belnet.be/packages/openbsd/OpenSSH/portable/ \
+		ftp://ftp.de.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/
+PKG_MD5SUM:=3e9800e6bca1fbac0eea4d41baa7f239
+
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_BUILD_DEPENDS:=libopenssl
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/openssh/Default
+	SECTION:=net
+	CATEGORY:=Network
+	DEPENDS:=+libopenssl +zlib +SSP_SUPPORT:libssp
+	TITLE:=OpenSSH
+	MAINTAINER:=Peter Wagner <tripolar@gmx.at>
+	URL:=http://www.openssh.com/
+	SUBMENU:=SSH
+	VARIANT:=without-pam
+endef
+
+define Package/openssh-moduli
+	$(call Package/openssh/Default)
+	DEPENDS+= +openssh-keygen
+	TITLE+= moduli file
+endef
+
+define Package/openssh-moduli/description
+OpenSSH server moduli file.
+endef
+
+define Package/openssh-client
+	$(call Package/openssh/Default)
+	TITLE+= client
+endef
+
+define Package/openssh-client/description
+OpenSSH client.
+endef
+
+define Package/openssh-client/conffiles
+/etc/ssh/ssh_config
+endef
+
+define Package/openssh-client-utils
+	$(call Package/openssh/Default)
+	DEPENDS+= +openssh-client +openssh-keygen
+	TITLE+= client utilities
+endef
+
+define Package/openssh-client-utils/description
+OpenSSH client utilities.
+endef
+
+define Package/openssh-keygen
+	$(call Package/openssh/Default)
+	TITLE+= keygen
+endef
+
+define Package/openssh-keygen/description
+OpenSSH keygen.
+endef
+
+define Package/openssh-server
+	$(call Package/openssh/Default)
+	DEPENDS+= +openssh-keygen
+	TITLE+= server
+endef
+
+define Package/openssh-server/description
+OpenSSH server.
+endef
+
+define Package/openssh-server/conffiles
+/etc/ssh/sshd_config
+endef
+
+define Package/openssh-server-pam
+	$(call Package/openssh/Default)
+	DEPENDS+= +libpthread +openssh-keygen +libpam
+	TITLE+= server (with PAM support)
+	VARIANT:=with-pam
+endef
+
+define Package/openssh-server-pam/description
+OpenSSH server (with PAM support).
+endef
+
+define Package/openssh-server-pam/conffiles
+/etc/pam.d/sshd
+/etc/security/access-sshd-local.conf
+/etc/ssh/sshd_config
+endef
+
+define Package/openssh-sftp-client
+	$(call Package/openssh/Default)
+	TITLE+= SFTP client
+endef
+
+define Package/openssh-sftp-client/description
+OpenSSH SFTP client.
+endef
+
+define Package/openssh-sftp-server
+	$(call Package/openssh/Default)
+	TITLE+= SFTP server
+endef
+
+define Package/openssh-sftp-server/description
+OpenSSH SFTP server.
+endef
+
+CONFIGURE_ARGS+= \
+	$(DISABLE_NLS) \
+	--sysconfdir=/etc/ssh \
+	--with-privsep-user=sshd \
+	--with-privsep-path=/var/empty \
+	--enable-shared \
+	--disable-static \
+	--disable-debug \
+	--disable-strip \
+	--disable-etc-default-login \
+	--disable-lastlog \
+	--disable-utmp \
+	--disable-utmpx \
+	--disable-wtmp \
+	--disable-wtmpx \
+	--without-bsd-auth \
+	--without-kerberos5 \
+	--without-x
+
+ifeq ($(BUILD_VARIANT),with-pam)
+CONFIGURE_ARGS += \
+	--with-pam
+else
+CONFIGURE_ARGS += \
+	--without-pam
+endif
+
+ifeq ($(CONFIG_OPENSSL_ENGINE),y)
+CONFIGURE_ARGS+= \
+	--with-ssl-engine
+endif
+
+ifneq ($(CONFIG_SSP_SUPPORT),y)
+CONFIGURE_ARGS += \
+	--without-stackprotect
+endif
+
+CONFIGURE_VARS += LD="$(TARGET_CC)"
+
+ifeq ($(BUILD_VARIANT),with-pam)
+TARGET_LDFLAGS += -lpthread
+endif
+
+define Build/Compile
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		LIBS="" \
+		sftp-server
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		STRIP_OPT="" \
+		all install
+endef
+
+define Package/openssh-client/preinst
+#!/bin/sh
+if [ -L $${IPKG_INSTROOT}/usr/bin/ssh ] && [ -L $${IPKG_INSTROOT}/usr/bin/scp ]; then
+	rm -f $${IPKG_INSTROOT}/usr/bin/ssh $${IPKG_INSTROOT}/usr/bin/scp;
+fi
+exit 0
+endef
+
+define Package/openssh-client/postrm
+#!/bin/sh
+rm -f $${IPKG_INSTROOT}/usr/bin/ssh $${IPKG_INSTROOT}/usr/bin/scp;
+if [ -x $${IPKG_INSTROOT}/usr/sbin/dropbear ] ; then
+	ln -s /usr/sbin/dropbear $${IPKG_INSTROOT}/usr/bin/ssh;
+	ln -s /usr/sbin/dropbear $${IPKG_INSTROOT}/usr/bin/scp;
+fi
+exit 0
+endef
+
+define Package/openssh-moduli/install
+	$(INSTALL_DIR) $(1)/etc/ssh
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/
+endef
+
+define Package/openssh-client/install
+	$(INSTALL_DIR) $(1)/etc/ssh
+	chmod 0700 $(1)/etc/ssh
+	$(CP) $(PKG_INSTALL_DIR)/etc/ssh/ssh_config $(1)/etc/ssh/
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ssh $(1)/usr/bin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/scp $(1)/usr/bin/
+endef
+
+define Package/openssh-client-utils/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(foreach bin,add agent keyscan keysign,$(PKG_BUILD_DIR)/ssh-$(bin)) $(1)/usr/bin/
+endef
+
+define Package/openssh-keygen/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ssh-keygen $(1)/usr/bin/
+endef
+
+define Package/openssh-server/install
+	$(INSTALL_DIR) $(1)/etc/ssh
+	chmod 0700 $(1)/etc/ssh
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/
+endef
+
+define Package/openssh-server-pam/install
+	$(call Package/openssh-server/install,$(1))
+	sed -i 's,#PasswordAuthentication yes,PasswordAuthentication no,g' $(1)/etc/ssh/sshd_config
+	sed -i 's,#UsePAM no,UsePAM yes,g' $(1)/etc/ssh/sshd_config
+	$(INSTALL_DIR) $(1)/etc/pam.d
+	$(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd
+	$(INSTALL_DIR) $(1)/etc/security
+	$(INSTALL_DATA) ./files/sshd.pam-access $(1)/etc/security/access-sshd-local.conf
+endef
+
+define Package/openssh-sftp-client/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/sftp $(1)/usr/bin/
+endef
+
+define Package/openssh-sftp-server/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/sftp-server $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/libexec
+	ln -sf ../lib/sftp-server $(1)/usr/libexec/sftp-server
+endef
+
+$(eval $(call BuildPackage,openssh-client))
+$(eval $(call BuildPackage,openssh-moduli))
+$(eval $(call BuildPackage,openssh-client-utils))
+$(eval $(call BuildPackage,openssh-keygen))
+$(eval $(call BuildPackage,openssh-server))
+$(eval $(call BuildPackage,openssh-server-pam))
+$(eval $(call BuildPackage,openssh-sftp-client))
+$(eval $(call BuildPackage,openssh-sftp-server))

net/openssh/files/sshd.init

@@ -0,0 +1,44 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+START=50
+STOP=50
+
+USE_PROCD=1
+PROG=/usr/sbin/sshd
+
+start_service() {
+	for type in rsa dsa; do {
+		# check for keys
+		key=/etc/ssh/ssh_host_${type}_key
+		[ ! -f $key ] && {
+			# generate missing keys
+			[ -x /usr/bin/ssh-keygen ] && {
+				/usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&-
+			}
+		}
+	}; done
+	user_exists sshd 22 || user_add sshd 22 22 sshd /var/empty
+	group_exists sshd 22 || group_add sshd 22 
+	mkdir -m 0700 -p /var/empty
+
+	procd_open_instance
+	procd_set_param command $PROG -D
+	procd_close_instance
+}
+
+shutdown() {
+	local pid
+	local pids
+	local pid_mine
+
+	stop
+
+	# kill active clients
+	pid_mine="$$"
+	pids="$(pidof sshd)"
+	for pid in $pids; do
+		[ "$pid" = "$pid_mine" ] && continue
+		[ -e "/proc/$pid/stat" ] && kill $pid
+	done
+}

net/openssh/files/sshd.pam

@@ -0,0 +1,41 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth       required     pam_env.so
+
+# Skip Google Authenticator if logging in from the local network.
+# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
+# Google Authenticator 2-step verification.
+# auth       requisite    pam_google_authenticator.so
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account    required     pam_access.so
+
+# Standard Un*x authorization.
+account    include      common-account
+
+# Standard Un*x session setup and teardown.
+session    include      common-session
+
+# Print the message of the day upon successful login.
+session    optional     pam_motd.so
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session    required     pam_selinux.so multiple
+
+# Standard Un*x password updating.
+password   include      common-password

net/openssh/files/sshd.pam-access

@@ -0,0 +1,4 @@
+# Skip Google Authenticator for local network
+#+ : ALL : 192.168.1.0/24
++ : ALL : LOCAL
+- : ALL : ALL

net/openssh/patches/100-no_cast_fix.patch

@@ -0,0 +1,13 @@
+--- a/cipher.c
++++ b/cipher.c
+@@ -80,8 +80,10 @@ static const struct Cipher ciphers[] = {
+ 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ 	{ "blowfish-cbc",
+ 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
++#ifndef OPENSSL_NO_CAST
+ 	{ "cast128-cbc",
+ 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
++#endif
+ 	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+ 	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+ 	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },

net/openssh/patches/130-implicit_memset_decl_fix.patch

@@ -0,0 +1,12 @@
+--- a/includes.h
++++ b/includes.h
+@@ -59,6 +59,9 @@
+ /*
+  *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
+  */
++#ifdef HAVE_STRING_H
++# include <string.h>
++#endif
+ #ifdef HAVE_STRINGS_H
+ # include <strings.h>
+ #endif

net/openssh/patches/140-pam_uclibc_pthreads_fix.patch

@@ -0,0 +1,84 @@
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -159,7 +159,7 @@ sshpam_sigchld_handler(int sig)
+ 	}
+ 	if (WIFSIGNALED(sshpam_thread_status) &&
+ 	    WTERMSIG(sshpam_thread_status) == SIGTERM)
+-		return;	/* terminated by pthread_cancel */
++		return;	/* terminated by pthread2_cancel */
+ 	if (!WIFEXITED(sshpam_thread_status))
+ 		sigdie("PAM: authentication thread exited unexpectedly");
+ 	if (WEXITSTATUS(sshpam_thread_status) != 0)
+@@ -168,14 +168,14 @@ sshpam_sigchld_handler(int sig)
+ 
+ /* ARGSUSED */
+ static void
+-pthread_exit(void *value)
++pthread2_exit(void *value)
+ {
+ 	_exit(0);
+ }
+ 
+ /* ARGSUSED */
+ static int
+-pthread_create(sp_pthread_t *thread, const void *attr,
++pthread2_create(sp_pthread_t *thread, const void *attr,
+     void *(*thread_start)(void *), void *arg)
+ {
+ 	pid_t pid;
+@@ -201,7 +201,7 @@ pthread_create(sp_pthread_t *thread, con
+ }
+ 
+ static int
+-pthread_cancel(sp_pthread_t thread)
++pthread2_cancel(sp_pthread_t thread)
+ {
+ 	signal(SIGCHLD, sshpam_oldsig);
+ 	return (kill(thread, SIGTERM));
+@@ -209,7 +209,7 @@ pthread_cancel(sp_pthread_t thread)
+ 
+ /* ARGSUSED */
+ static int
+-pthread_join(sp_pthread_t thread, void **value)
++pthread2_join(sp_pthread_t thread, void **value)
+ {
+ 	int status;
+ 
+@@ -510,7 +510,7 @@ sshpam_thread(void *ctxtp)
+ 	/* XXX - can't do much about an error here */
+ 	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
+ 	buffer_free(&buffer);
+-	pthread_exit(NULL);
++	pthread2_exit(NULL);
+ 
+  auth_fail:
+ 	buffer_put_cstring(&buffer,
+@@ -521,7 +521,7 @@ sshpam_thread(void *ctxtp)
+ 	else
+ 		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ 	buffer_free(&buffer);
+-	pthread_exit(NULL);
++	pthread2_exit(NULL);
+ 
+ 	return (NULL); /* Avoid warning for non-pthread case */
+ }
+@@ -533,8 +533,8 @@ sshpam_thread_cleanup(void)
+ 
+ 	debug3("PAM: %s entering", __func__);
+ 	if (ctxt != NULL && ctxt->pam_thread != 0) {
+-		pthread_cancel(ctxt->pam_thread);
+-		pthread_join(ctxt->pam_thread, NULL);
++		pthread2_cancel(ctxt->pam_thread);
++		pthread2_join(ctxt->pam_thread, NULL);
+ 		close(ctxt->pam_psock);
+ 		close(ctxt->pam_csock);
+ 		memset(ctxt, 0, sizeof(*ctxt));
+@@ -698,7 +698,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ 	}
+ 	ctxt->pam_psock = socks[0];
+ 	ctxt->pam_csock = socks[1];
+-	if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
++	if (pthread2_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
+ 		error("PAM: failed to start authentication thread: %s",
+ 		    strerror(errno));
+ 		close(socks[0]);

net/openssh/patches/200-dscp-qos.patch

@@ -0,0 +1,21 @@
+--- a/ssh_config
++++ b/ssh_config
+@@ -46,3 +46,6 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
++
++# enable DSCP QoS values (per RFC-4594)
++#IPQoS AF21 AF11
+--- a/sshd_config
++++ b/sshd_config
+@@ -122,6 +122,9 @@ UsePrivilegeSeparation sandbox		# Defaul
+ # no default banner path
+ #Banner none
+ 
++# enable DSCP QoS values (per RFC-4594)
++#IPQoS AF21 AF11
++
+ # override default of no subsystems
+ Subsystem	sftp	/usr/libexec/sftp-server
+