Mohd Husaam Mehdi authored 1 year ago and Markus Gothe committed 3 months ago

Fallback to Radius authentication if local user is not present,
but in that case, the user will be logged in as root.

Change-Id: I0d9030f04bc0acfdf24d0403127c97935a5c7607

OpenSSH 9.8p1 removed support for DSA (DSS) signature algorithms.

From:
https://www.openssh.com/txt/release-9.8

"OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time."

Release notes: https://www.openssh.com/txt/release-9.8



* 9.8p1 fixes CVE-2024-6387
* Adjusted Makefile to provide /usr/lib/sshd-session
* Given the troubles with -fzero-call-used-regs and all the
  broken checks, makes sense to skip it

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 75674f0439ee497bc6b77222a23e3974d150be89)

* add rsa-sha2-512 and rsa-sha2-256 to default list of HostKeyAlgorithms

Add support and set defaults for following in default sshd config:

* Ciphers:		aes256-ctr, aes192-ctr, aes128-ctr

* HostKeyAlgorithms:	ssh-dss, ssh-rsa, ecdsa-sha2-nistp521,
			ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

* HostKeyFiles:		default is empty

* KexAlgorithms:	diffie-hellman-group-exchange-sha256,
			diffie-hellman-group14-sha1,
			ecdh-sha2-nistp521,ecdh-sha2-nistp384,
			ecdh-sha2-nistp256

* add uci-default script that will generate an sshd config from
  dropbear config, if present (to preserve settings from previous
  image which had dropbear), or with default values if sshd config
  is also not present

* the script will also check for dropbear key file and if found,
  place them where sshd expects them

Release notes: https://www.openssh.com/txt/release-9.7



Removed upstreamed patch: 010-better_fzero-call-detection.patch

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6be0617c00bdf5e9309ad3738d09fe498cb9fb0a)

the values read from uci will now be written to a config file
which will be passed to sshd, instead of passing the values
as command line arguments to sshd

Mohd Mehdi authored 11 months ago and Rahul Thakur committed 11 months ago

* openssh package is missing uci support in openwrt,
this commit implements the same. The init script
now reads from the uci and passes the arguments to
openssh.
* support for handling multiple instances is also
added.

note: the same has been up-streamed and has also got
1 approval already.

https://github.com/openssh/openssh-portable/commit/1036d77b34a5fa15e56f516b81b9928006848cbd



Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit a79c49578ca136556bd10d8990aa52ef4eb0664b)

Release notes: https://www.openssh.com/txt/release-9.6



Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
(cherry picked from commit e8dfc6abbee88f35887c66ec785b081252d6d07d)

Changelog: https://www.openssh.com/txt/release-9.5



Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6dc86d46da18d573971b7e7a2d625b2498dbe249)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 7fb8e823b977c6d95225cc98fdb1f31455b5e179)

Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit ead95a26b68f4145937034d84abdf9e0f7fe1eb7)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 731f0d70a8392f1d3abf1877334cfe25c6a0786f)

OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz.  This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Also point to https for website.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Configure the openssh server to respawn. Reload by sending SIGHUP

Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>

The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.

Signed-off-by: Glen Huang <me@glenhuang.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Remove upstreamed patches.

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>

In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two type enable the usage of hardware tokens that
implement the FIDO (or FIDO2) standard, as an authentication method for
SSH.

Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.

OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.

[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2


[2]: tools.ietf.org/html/rfc7049

Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>

Adds failsafe support to the openssh package.
Roughly based on an earlier patch.

Ref: https://github.com/openwrt/openwrt/pull/865


Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Yuan Tao <ty@wevs.org>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>