If sftp-server is installed, use it.

Michael Heimpold authored 1 month ago and Erik Karlsson committed 1 month ago

The -r option is not required here but should also not hurt,
since it was already tested, that $key is a file.
However, to express the intent of the command more clearly,
let's drop it.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

'ssh-keygen -l' is a bit forgiving for
corrupted files, hardening this by
using 'ssh-keygen -y' instead.

Imitate dropbear init.d-script and make sure we
don't end up with corrupt keys.

Starting with OpenSSH 9.8 sessions are handled by a separate binary
called sshd-session

Otherwise we might end up in a state where we cannot
generate the desired configurations and 'ssh' will
stop working.

OpenSSH 9.8p1 removed support for DSA (DSS) signature algorithms.

From:
https://www.openssh.com/txt/release-9.8

"OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time."

Release notes: https://www.openssh.com/txt/release-9.8



* 9.8p1 fixes CVE-2024-6387
* Adjusted Makefile to provide /usr/lib/sshd-session
* Given the troubles with -fzero-call-used-regs and all the
  broken checks, makes sense to skip it

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 75674f0439ee497bc6b77222a23e3974d150be89)

* add rsa-sha2-512 and rsa-sha2-256 to default list of HostKeyAlgorithms

Add support and set defaults for following in default sshd config:

* Ciphers:		aes256-ctr, aes192-ctr, aes128-ctr

* HostKeyAlgorithms:	ssh-dss, ssh-rsa, ecdsa-sha2-nistp521,
			ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

* HostKeyFiles:		default is empty

* KexAlgorithms:	diffie-hellman-group-exchange-sha256,
			diffie-hellman-group14-sha1,
			ecdh-sha2-nistp521,ecdh-sha2-nistp384,
			ecdh-sha2-nistp256

* add uci-default script that will generate an sshd config from
  dropbear config, if present (to preserve settings from previous
  image which had dropbear), or with default values if sshd config
  is also not present

* the script will also check for dropbear key file and if found,
  place them where sshd expects them

Release notes: https://www.openssh.com/txt/release-9.7



Removed upstreamed patch: 010-better_fzero-call-detection.patch

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6be0617c00bdf5e9309ad3738d09fe498cb9fb0a)

the values read from uci will now be written to a config file
which will be passed to sshd, instead of passing the values
as command line arguments to sshd

Mohd Mehdi authored 11 months ago and Rahul Thakur committed 11 months ago

* openssh package is missing uci support in openwrt,
this commit implements the same. The init script
now reads from the uci and passes the arguments to
openssh.
* support for handling multiple instances is also
added.

note: the same has been up-streamed and has also got
1 approval already.

https://github.com/openssh/openssh-portable/commit/1036d77b34a5fa15e56f516b81b9928006848cbd



Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit a79c49578ca136556bd10d8990aa52ef4eb0664b)

Release notes: https://www.openssh.com/txt/release-9.6



Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
(cherry picked from commit e8dfc6abbee88f35887c66ec785b081252d6d07d)

Changelog: https://www.openssh.com/txt/release-9.5



Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6dc86d46da18d573971b7e7a2d625b2498dbe249)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 7fb8e823b977c6d95225cc98fdb1f31455b5e179)

Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit ead95a26b68f4145937034d84abdf9e0f7fe1eb7)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 731f0d70a8392f1d3abf1877334cfe25c6a0786f)

OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz.  This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Also point to https for website.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Configure the openssh server to respawn. Reload by sending SIGHUP

Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>

The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.

Signed-off-by: Glen Huang <me@glenhuang.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Remove upstreamed patches.

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>

In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>