Mohd Husaam Mehdi authored 1 year ago and Markus Gothe committed 7 months ago

Fallback to Radius authentication if local user is not present,
but in that case, the user will be logged in as root.

Change-Id: I0d9030f04bc0acfdf24d0403127c97935a5c7607

Mohd Husaam Mehdi authored 2 years ago and Markus Gothe committed 7 months ago

* Modifies openssh defaults to allow ssh for root.
* Adds commented pam_radius_auth.so to sshd.pam so that user does not have to manually copy it.

Change-Id: Ib5d78d2defb201f048cf04aee13adbb1e5c55c8e

* add rsa-sha2-512 and rsa-sha2-256 to default list of HostKeyAlgorithms

Add support and set defaults for following in default sshd config:

* Ciphers:		aes256-ctr, aes192-ctr, aes128-ctr

* HostKeyAlgorithms:	ssh-dss, ssh-rsa, ecdsa-sha2-nistp521,
			ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

* HostKeyFiles:		default is empty

* KexAlgorithms:	diffie-hellman-group-exchange-sha256,
			diffie-hellman-group14-sha1,
			ecdh-sha2-nistp521,ecdh-sha2-nistp384,
			ecdh-sha2-nistp256

* add uci-default script that will generate an sshd config from
  dropbear config, if present (to preserve settings from previous
  image which had dropbear), or with default values if sshd config
  is also not present

* the script will also check for dropbear key file and if found,
  place them where sshd expects them

the values read from uci will now be written to a config file
which will be passed to sshd, instead of passing the values
as command line arguments to sshd

Mohd Mehdi authored 11 months ago and Rahul Thakur committed 11 months ago

* openssh package is missing uci support in openwrt,
this commit implements the same. The init script
now reads from the uci and passes the arguments to
openssh.
* support for handling multiple instances is also
added.

note: the same has been up-streamed and has also got
1 approval already.

Changelog: https://www.openssh.com/txt/release-9.5



Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6dc86d46da18d573971b7e7a2d625b2498dbe249)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 7fb8e823b977c6d95225cc98fdb1f31455b5e179)

Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit ead95a26b68f4145937034d84abdf9e0f7fe1eb7)

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
(cherry picked from commit 731f0d70a8392f1d3abf1877334cfe25c6a0786f)

OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz.  This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Also point to https for website.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>

Configure the openssh server to respawn. Reload by sending SIGHUP

Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>

The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.

Signed-off-by: Glen Huang <me@glenhuang.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Remove upstreamed patches.

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>

In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>

Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two type enable the usage of hardware tokens that
implement the FIDO (or FIDO2) standard, as an authentication method for
SSH.

Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.

OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.

[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2


[2]: tools.ietf.org/html/rfc7049

Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>

Adds failsafe support to the openssh package.
Roughly based on an earlier patch.

Ref: https://github.com/openwrt/openwrt/pull/865


Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Signed-off-by: Yuan Tao <ty@wevs.org>

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Removed outdated options.

Small bashism fix in the init script.

Signed-off-by: Rosen Penev <rosenp@gmail.com>

b933f9cf0cb254e368027cad6d5799e45b237df5 in base made several changes
to OpenWrt's libssp support. It seems this workaround is no longer
needed.

Simplified the configure script slightly.

Signed-off-by: Rosen Penev <rosenp@gmail.com>

The init.d script for sshd never generates an ecdsa HostKey as seen
here:

	for type in rsa ed25519
	do
		# check for keys
		key=/etc/ssh/ssh_host_${type}_key
		[ ! -f $key ] && {
			# generate missing keys
			[ -x /usr/bin/ssh-keygen ] && {
				/usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&-
			}
		}
	done

so we'll never succeed at loading one.  Get rid of the resultant
error message in logging:

May  5 17:13:59 OpenWrt sshd[20070]: error: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

This removes lines that set PKG_BUILD_DIR when the set value is no
different from the default value.

Specifically, the line is removed if the assigned value is:

* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)

  The default PKG_BUILD_DIR was updated[1] to incorporate BUILD_VARIANT
  if it is set, so now this is identical to the default value.

* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)

  if PKG_SOURCE_SUBDIR is set to $(PKG_NAME)-$(PKG_VERSION), making it
  the same as the previous case

* $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

  This is the same as the default PKG_BUILD_DIR when there is no
  BUILD_VARIANT.

* $(BUILD_DIR)/[name]-$(PKG_VERSION)

  where [name] is a string that is identical to PKG_NAME

[1]: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=e545fac8d968864a965edb9e50c6f90940b0a6c9



Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 53e1692a)

Signed-off-by: Peter Wagner <tripolar@gmx.at>