glibc 2.39 has removed libcrypt completely.
solution: link against libxcrypt built with glibc compatibility.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
For users to make use of system-wide settings, the /etc/ssh/
directory and its contents need to be world readable.
Fixes: #26608
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This update requires sshd-auth to be packaged due to the authentication
bin split introduced in this version.
Changelog: https://www.openssh.com/txt/release-10.0
Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64
Signed-off-by: John Audia <therealgraysky@proton.me>
Add openssh-sk-helper package containing ssh-sk-helper.
The helper can be used by openssh-client, openssh-sftp-client,
and openssh-keygen to access `ecdsa_sk` and `ed25519_sk keys
provided by a FIDO U2F or FIDO2 hardware token connected over USB.
Close#24509
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
This reverts commit 855db864b0.
The reverted commit doesn't make sense since the component
(ssh-sk-helper) that uses libfido2, which is mentioned in
the commit message, isn't packaged.
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
Updated and removed upstreamed patch.
Highlights relating to security:
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Full release notes: https://www.openssh.com/txt/release-9.9p2
Signed-off-by: John Audia <therealgraysky@proton.me>
The -r option is not required here but should also not hurt,
since it was already tested, that $key is a file.
However, to express the intent of the command more clearly,
let's drop it.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Imitate dropbear init.d-script and make sure we
don't end up with corrupt keys.
This can happen if we use a caching filesystem,
like 'ubifs', and the DUT is powered off during
boot-up.
Signed-off-by: Markus Gothe <markus.gothe@genexis.eu>
Adjust openssh's versioning to be compatible with apk:
8.9p1-r2 --> 8.9_p1-r2
"_p" is an allowed semantic suffix, so use that.
(Alternative might have been 8.9.1-r2)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The `ssh_systemd_notify` function is causing compilation errors
when built against GCC 14.1. This is due to an incompatible pointer
type being passed to the connect function.
The connect function expects a pointer to `struct sockaddr`, but
was receiving a pointer to `struct sockaddr_un`.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Release notes: https://www.openssh.com/txt/release-9.8
* 9.8p1 fixes CVE-2024-6387
* Adjusted Makefile to provide /usr/lib/sshd-session
* Given the troubles with -fzero-call-used-regs and all the
broken checks, makes sense to skip it
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz. This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.
Signed-off-by: Glen Huang <me@glenhuang.com>
In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two type enable the usage of hardware tokens that
implement the FIDO (or FIDO2) standard, as an authentication method for
SSH.
Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.
OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.
[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049
Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>
b933f9cf0cb254e368027cad6d5799e45b237df5 in base made several changes
to OpenWrt's libssp support. It seems this workaround is no longer
needed.
Simplified the configure script slightly.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The init.d script for sshd never generates an ecdsa HostKey as seen
here:
for type in rsa ed25519
do
# check for keys
key=/etc/ssh/ssh_host_${type}_key
[ ! -f $key ] && {
# generate missing keys
[ -x /usr/bin/ssh-keygen ] && {
/usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&-
}
}
done
so we'll never succeed at loading one. Get rid of the resultant
error message in logging:
May 5 17:13:59 OpenWrt sshd[20070]: error: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
