openssh: align the service behavior with stx 3.0 63/3563/1
authorJackie Huang <jackie.huang@windriver.com>
Fri, 1 May 2020 14:20:59 +0000 (22:20 +0800)
committerJackie Huang <jackie.huang@windriver.com>
Sun, 3 May 2020 02:59:54 +0000 (10:59 +0800)
- Remove the sshd.socket and sshd@.service units installed by yocto by default
- Add the service and config files from stx 3.0 and align
  the service behavior
- Fix the postinst for sshd-config and enable the service

Issue-ID: INF-68
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Change-Id: I0741b5e413e9a2c831b3f248a9fa6ef9444bd6a0

meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen [new file with mode: 0644]
meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service [new file with mode: 0644]
meta-stx/recipes-connectivity/openssh/files/stx/sshd.init [new file with mode: 0755]
meta-stx/recipes-connectivity/openssh/files/stx/sshd.service [new file with mode: 0644]
meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig [new file with mode: 0644]
meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend [new file with mode: 0644]
meta-stx/recipes-core/stx-config-files/config-files_1.0.0.bb

diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen
new file mode 100644 (file)
index 0000000..1207eb9
--- /dev/null
@@ -0,0 +1,154 @@
+#!/bin/bash
+
+# Create the host keys for the OpenSSH server.
+#
+# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
+# variable.
+AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
+
+# source function library
+. /etc/init.d/functions
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+fips_enabled() {
+       if [ -r /proc/sys/crypto/fips_enabled ]; then
+               cat /proc/sys/crypto/fips_enabled
+       else
+               echo 0
+       fi
+}
+
+do_rsa1_keygen() {
+       if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
+               echo -n $"Generating SSH1 RSA host key: "
+               rm -f $RSA1_KEY
+               if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+                       chgrp ssh_keys $RSA1_KEY
+                       chmod 600 $RSA1_KEY
+                       chmod 644 $RSA1_KEY.pub
+                       if [ -x /sbin/restorecon ]; then
+                           /sbin/restorecon $RSA1_KEY{,.pub}
+                       fi
+                       success $"RSA1 key generation"
+                       echo
+               else
+                       failure $"RSA1 key generation"
+                       echo
+                       exit 1
+               fi
+       fi
+}
+
+do_rsa_keygen() {
+       if [ ! -s $RSA_KEY ]; then
+               echo -n $"Generating SSH2 RSA host key: "
+               rm -f $RSA_KEY
+               if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+                       chgrp ssh_keys $RSA_KEY
+                       chmod 600 $RSA_KEY
+                       chmod 644 $RSA_KEY.pub
+                       if [ -x /sbin/restorecon ]; then
+                           /sbin/restorecon $RSA_KEY{,.pub}
+                       fi
+                       success $"RSA key generation"
+                       echo
+               else
+                       failure $"RSA key generation"
+                       echo
+                       exit 1
+               fi
+       fi
+}
+
+do_dsa_keygen() {
+       if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
+               echo -n $"Generating SSH2 DSA host key: "
+               rm -f $DSA_KEY
+               if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+                       chgrp ssh_keys $DSA_KEY
+                       chmod 600 $DSA_KEY
+                       chmod 644 $DSA_KEY.pub
+                       if [ -x /sbin/restorecon ]; then
+                           /sbin/restorecon $DSA_KEY{,.pub}
+                       fi
+                       success $"DSA key generation"
+                       echo
+               else
+                       failure $"DSA key generation"
+                       echo
+                       exit 1
+               fi
+       fi
+}
+
+do_ecdsa_keygen() {
+       if [ ! -s $ECDSA_KEY ]; then
+               echo -n $"Generating SSH2 ECDSA host key: "
+               rm -f $ECDSA_KEY
+               if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+                       chgrp ssh_keys $ECDSA_KEY
+                       chmod 600 $ECDSA_KEY
+                       chmod 644 $ECDSA_KEY.pub
+                       if [ -x /sbin/restorecon ]; then
+                           /sbin/restorecon $ECDSA_KEY{,.pub}
+                       fi
+                       success $"ECDSA key generation"
+                       echo
+               else
+                       failure $"ECDSA key generation"
+                       echo
+                       exit 1
+               fi
+       fi
+}
+
+do_ed25519_keygen() {
+       if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
+               echo -n $"Generating SSH2 ED25519 host key: "
+               rm -f $ED25519_KEY
+               if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
+                       chgrp ssh_keys $ED25519_KEY
+                       chmod 600 $ED25519_KEY
+                       chmod 644 $ED25519_KEY.pub
+                       if [ -x /sbin/restorecon ]; then
+                           /sbin/restorecon $ED25519_KEY{,.pub}
+                       fi
+                       success $"ED25519 key generation"
+                       echo
+               else
+                       failure $"ED25519 key generation"
+                       echo
+                       exit 1
+               fi
+       fi
+}
+
+if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
+       exit 0
+fi
+
+# legacy options
+case $AUTOCREATE_SERVER_KEYS in
+       NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
+       RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
+       YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
+esac
+
+for KEY in $AUTOCREATE_SERVER_KEYS; do
+       case $KEY in
+               DSA) do_dsa_keygen;;
+               RSA) do_rsa_keygen;;
+               ECDSA) do_ecdsa_keygen;;
+               ED25519) do_ed25519_keygen;;
+       esac
+done
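Review bot: `do_rsa1_keygen` is dead code in this file: the dispatch `case` at the bottom only knows DSA/RSA/ECDSA/ED25519, and `ssh-keygen -t rsa1` is, as far as I recall, no longer accepted by the OpenSSH 7.x this layer targets (`openssh_7.%.bbappend`), so a reader may take SSH1 host keys for a supported path. I would delete the function and `RSA1_KEY`, or at least mark it `# SSH1 (rsa1) keys are never generated; the dispatch below does not call this`. The RSA host key is also generated at ssh-keygen's built-in default size; if the platform has a minimum key-length policy, pin it explicitly, e.g. `$KEYGEN -q -t rsa -b 4096 -f $RSA_KEY -C '' -N ''`, rather than inheriting whatever the toolchain default is. A failed `chgrp ssh_keys` is silently ignored in every branch; if the `ssh_keys` group is absent on the target the key simply stays root:root 0600, which is harmless but worth a one-line comment so nobody "fixes" it by loosening the mode.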
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service
new file mode 100644 (file)
index 0000000..77cffeb
--- /dev/null
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
+PartOf=sshd.service sshd.socket
+
+[Service]
+ExecStart=/usr/sbin/sshd-keygen
+Type=oneshot
+RemainAfterExit=yes
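Review bot: `PartOf=sshd.service sshd.socket` still names `sshd.socket`, which this same change removes from the package in the bbappend (`rm -f .../sshd.socket`); systemd tolerates the dangling reference, but it misleads the next reader, so trim it to `PartOf=sshd.service`. Because sshd.service only `Wants=` this unit, a key-generation failure (`exit 1` in sshd-keygen) does not stop sshd from being started; that is presumably intended, since sshd should refuse to run without a usable host key, but it deserves a comment in the unit: `# Failure here is non-fatal for sshd.service; sshd fails on its own if no host key exists`.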
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.init b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.init
new file mode 100755 (executable)
index 0000000..5430632
--- /dev/null
@@ -0,0 +1,192 @@
+#!/bin/bash
+#
+# sshd         Start up the OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: SSH is a protocol for secure remote shell access. \
+#              This service starts up the OpenSSH server daemon.
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $syslog
+# Should-Start: $syslog
+# Should-Stop: $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start up the OpenSSH server daemon
+# Description:       SSH is a protocol for secure remote shell access.
+#                   This service starts up the OpenSSH server daemon.
+### END INIT INFO
+
+# source function library
+. /etc/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+lockfile=/var/lock/subsys/$prog
+
+# Some functions to make the below more readable
+SSHD=/usr/sbin/sshd
+XPID_FILE=/var/run/sshd.pid
+PID_FILE=/var/run/sshd-s.pid
+
+runlevel=$(set -- $(runlevel); eval "echo \$$#" )
+
+do_restart_sanity_check()
+{
+       $SSHD -t
+       RETVAL=$?
+       if [ $RETVAL -ne  0 ]; then
+               failure $"Configuration file or keys are invalid"
+               echo
+       fi
+}
+
+start()
+{
+       [ -x $SSHD ] || exit 5
+       [ -f /etc/ssh/sshd_config ] || exit 6
+       # Create keys if necessary
+       /usr/sbin/sshd-keygen
+
+        # In rare instances, sshd may be started but a pid
+        # file is not generated. This is seen usually during
+        # system reboot scenarios. A subsequent attempt to start
+        # sshd here will trigger a port bind error. As a sanity
+        # check attempt a kill call (mostly redundant) to any
+        # previously running sshd instance
+        /bin/kill `/bin/pidof "$SSHD"` >/dev/null 2>&1
+
+       echo -n $"Starting $prog: "
+       $SSHD $OPTIONS && success || failure
+       RETVAL=$?
+       [ $RETVAL -eq 0 ] && touch $lockfile
+       [ $RETVAL -eq 0 ] && cp -f $XPID_FILE $PID_FILE
+       echo
+       return $RETVAL
+}
+
+stop()
+{
+
+       echo -n $"Stopping $prog: "
+       if [ ! -f "$PID_FILE" ]; then
+               # not running; per LSB standards this is "ok"
+               action $"Stopping $prog: " /bin/true
+               return 0
+       fi
+       PID=`cat "$PID_FILE"`
+       if [ -n "$PID" ]; then
+               /bin/kill "$PID" >/dev/null 2>&1
+               RETVAL=$?
+               if [ $RETVAL -eq 0 ]; then
+                       RETVAL=1
+                       action $"Stopping $prog: " /bin/false
+               else
+                       action $"Stopping $prog: " /bin/true
+               fi
+       else
+                # failed to read pidfile
+               action $"Stopping $prog: " /bin/false
+               RETVAL=4
+       fi
+       # if we are in halt or reboot runlevel kill all running sessions
+       # so the TCP connections are closed cleanly
+       if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
+           trap '' TERM
+           killall $prog 2>/dev/null
+           trap TERM
+       fi
+       [ $RETVAL -eq 0 ] && rm -f $lockfile
+       rm -f "$PID_FILE"
+        return $RETVAL
+}
+
+reload()
+{
+       echo -n $"Reloading $prog: "
+       if [ -n "`pidfileofproc $SSHD`" ] ; then
+           killproc $SSHD -HUP
+       else
+           failure $"Reloading $prog"
+       fi
+       RETVAL=$?
+       echo
+}
+
+restart() {
+       stop
+       start
+}
+
+force_reload() {
+       restart
+}
+
+rh_status() {
+       status -p $PID_FILE openssh-daemon
+}
+
+rh_status_q() {
+       rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+       start)
+               rh_status_q && exit 0
+               start
+               ;;
+       stop)
+               if ! rh_status_q; then
+                       rm -f $lockfile
+                       exit 0
+               fi
+               stop
+               ;;
+       restart)
+               restart
+               ;;
+       reload)
+               rh_status_q || exit 7
+               reload
+               ;;
+       force-reload)
+               force_reload
+               ;;
+       condrestart|try-restart)
+               rh_status_q || exit 0
+               if [ -f $lockfile ] ; then
+                       do_restart_sanity_check
+                       if [ $RETVAL -eq 0 ] ; then
+                               stop
+                               # avoid race
+                               sleep 3
+                               start
+                       else
+                               RETVAL=6
+                       fi
+               fi
+               ;;
+       status)
+               rh_status
+               RETVAL=$?
+               if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
+                       RETVAL=2
+               fi
+               ;;
+       *)
+               echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
+               RETVAL=2
+esac
+exit $RETVAL
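Review bot: The success/failure handling in `stop()` looks inverted: after `/bin/kill "$PID"` succeeds (`RETVAL` 0) the script sets `RETVAL=1` and reports `/bin/false`, and only a failed kill reports success, so a normal `stop` exits non-zero, leaves `$lockfile` in place (it is only removed when `RETVAL -eq 0`), and a later `status` reports 2 ("dead but subsys locked"). Unless this is deliberate, swap the two branches: `if [ $RETVAL -eq 0 ]; then action $"Stopping $prog: " /bin/true; else RETVAL=1; action $"Stopping $prog: " /bin/false; fi`. Separately, the unconditional `kill`-of-`pidof "$SSHD"` in `start()` may, depending on the pidof implementation, also match the per-connection sshd children of an instance whose pidfile was lost, terminating every active SSH session on a plain `start`; restricting it to the listener PID (e.g. from the stale pidfile) would be safer, and the reason should be stated in the comment above it.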
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.service b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.service
new file mode 100644 (file)
index 0000000..af7845c
--- /dev/null
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
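Review bot: `Type=notify` only works if the sshd binary sends `READY=1` via sd_notify, which upstream OpenSSH 7.x does not do (Fedora/RHEL add it with a distro patch); nothing in this change adds such a patch to the Yocto recipe, so unless the base recipe already carries one, systemd will wait for a readiness notification that never arrives, time out the start, and then cycle through `Restart=on-failure` every 42 s. Please confirm the patch is present, or switch to `Type=simple`. `EnvironmentFile=/etc/sysconfig/sshd` without the `-` prefix also makes the unit fail hard if that file is ever removed; `EnvironmentFile=-/etc/sysconfig/sshd` is the usual form.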
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig
new file mode 100644 (file)
index 0000000..e666ab9
--- /dev/null
@@ -0,0 +1,15 @@
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation uncomment and change the appropriate
+# line. Accepted key types are: DSA RSA ECDSA ED25519.
+# The default is "RSA ECDSA ED25519"
+
+# AUTOCREATE_SERVER_KEYS=""
+# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
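Review bot: `SSH_USE_STRONG_RNG` is, to my knowledge, only honored by the RHEL/Fedora "strong RNG" patch to OpenSSH; an unpatched Yocto build ignores the variable entirely, so the stern warning here promises a knob that may not exist. Either confirm the recipe carries that patch or say so in the comment: `# Only honored if sshd is built with the RHEL strong-RNG patch; otherwise ignored`. The sample `# AUTOCREATE_SERVER_KEYS=""` deserves a word too: an empty list makes sshd-keygen generate nothing, the same effect as the script's explicit `NO` value, so the comment should state which spelling is the supported way to disable key creation.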
diff --git a/meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend b/meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend
new file mode 100644 (file)
index 0000000..e745d7e
--- /dev/null
@@ -0,0 +1,55 @@
+#
+## Copyright (C) 2019 Wind River Systems, Inc.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "\
+    file://stx/sshd.init \
+    file://stx/sshd-keygen \
+    file://stx/sshd-keygen.service \
+    file://stx/sshd.service \
+    file://stx/sshd.sysconfig \
+"
+
+SYSTEMD_SERVICE_${PN}-sshd = "sshd.service"
+
+do_install_append () {
+    rm -f ${D}${systemd_system_unitdir}/sshd.socket
+    rm -f ${D}${systemd_system_unitdir}/sshd@service.socket
+    rm -f ${D}${systemd_system_unitdir}/sshdgenkeys.service
+
+    install -d ${D}/${sysconfdir}/init.d/
+    install -m 755 ${WORKDIR}/stx/sshd.init ${D}/${sysconfdir}/init.d/sshd
+
+    install -d ${D}/${sysconfdir}/sysconfig/
+    install -m 644 ${WORKDIR}/stx/sshd.sysconfig ${D}/${sysconfdir}/sysconfig/sshd
+
+    install -m 755 ${WORKDIR}/stx/sshd-keygen ${D}/${sbindir}/sshd-keygen
+    install -m644 ${WORKDIR}/stx/sshd.service ${D}/${systemd_system_unitdir}/sshd.service
+    install -m644 ${WORKDIR}/stx/sshd-keygen.service ${D}/${systemd_system_unitdir}/sshd-keygen.service
+
+    install -d ${D}/${sysconfdir}/tmpfiles.d
+    echo "d ${localstatedir}/run/sshd 0755 root root -" >> ${D}/${sysconfdir}/tmpfiles.d/sshd.conf
+
+}
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN}-sshd += "bash"
+
+# allow both systemd service and sysvinit scripts are installed
+DISTRO_FEATURES_BACKFILL_CONSIDERED_remove = "sysvinit"
+
+USERADD_PARAM_${PN}-sshd = "-r -d /var/empty/sshd -s /sbin/nologin -g sshd -c 'Privilege-separated SSH' sshd"
+GROUPADD_PARAM_${PN}-sshd = "-r ssh_keys; -r sshd"
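Review bot: `rm -f ${D}${systemd_system_unitdir}/sshd@service.socket` does not, as far as I can tell, match any unit the OE-core openssh recipe installs; the per-connection unit that pairs with `sshd.socket` is `sshd@.service`, which the commit message says is being removed, so that file stays in the package and this line is a silent no-op. Change it to `rm -f ${D}${systemd_system_unitdir}/sshd@.service`. The `USERADD_PARAM` override also moves the sshd account's home to `/var/empty/sshd` while the tmpfiles entry only creates `${localstatedir}/run/sshd`; if the privilege-separation directory is compiled as `/var/run/sshd` that is fine, but a comment stating that `/var/empty/sshd` is intentionally not created would save the next reader a search.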
index da6e623..4c8a4d0 100644 (file)
@@ -499,27 +499,43 @@ pkg_postinst_ontarget_openldap-config() {
        chmod 644 ${systemd_system_unitdir}/slapd
 }
 
-pkg_postinst_ontarget_openssh-config() {
+pkg_postinst_openssh-config() {
 #      %description
 #      package StarlingX configuration files of openssh to system folder.
 
 
-       SRCPATH=${datadir}/starlingx/config-files/openssh-config/files
+       SRCPATH=$D${datadir}/starlingx/config-files/openssh-config/files
 
-       install -m 644 ${SRCPATH}/sshd.service  ${sysconfdir}/systemd/system/sshd.service
-       install -m 644 ${SRCPATH}/ssh_config    ${datadir}/starlingx/ssh_config
-       install -m 600 ${SRCPATH}/sshd_config   ${datadir}/starlingx/sshd_config
+       install -m 644 ${SRCPATH}/sshd.service  $D${sysconfdir}/systemd/system/sshd.service
+       install -m 644 ${SRCPATH}/ssh_config    $D${datadir}/starlingx/ssh_config
+       install -m 600 ${SRCPATH}/sshd_config   $D${datadir}/starlingx/sshd_config
 
        # remove the unsupported and deprecated options
        sed -i -e 's/^\(GSSAPIAuthentication.*\)/#\1/' \
               -e 's/^\(GSSAPICleanupCredentials.*\)/#\1/' \
               -e 's/^\(UsePrivilegeSeparation.*\)/#\1/' \
-              ${datadir}/starlingx/sshd_config
+              $D${datadir}/starlingx/sshd_config
 
-       sed -i -e 's/\(GSSAPIAuthentication yes\)/#\1/' ${datadir}/starlingx/ssh_config
+       sed -i -e 's/\(GSSAPIAuthentication yes\)/#\1/' $D${datadir}/starlingx/ssh_config
        
-       cp -f ${datadir}/starlingx/ssh_config  ${sysconfdir}/ssh/ssh_config
-       cp -f ${datadir}/starlingx/sshd_config ${sysconfdir}/ssh/sshd_config
+       cp -f $D${datadir}/starlingx/ssh_config  $D${sysconfdir}/ssh/ssh_config
+       cp -f $D${datadir}/starlingx/sshd_config $D${sysconfdir}/ssh/sshd_config
+
+       # enable syslog-ng service by default
+       OPTS=""
+       if [ -n "$D" ]; then
+               OPTS="--root=$D"
+       fi
+       if [ -z "$D" ]; then
+               systemctl daemon-reload
+       fi
+
+       systemctl $OPTS enable sshd.service
+
+       if [ -z "$D" ]; then
+               systemctl --no-block restart sshd.service
+       fi
+
 }
 
 pkg_postinst_ontarget_openvswitch-config() {
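Review bot: `systemctl --no-block restart sshd.service` at the end of `pkg_postinst_openssh-config` restarts the daemon right after `cp -f` has overwritten `/etc/ssh/sshd_config`, without validating the new file; if the sed-edited config is rejected, sshd stays down and remote access to the node that just installed this package is lost. Run the check first: `if [ -z "$D" ]; then /usr/sbin/sshd -t && systemctl --no-block restart sshd.service; fi`, logging rather than swallowing a non-zero `sshd -t`. The comment `# enable syslog-ng service by default` is a copy-paste leftover and should read `# enable sshd service by default`. Note also that installing `sshd.service` into `${sysconfdir}/systemd/system` makes it shadow the unit the openssh bbappend ships in `${systemd_system_unitdir}`, so the two copies need to be kept consistent or one of them dropped.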