Diffstat (limited to 'repo/util/openssh')
-rw-r--r-- | repo/util/openssh/openssh.xibuild | 41 | ||||
-rw-r--r-- | repo/util/openssh/sshd.confd | 26 | ||||
-rw-r--r-- | repo/util/openssh/sshd.initd | 162 |
3 files changed, 229 insertions, 0 deletions
diff --git a/repo/util/openssh/openssh.xibuild b/repo/util/openssh/openssh.xibuild
new file mode 100644
index 0000000..869bcb9
--- /dev/null
+++ b/repo/util/openssh/openssh.xibuild
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+MAKEDEPS="make "
+DEPS="musl krb5 openssl libedit ldns libxcrypt zlib pam argp-standalone"
+
+PKG_VER=8.8p1
+SOURCE=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$PKG_VER.tar.gz
+DESC="Premier connectivity tool for remote login with the SSH protocol"
+
+ADDITIONAL="sshd.initd sshd.confd"
+
+build () {
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --with-md5-passwords \
+ --with-privsep-path=/var/lib/sshd \
+ --with-default-path=/usr/bin \
+ --with-superuser-path=/usr/sbin:/usr/bin \
+ --with-pid-dir=/run
+ make
+}
+
+
+package () {
+ make DESTDIR=$PKG_DEST install
+ install -Dm755 contrib/ssh-copy-id $PKG_DEST/usr/bin
+
+ install -Dm644 contrib/ssh-copy-id.1 \
+ $PKG_DEST/usr/share/man/man1
+ install -Dm755 -d $PKG_DEST/usr/share/doc/openssh-$PKG_VER
+ install -Dm644 INSTALL LICENCE OVERVIEW README* \
+ $PKG_DEST/usr/share/doc/openssh-$PKG_VER
+
+ install -Dm755 sshd.initd $PKG_DEST/etc/init.d/sshd
+ install -Dm755 sshd.confd $PKG_DEST/etc/conf.d/sshd
+}
+
+postinstall () {
+ groupadd -g 33 sshd
+ useradd -u 33 -g 33 -c sshd -d / sshd
+}
diff --git a/repo/util/openssh/sshd.confd b/repo/util/openssh/sshd.confd
new file mode 100644
index 0000000..8c44444
--- /dev/null
+++ b/repo/util/openssh/sshd.confd
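Review bot: postinstall runs `groupadd -g 33 sshd` and `useradd -u 33 -g 33 -c sshd -d / sshd` unconditionally, so a reinstall, or a system where uid/gid 33 is already taken, makes the step fail and can leave the package half-installed depending on how xibuild treats a failing postinstall; guard each with an existence check, e.g. `getent group sshd >/dev/null || groupadd -g 33 sshd`. The tarball is fetched from SOURCE with no checksum or signature recorded in this file, so unless the build system verifies downloads elsewhere the integrity of the release rests on TLS alone; pinning the published release checksum would close that gap. `$PKG_DEST` is unquoted throughout package(), and `install -Dm755 sshd.confd` installs a configuration file as executable where `-Dm644` is the conventional mode. Minor: `install -Dm755 contrib/ssh-copy-id $PKG_DEST/usr/bin` only works because `make install` has already created that directory, since `-D` with a single source and a non-existent destination creates a file named `bin`.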
@@ -0,0 +1,26 @@
+# Configuration for /etc/init.d/sshd
+
+# Path of sshd_config file.
+#cfgfile="/etc/ssh/sshd_config"
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+#command_args=""
+
+# Space-separated list of SSH host key types to generate if they do
+# not already exist. An empty value means generate all of the default
+# set of dsa, ecdsa, ed25519, and rsa types.
+#
+# Example: "ed25519 rsa".
+#
+#key_types_to_generate=""
+
+# The number of bits to use for a generated ECDSA SSH host key.
+# Defaults to 256 bits if not set.
+#
+#ecdsa_bit_size="256"
+
+# Number of bits for use for a generated RSA SSH host key.
+# Defaults to 3072 bits if not set.
+#
+#rsa_bit_size="3072"
diff --git a/repo/util/openssh/sshd.initd b/repo/util/openssh/sshd.initd
new file mode 100644
index 0000000..477cdbc
--- /dev/null
+++ b/repo/util/openssh/sshd.initd
@@ -0,0 +1,162 @@
+#!/sbin/openrc-run
+
+description="OpenBSD Secure Shell server"
+description_checkconfig="Verify configuration file"
+description_reload="Reload configuration"
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+# NOTE: SSHD_* variables are deprecated and will be removed in future!
+: "${sshd_disable_keygen:="${SSHD_DISABLE_KEYGEN:-"no"}"}"
+: "${cfgfile:=${SSHD_CONFIG:-"${SSHD_CONFDIR:-"/etc/ssh"}/sshd_config"}}"
+
+pidfile="${SSHD_PIDFILE:-"/run/$RC_SVCNAME.pid"}"
+command="${SSHD_BINARY:-"/usr/sbin/sshd"}"
+command_args="${command_args:-${SSHD_OPTS:-}}"
+
+required_files="$cfgfile"
+
+generate_host_key_type() {
+ local bit_size key_type
+
+ key_type=$1
+ if [ ! -f /etc/ssh/ssh_host_"${key_type}"_key ]; then
+ case $key_type in
+ ecdsa) bit_size="$ecdsa_bit_size";;
+ rsa) bit_size="$rsa_bit_size";;
+ esac
+ einfo "Generating $key_type SSH host key..."
+ ssh-keygen \
+ -q \
+ -f /etc/ssh/ssh_host_"$key_type"_key \
+ -N '' \
+ -t "$key_type" \
+ ${bit_size:+ -b ${bit_size}} || return 1
+ fi
+}
+
+generate_host_keys() {
+ local type
+
+ if [ -z "$key_types_to_generate" ] &&
+ [ -z "$ecdsa_bit_size" ] && [ -z "$rsa_bit_size" ]; then
+ ssh-keygen -A
+ return
+ fi
+ for type in ${key_types_to_generate:-dsa ecdsa ed25519 rsa}; do
+ generate_host_key_type "$type" || return 1
+ done
+}
+
+get_conf() {
+ awk "/^$1/{ print \$2 }" "$cfgfile" 2>/dev/null
+}
+
+conf_enabled() {
+ [ "$(get_conf "$1")" = "yes" ]
+}
+
+depend() {
+ use logger dns
+ after entropy
+
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ # shellcheck disable=SC2013
+ for x in $(get_conf ListenAddress) ; do
+ case "$x" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="$warn_addr $x" ;;
+ esac
+ done
+ if [ -n "$warn_addr" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "$warn_addr"
+ fi
+ fi
+}
+
+update_command() {
+ if conf_enabled KerberosAuthentication || conf_enabled GSSAPIAuthentication && [ -r /usr/sbin/sshd.krb5 ]; then
+ command="${SSHD_BINARY:-"/usr/sbin/sshd.krb5"}"
+ elif conf_enabled UsePAM && [ -r /usr/sbin/sshd.pam ]; then
+ command="${SSHD_BINARY:-"/usr/sbin/sshd.pam"}"
+ fi
+}
+
+checkconfig() {
+ update_command
+ warn_deprecated_var SSHD_BINARY
+ warn_deprecated_var SSHD_CONFDIR
+ warn_deprecated_var SSHD_CONFIG cfgfile
+ warn_deprecated_var SSHD_DISABLE_KEYGEN sshd_disable_keygen
+ warn_deprecated_var SSHD_OPTS command_args
+ warn_deprecated_var SSHD_PIDFILE
+
+ if [ ! -d /var/empty ] ; then
+ mkdir -p /var/empty || return 1
+ fi
+
+ if ! yesno "$sshd_disable_keygen"; then
+ generate_host_keys || return 1
+ fi
+
+ [ "$pidfile" != "/run/sshd.pid" ] \
+ && command_args="$command_args -o PidFile=$pidfile"
+
+ [ "$cfgfile" != "/etc/ssh/sshd_config" ] \
+ && command_args="$command_args -f $cfgfile"
+
+ # shellcheck disable=SC2086
+ "$command" -t $command_args || return 1
+}
+
+start_pre() {
+ checkconfig
+}
+
+stop_pre() {
+ update_command
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return 1
+ fi
+}
+
+stop_post() {
+ if [ "$RC_RUNLEVEL" = "shutdown" ]; then
+ _sshd_pids=$(pgrep "${command##*/}")
+ if [ -n "$_sshd_pids" ]; then
+ ebegin "Shutting down ssh connections"
+ # shellcheck disable=SC2086
+ kill -TERM $_sshd_pids >/dev/null 2>&1
+ eend 0
+ fi
+ fi
+}
+
+reload() {
+ checkconfig || return 1
+
+ ebegin "Reloading $RC_SVCNAME"
+ start-stop-daemon --signal HUP \
+ --exec "$command" --pidfile "$pidfile"
+ eend $?
+}
+
+warn_deprecated_var() {
+ local varname="$1"
+ local replacement="${2:-}"
+
+ eval "test -n \"\$$varname\"" || return 0
+
+ ewarn "Variable \$$varname is deprecated and will be removed in the future!"
+ # shellcheck disable=SC2015
+ [ "$replacement" ] && ewarn "Use \$$replacement instead of \$$varname." ||:
+} |
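Review bot: checkconfig prepares `/var/empty`, but openssh.xibuild in this same commit configures sshd with `--with-privsep-path=/var/lib/sshd`, so the directory this script creates is not the one sshd requires for its privilege-separation chroot (which must exist, be root-owned and not be group/world-writable); point the `[ ! -d /var/empty ]` test and the `mkdir -p` at the configured path, or drop the block if `make install` is known to create it. generate_host_keys falls back to `dsa ecdsa ed25519 rsa` when only a bit size is set and key_types_to_generate is empty; sshd has not offered ssh-dss host keys by default since 7.0, so the default generates an unused DSA key under /etc/ssh, and removing `dsa` from that fallback (and from the matching comment in sshd.confd) is the safer default. In stop_post, `pgrep "${command##*/}"` is an unanchored regex match, so at shutdown it can also signal unrelated processes whose name merely contains `sshd`; `pgrep -x "${command##*/}"` confines it to an exact process name. Also, get_conf's `/^$1/` pattern is case-sensitive and prefix-only while sshd_config keywords are case-insensitive and may also appear inside `Match` blocks, so conf_enabled can miss or misread a directive; since this only steers the binary selection in update_command, a comment on get_conf stating that limitation would be enough here.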