Age | Commit message (Collapse) | Author |
|
Where we have images with PAM+systemd, serial login can be extremely
slow. The load generated by key generation does slow down the rest
of the boot process.
Lower the priority level of these systemd services, since we'd
prefer to have the rest of the system boot more effectively.
This doesn't "solve" the slow systemd boot issues but does help.
(From OE-Core rev: 087700665284c08ba846e52b6b86276629f5f1cd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Refresh dropbear-disable-weak-ciphers.patch as some weak items
have been dropped upstream.
License-Update: curve25519 changed to public domain
(From OE-Core rev: 1620a815f6fbe20e5b570ed254187856bb37c184)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Enhances dropbear with a new feature "disable-weak-ciphers", on by default.
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in
the dropbear ssh server and client.
Disable this feature if you need to connect to the ssh server from older
clients. Additional customization can be done with local_options.h as usual.
Tested: On dropbear_2019.78.
Upstream-Status: Inappropriate [configuration]
(From OE-Core rev: b11521ce1b1d1f8b4dddf830b41f5ea809730d22)
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- update dropbear to version 2019.77
- drop obsolete patch
(From OE-Core rev: c0f2e6f74119538a33095c27a8d9e92084741672)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- localoptions.h is automatically searched in build directory
(From OE-Core rev: 40fe89027e1b9ed63c65ff026bc6cce5de1b814a)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Wait to fail invalid usernames to fix
CVE-2018-15599
Rework 0006-dropbear-configuration-file.patch
to fix fuzz warnings
(From OE-Core rev: f017715120b67ff02f56ed5db131436ee62aeffb)
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
root login is disabled by default for openssh and we can
enable it through IMAGE_FEATURES 'debug-tweaks' or
'allow-empty-password', so change to the same default
behavior for dropbear.
(From OE-Core rev: d3e69fa2fef83015658aa5fa1442bab5a8c3edaa)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The origins of the patch date back to early 2005 (prior to the start
of git history in oe-core) to fix a hardcoded limit on the maximum
size of remote host keys:
http://familiar.handhelds.narkive.com/b1VGg2bI/problem-w-dropbear-ssh
The hardcoded limit was fixed upstream in dropbear 0.47:
https://github.com/mkj/dropbear/commit/736f370dce614b717193f45d084e9e009de723ce
The patch has therefore been obsolete since then. It went unnoticed
until now as the patch has continued to apply - it modifies a value
which is not used.
(From OE-Core rev: 17072ffc1e765edd45bc1174378fb666185e5643)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously, when dropbear was started via its init script, relocation
of DROPBEAR_RSAKEY_DIR to support read-only rootfs was handled at
run time from within the init script.
Update the init script to take advantage of the read-only rootfs
config setup by read_only_rootfs_hook() and therefore be consistent
with startup under systemd (where relocation of DROPBEAR_RSAKEY_DIR
is handled by the read_only_rootfs_hook() at build time).
(From OE-Core rev: 4990f87b2f6a8b30c8d1c767636e7f5527f595ba)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- update dropbear to version 2018.76
- refresh and drop obsolete patches
- add option to use localoptions.h header file
- do not use harden stuff, which leads to QA warning
(From OE-Core rev: ec050b666ec3684918fd9dc564d2dce9a8d6a8ef)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 18300f8faa5050178efcd22f2db843f9b3f3bb0f)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 9b2e3b8235ee545b0eb666266c5db2ec7cb9e21f)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop patch support-out-of-tree-builds.patch:
Because the upstream has already contain it.
(From OE-Core rev: 2fd0757ae7fd63bc93a4ce8579c6ba0cdbb4c1cd)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Bring the dropbear init script into sync with the systemd service
file (dropbearkey.service supports RSA host keys only) and with
recent versions of openssh which deprecate DSA host keys.
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
(From OE-Core rev: 6bd7341a38a8bb5387ea81dbccfed327370569f3)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To prevent build failures when using system libtom libraries and
linking with --as-needed, LIBTOM_LIBS should be in the order
-ltomcrypt -ltommath, not the other way around, ie libs should be
prepended to LIBTOM_LIBS as they are found, not appended.
Note that LIBTOM_LIBS is not used when linking with the bundled
libtom libs.
(From OE-Core rev: 62e96283fe77469e24e8df86c6c037c92009b00a)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch adds DROPBEAR_RSAKEY_ARGS and DROPBEAR_DSSKEY_ARGS optional
parameters to /etc/default/dropbear. The contents are simply passed to
the 'dropbearkey' program when generating a host key.
The default keysize for RSA is currently 2048 bits. It takes a CortexA9
running at 700MHz between 4 and 10 seconds to calculate a keypair. The
board boots Linux in about a second, but you have to wait for several
seconds because of the keypair generation. This patch allows one to put
the line DROPBEAR_RSAKEY_ARGS="-s 1024" into /etc/default/dropbear, and
have a host key generated in about 0.2 seconds on the same CPU. This is
particulary useful for read-only rootfs systems which generate a key on
each boot.
(From OE-Core rev: c0efbcb47ab37c2d9c298fcd40ecaadd3ca050a7)
Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Enforce the correct tag names across all of oe-core for consistency.
(From OE-Core rev: 606a43dc38a00cc243f933722db657aea4129f8e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport a patch to fix out-of-tree build.
(From OE-Core rev: b1613c946d1d6e5d7f5964e4d24f1d3146dfe39e)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Tweak a pam patch to make it apply on current source.
(From OE-Core rev: 9116a9346556837328a42059bd8af02ea17d081b)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 7e13fc603aa86219bf15e355ca9ea9275308cca5)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* Upgrade to upstream 2014.66; incorporates several minor bugfix
releases.
* LIC_FILES_CHKSUM changed because the copyright year changed; there was
no change to the license text itself.
(From OE-Core rev: 78f388e81cad5dfb6aea52da68f9b4523c88c5ad)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* Add a brief subject mentioning what the patch is for
* Add Upstream-Status
(From OE-Core rev: ce01282b24c6715c85f8dfac6df3e750e77a50b8)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop 0002-static_build_fix.patch since an equivalent fix has been merged
upstream.
(From OE-Core rev: d5ff33a328a90abb6aae7c02bf119b53afdae5b7)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch mainly comes from meta-systemd with a few modifications.
The purpose is to get rid of the LSB init scripts in systemd images.
[YOCTO #4420]
(From OE-Core rev: 5d90c5ebdb899b2951c97a94ff57867c1e491c15)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Patch application failed on the autobuilder for pam, this refresh of the
patch should resolve the build failure.
(From OE-Core rev: c4c5ec52effc2ff97ac17270c1aa7884c808f5a9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
LIC_FILES_CHKSUM has changed with the introduction of a BSD-3-Clause
algorithm (curve25519-donna); this has prompted a re-evaluation of the
LICENSE value which should now reflect the licenses declared in the
upstream documentation. Thanks to Beth Flanagan for helping with this.
(From OE-Core rev: 232e8b96988ffa6e5107917fbf41222d26e4e90b)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- patches updated
- nopw-option.patch dropped as the option is integrated since 2013.56
- compile tested for ARMv5 target
(From OE-Core rev: ce92c707f26aff8f02021c757056af4ecddb315d)
Signed-off-by: Eric Bénard <eric@eukrea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Blank password option patch has now been accepted upstream.
(From OE-Core rev: cfcd31e1ccee27fd46c830c01541c77298a13af4)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Old init script killed all dropbear processes when doing stop/restart
including open SSH sessions which is very annoying.
(From OE-Core rev: 97aa5ac2df7593e343d82f5e64a422bb951eacf9)
Signed-off-by: Roman I Khimov <khimov@altell.ru>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Dropbear does not start when the host key is empty and it is possible
that a device is switched off before the host key is generated. This
is possible because the dropbearkey code doesn't create a temporary
file first. Detect truncated keys and then remove them which will lead
to the re-generation. This way the dropbear process will always start.
(From OE-Core rev: 16b57e352f5844f301cc6c7ea4f87bf750c11d67)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Instead of using IMAGE_FEATURES to control something within a recipe,
allow this to be set at runtime, avoiding the need to rebuild dropbear
when we want to change this option.
First half of the fix for [YOCTO #2578].
(From OE-Core rev: 313039590171456b652fa7a2f5823c9b7060b20f)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 6ec513e7e6e6959a5eb19f0b06b9e7207fb15ada)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This new version added ALLOW_BLANK_PASSWORD option. So change the allow-nopw.patch content to enable this function.
(From OE-Core rev: e876096fcbb42039d568a7acbc506e4099e9a443)
Signed-off-by: Mei Lei <lei.mei@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: f1710d09e447b0f71a55b4ef24673c6388a045ad)
Signed-off-by: Mei Lei <lei.mei@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 4bc94f1896aad7f540ac520cd69edf3e96029319)
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I make a patch and some changes in dropbear.inc for supporting pam.
- Enable pam in configure
- Modify file option.h to open pam supporting
(From OE-Core rev: e8f19e8616fb1b0c2d977fb63eaa64f504fb774b)
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch includes the update of patch upstream status of the following
recipes (50 in all):
grub pciutils setserial dhcp iproute2 libnss-mdns nfs-utils openssl portmap
busybox coreutils dbus dropbear ncurses readline sysfsutils sysvinit tinylogin
udev update-rc.d util-linux elfutils file pkgconfig syslinux ubootchart
yaffs2 findutils gamin hdparm libaio libzypp parted procps sat-solver
screen sed sysklogd tcp-wrapper time zypper attr boost createrepo gnutls
hal js libgcrypt libnl libusb-compat
(From OE-Core rev: 1e6f767663b7d5fb6277fd2b214f4a50e24d4ffd)
Signed-off-by: Qing He <qing.he@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.
The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.
Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
|