3 files changed, 14 insertions, 118 deletions
diff --git a/recipes-connectivity/openssh/files/sshd b/recipes-connectivity/openssh/files/pam/sshd
index 72303eb..72303eb 100644
--- a/recipes-connectivity/openssh/files/sshd
+++ b/recipes-connectivity/openssh/files/pam/sshd
diff --git a/recipes-connectivity/openssh/files/sshd_config b/recipes-connectivity/openssh/files/sshd_config
deleted file mode 100644
index 1c33ad0..0000000
--- a/recipes-connectivity/openssh/files/sshd_config
+++ /dev/null
@@ -1,118 +0,0 @@
-#       $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-# Ciphers and keying
-#RekeyLimit default none
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-# Authentication:
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-#AuthorizedKeysFile     .ssh/authorized_keys
-#AuthorizedPrincipalsFile none
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-# no default banner path
-#Banner none
-# override default of no subsystems
-Subsystem       sftp    /usr/libexec/sftp-server
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#       X11Forwarding no
-#       AllowTcpForwarding no
-#       PermitTTY no
-#       ForceCommand cvs server
diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_%.bbappend
index 7719d3b..99c51bf 100644
--- a/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1 +1,15 @@
 require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+# if pam feature is enabled in the distro then take sshd from the pam directory.
+FILESEXTRAPATHS_prepend := "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${THISDIR}/files/pam:', '', d)}"
+do_install_append(){
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+        # Make sure UsePAM entry is in the sshd_config file.
+        # If entry not present then append it.
+        grep -q 'UsePAM' "${D}/etc/ssh/sshd_config" && \
+        sed -i 's/.*UsePAM.*/UsePAM yes/' "${D}/etc/ssh/sshd_config" || \
+        echo 'UsePAM yes' >> "${D}/etc/ssh/sshd_config"
+    fi
+}

diff --git a/recipes-connectivity/openssh/files/sshd b/recipes-connectivity/openssh/files/pam/sshd index 72303eb..72303eb 100644 --- a/recipes-connectivity/openssh/files/sshd +++ b/recipes-connectivity/openssh/files/pam/sshd


diff --git a/recipes-connectivity/openssh/files/sshd_config b/recipes-connectivity/openssh/files/sshd_config deleted file mode 100644 index 1c33ad0..0000000 --- a/recipes-connectivity/openssh/files/sshd_config +++ /dev/null
@@ -1,118 +0,0 @@
1	# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
2
3	# This is the sshd server system-wide configuration file. See
4	# sshd_config(5) for more information.
5
6	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8	# The strategy used for options in the default sshd_config shipped with
9	# OpenSSH is to specify options with their default value where
10	# possible, but leave them commented. Uncommented options override the
11	# default value.
12
13	#Port 22
14	#AddressFamily any
15	#ListenAddress 0.0.0.0
16	#ListenAddress ::
17
18	#HostKey /etc/ssh/ssh_host_rsa_key
19	#HostKey /etc/ssh/ssh_host_ecdsa_key
20	#HostKey /etc/ssh/ssh_host_ed25519_key
21
22	# Ciphers and keying
23	#RekeyLimit default none
24
25	# Logging
26	#SyslogFacility AUTH
27	#LogLevel INFO
28
29	# Authentication:
30
31	#LoginGraceTime 2m
32	#PermitRootLogin prohibit-password
33	#StrictModes yes
34	#MaxAuthTries 6
35	#MaxSessions 10
36
37	#PubkeyAuthentication yes
38
39	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
40	# but this is overridden so installations will only check .ssh/authorized_keys
41	#AuthorizedKeysFile .ssh/authorized_keys
42
43	#AuthorizedPrincipalsFile none
44
45	#AuthorizedKeysCommand none
46	#AuthorizedKeysCommandUser nobody
47
48	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
49	#HostbasedAuthentication no
50	# Change to yes if you don't trust ~/.ssh/known_hosts for
51	# HostbasedAuthentication
52	#IgnoreUserKnownHosts no
53	# Don't read the user's ~/.rhosts and ~/.shosts files
54	#IgnoreRhosts yes
55
56	# To disable tunneled clear text passwords, change to no here!
57	#PasswordAuthentication yes
58	#PermitEmptyPasswords no
59
60	# Change to yes to enable challenge-response passwords (beware issues with
61	# some PAM modules and threads)
62	ChallengeResponseAuthentication no
63
64	# Kerberos options
65	#KerberosAuthentication no
66	#KerberosOrLocalPasswd yes
67	#KerberosTicketCleanup yes
68	#KerberosGetAFSToken no
69
70	# GSSAPI options
71	#GSSAPIAuthentication no
72	#GSSAPICleanupCredentials yes
73
74	# Set this to 'yes' to enable PAM authentication, account processing,
75	# and session processing. If this is enabled, PAM authentication will
76	# be allowed through the ChallengeResponseAuthentication and
77	# PasswordAuthentication. Depending on your PAM configuration,
78	# PAM authentication via ChallengeResponseAuthentication may bypass
79	# the setting of "PermitRootLogin without-password".
80	# If you just want the PAM account and session checks to run without
81	# PAM authentication, then enable this but set PasswordAuthentication
82	# and ChallengeResponseAuthentication to 'no'.
83	UsePAM yes
84
85	#AllowAgentForwarding yes
86	#AllowTcpForwarding yes
87	#GatewayPorts no
88	#X11Forwarding no
89	#X11DisplayOffset 10
90	#X11UseLocalhost yes
91	#PermitTTY yes
92	#PrintMotd yes
93	#PrintLastLog yes
94	#TCPKeepAlive yes
95	#UseLogin no
96	#PermitUserEnvironment no
97	Compression no
98	ClientAliveInterval 15
99	ClientAliveCountMax 4
100	#UseDNS no
101	#PidFile /var/run/sshd.pid
102	#MaxStartups 10:30:100
103	#PermitTunnel no
104	#ChrootDirectory none
105	#VersionAddendum none
106
107	# no default banner path
108	#Banner none
109
110	# override default of no subsystems
111	Subsystem sftp /usr/libexec/sftp-server
112
113	# Example of overriding settings on a per-user basis
114	#Match User anoncvs
115	# X11Forwarding no
116	# AllowTcpForwarding no
117	# PermitTTY no
118	# ForceCommand cvs server


diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_%.bbappend index 7719d3b..99c51bf 100644 --- a/recipes-connectivity/openssh/openssh_%.bbappend +++ b/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1 +1,15 @@
1	require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}	1	require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
		2
		3	# if pam feature is enabled in the distro then take sshd from the pam directory.
		4	FILESEXTRAPATHS_prepend := "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${THISDIR}/files/pam:', '', d)}"
		5
		6	do_install_append(){
		7
		8	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
		9	# Make sure UsePAM entry is in the sshd_config file.
		10	# If entry not present then append it.
		11	grep -q 'UsePAM' "${D}/etc/ssh/sshd_config" && \
		12	sed -i 's/.UsePAM./UsePAM yes/' "${D}/etc/ssh/sshd_config" \|\| \
		13	echo 'UsePAM yes' >> "${D}/etc/ssh/sshd_config"
		14	fi
		15	}