From 9cea29e441099f7e15f05a47fb3cdc1fa7fc532f Mon Sep 17 00:00:00 2001 From: Peter Wagner <​tripolar@gmx.at> Date: Tue, 22 Oct 2013 01:12:31 +0000 Subject: [PATCH] [packages] add openssh-server-pam this adds openssh-server with pam support the user still has the change this settings in /etc/ssh/sshd_config: PasswordAuthentication no UsePAM yes to use pam. To avoid having two moduli files which is just static data, openssh-moduli now depends on ssh-keygen. based on patch from DkSouls Signed-off-by: Peter Wagner SVN-Revision: 38494 --- net/openssh/Makefile | 58 +++++++++++++++++++++++++++---- net/openssh/files/sshd.pam | 41 ++++++++++++++++++++++ net/openssh/files/sshd.pam-access | 4 +++ 3 files changed, 97 insertions(+), 6 deletions(-) create mode 100644 net/openssh/files/sshd.pam create mode 100644 net/openssh/files/sshd.pam-access diff --git a/net/openssh/Makefile b/net/openssh/Makefile index 1ef6659294..4b8a10e5d2 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssh PKG_VERSION:=6.3p1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ @@ -18,6 +18,9 @@ PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.de.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/ PKG_MD5SUM:=225e75c9856f76011966013163784038 + +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) + PKG_BUILD_DEPENDS:=libopenssl include $(INCLUDE_DIR)/package.mk @@ -30,11 +33,12 @@ define Package/openssh/Default MAINTAINER:=Peter Wagner URL:=http://www.openssh.com/ SUBMENU:=SSH + VARIANT:=without-pam endef define Package/openssh-moduli $(call Package/openssh/Default) - DEPENDS+= +openssh-server + DEPENDS+= +openssh-keygen TITLE+= moduli file endef 
@@ -42,7 +46,6 @@ define Package/openssh-moduli/description OpenSSH server moduli file. endef - define Package/openssh-client $(call Package/openssh/Default) TITLE+= client @@ -89,6 +92,23 @@ define Package/openssh-server/conffiles /etc/ssh/sshd_config endef +define Package/openssh-server-pam + $(call Package/openssh/Default) + DEPENDS+= +libpthread +openssh-keygen +libpam + TITLE+= server (with PAM support) + VARIANT:=with-pam +endef + +define Package/openssh-server-pam/description +OpenSSH server (with PAM support). +endef + +define Package/openssh-server-pam/conffiles +/etc/pam.d/sshd +/etc/security/access-sshd-local.conf +/etc/ssh/sshd_config +endef + define Package/openssh-sftp-client $(call Package/openssh/Default) TITLE+= SFTP client @@ -124,9 +144,16 @@ CONFIGURE_ARGS+= \ --disable-wtmpx \ --without-bsd-auth \ --without-kerberos5 \ - --without-pam \ --without-x +ifeq ($(BUILD_VARIANT),with-pam) +CONFIGURE_ARGS += \ + --with-pam +else +CONFIGURE_ARGS += \ + --without-pam +endif + ifeq ($(CONFIG_OPENSSL_ENGINE),y) CONFIGURE_ARGS+= \ --with-ssl-engine @@ -139,6 +166,10 @@ endif CONFIGURE_VARS += LD="$(TARGET_CC)" +ifeq ($(BUILD_VARIANT),with-pam) +TARGET_LDFLAGS += -lpthread +endif + define Build/Compile $(MAKE) -C $(PKG_BUILD_DIR) \ DESTDIR="$(PKG_INSTALL_DIR)" \ @@ -152,7 +183,7 @@ endef define Package/openssh-moduli/install $(INSTALL_DIR) $(1)/etc/ssh - $(CP) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/ endef define Package/openssh-client/install 
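Review bot: The new `Package/openssh-server-pam` define gives no hint that it is an alternative to `openssh-server` even though, per the install hunk further down, both ship `/usr/sbin/sshd`, `/etc/init.d/sshd` and `/etc/ssh/sshd_config`; selecting both therefore ends in a file-ownership clash at install time instead of a clear message. If this tree's package.mk supports it, record the relationship on the PAM variant (e.g. `PROVIDES:=openssh-server`), or at minimum add `Mutually exclusive with openssh-server.` to its description. The description should also carry the note that currently lives only in the commit message, since the installed sshd_config is the unmodified upstream one: `OpenSSH server (with PAM support). PAM is only used once UsePAM yes is set in /etc/ssh/sshd_config.` The conffiles list correctly covers `/etc/pam.d/sshd` and the access file.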
@@ -178,7 +209,21 @@ endef define Package/openssh-server/install $(INSTALL_DIR) $(1)/etc/ssh chmod 0700 $(1)/etc/ssh - $(CP) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/ +endef + +define Package/openssh-server-pam/install + $(INSTALL_DIR) $(1)/etc/ssh + chmod 0700 $(1)/etc/ssh + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ + $(INSTALL_DIR) $(1)/etc/pam.d + $(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd + $(INSTALL_DIR) $(1)/etc/security + $(INSTALL_DATA) ./files/sshd.pam-access $(1)/etc/security/access-sshd-local.conf $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd $(INSTALL_DIR) $(1)/usr/sbin @@ -202,5 +247,6 @@ $(eval $(call BuildPackage,openssh-moduli)) $(eval $(call BuildPackage,openssh-client-utils)) $(eval $(call BuildPackage,openssh-keygen)) $(eval $(call BuildPackage,openssh-server)) +$(eval $(call BuildPackage,openssh-server-pam)) $(eval $(call BuildPackage,openssh-sftp-client)) $(eval $(call BuildPackage,openssh-sftp-server)) diff --git a/net/openssh/files/sshd.pam b/net/openssh/files/sshd.pam new file mode 100644 index 0000000000..387ff2e080 --- /dev/null +++ b/net/openssh/files/sshd.pam 
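Review bot: `Package/openssh-server-pam/install` repeats the first five recipe lines of `Package/openssh-server/install` (directory, `chmod 0700` on /etc/ssh, sshd_config, init script, sshd binary) verbatim, so a later change to one — the permission tightening is the obvious example — can silently drift from the other. Calling the base recipe with `$(call Package/openssh-server/install,$(1))` and appending only the PAM files keeps the two variants in step. The switch from `$(CP)` to `$(INSTALL_DATA)` for sshd_config and moduli is an improvement, as it pins the installed mode instead of inheriting whatever the build tree had. The `Package/openssh-server-pam/install` define ends outside the hunk.
```make
define Package/openssh-server-pam/install
	$(call Package/openssh-server/install,$(1))
	$(INSTALL_DIR) $(1)/etc/pam.d
	$(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd
	$(INSTALL_DIR) $(1)/etc/security
	$(INSTALL_DATA) ./files/sshd.pam-access $(1)/etc/security/access-sshd-local.conf
endef
```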
@@ -0,0 +1,41 @@ +# PAM configuration for the Secure Shell service + +# Read environment variables from /etc/environment and +# /etc/security/pam_env.conf. +auth required pam_env.so + +# Skip Google Authenticator if logging in from the local network. +# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf +# Google Authenticator 2-step verification. +# auth requisite pam_google_authenticator.so + +# Standard Un*x authentication. +auth include common-auth + +# Disallow non-root logins when /etc/nologin exists. +account required pam_nologin.so + +# Uncomment and edit /etc/security/access.conf if you need to set complex +# access limits that are hard to express in sshd_config. +# account required pam_access.so + +# Standard Un*x authorization. +account include common-account + +# Standard Un*x session setup and teardown. +session include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so + +# Print the status of the user's mailbox upon successful login. +session optional pam_mail.so standard noenv + +# Set up user limits from /etc/security/limits.conf. +session required pam_limits.so + +# Set up SELinux capabilities (need modified pam) +# session required pam_selinux.so multiple + +# Standard Un*x password updating. +password include common-password diff --git a/net/openssh/files/sshd.pam-access b/net/openssh/files/sshd.pam-access new file mode 100644 index 0000000000..425ff1194c --- /dev/null +++ b/net/openssh/files/sshd.pam-access @@ -0,0 +1,4 @@ +# Skip Google Authenticator for local network +#+ : ALL : 192.168.1.0/24 ++ : ALL : LOCAL +- : ALL : ALL -- 2.30.2
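Review bot: The `include common-auth` / `common-account` / `common-session` / `common-password` lines and the `required` modules `pam_env.so`, `pam_nologin.so` and `pam_limits.so` all refer to files this package does not ship, while the package's DEPENDS in the Makefile hunk names only libpam; whether the target's libpam build provides `/etc/pam.d/common-*` and these modules is not visible here. As far as I can tell Linux-PAM treats a missing included file or module in a `required`/`include` slot as a stack failure, so the consequence of a gap is PAM logins failing closed rather than a bypass — a hard-to-diagnose lockout once `UsePAM yes` is set. A header comment would make the assumption explicit: `# Assumes /etc/pam.d/common-{auth,account,session,password} and the pam_env, pam_nologin and pam_limits modules are provided by the libpam package on the target; verify before enabling UsePAM.`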
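Review bot: The comment `# Skip Google Authenticator for local network` does not match the active rule `+ : ALL : LOCAL`, because in pam_access the LOCAL keyword is not a network: in the classic implementation it matches any origin string without a `.`, and for sshd the origin is the remote host from PAM_RHOST, so an IPv6 literal or an un-dotted hostname would count as "local" (exact behaviour depends on the Linux-PAM version and on sshd's UseDNS setting — verify against the target's pam_access). The commented-out `#+ : ALL : 192.168.1.0/24` is the form that actually expresses the intent, and the closing `- : ALL : ALL` is only safe because the `[success=1 default=ignore]` control in sshd.pam turns a deny into "do not skip". Note also that this file is inert as shipped, since the `pam_access.so accessfile=` line in sshd.pam is commented out; the header should say so, e.g. `# Only consulted when the pam_access line in /etc/pam.d/sshd is enabled; prefer an explicit subnet over LOCAL.`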