Buildroot Ssh

Posted : admin On 1/2/2022
  • And tell Buildroot in make menuconfig (System Configuration, user tables) where to find your user table file. The above sample content would create an additional user foo with password bar (login is activated). This user can log in via ssh right away, since he's not root. Option B: Permit Root Login.
Buildroot ssh-keygen

Buildroot is pure awesomeness for maintaining the build of a GNU/Linux based operating system. However, during my ventures I’ve had to keep private code private, so I use a git repo behind ssh. There is a way to achieve this with Buildroot but it is undocumented:

Connect via UART TTL. You will want to get this working sooner or later, as it is the best way to debug your buildroot distro on the board.config is simply raspberrypi2defconfig + openssh enabled with make menuconfig. Then just: ssh '[email protected]$(cat /var/lib/misc/dnsmasq.leases cut -d ' '.


LIBFOO_SITE = ssh://[email protected]/group/repo.git

On the first line we have to set the method to git, as the auto-detect won’t work on SSH.
The second line contains the git repo as it would be defined if using git via ssh, except prepended with ssh://, and the colon that is normally between the end of the FQDN and the location is replaced with a slash.
Line 3 can be a tag, branch or commit hash.


I am not sure if line 2 is correct in all cases but it works for me.
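
The rewrite described above (prepend ssh://, turn the colon after the host into a slash), as an added example that is not part of the original post. The host git.example.com, the version v1.2.3 and both function names are made up for illustration; LIBFOO_SITE_METHOD and LIBFOO_VERSION are Buildroot's standard package variables for the "method" and "tag, branch or commit hash" lines the post refers to.

```shell
#!/bin/sh
# Added example, not from the original post. Remote and version are constructed.

# scp_to_ssh_url REMOTE
# Prints REMOTE in ssh:// form; returns 1 if it is not a usable SSH remote.
scp_to_ssh_url() {
    remote=$1
    case $remote in
        ssh://*)        # already a URL (may carry a port): leave untouched
            printf '%s\n' "$remote"; return 0 ;;
        *://*)          # https://, git://, ...: not an SSH remote
            return 1 ;;
        *" "*|-*|'')    # a leading dash would be parsed as an option by ssh
            return 1 ;;
    esac
    case $remote in
        *:*) ;;
        *) return 1 ;;  # no colon at all: a local path
    esac
    host=${remote%%:*}  # user@host, the text before the first colon
    path=${remote#*:}   # group/repo.git, the text after it
    case $host in
        */*|'') return 1 ;;   # ./dir:name is a local path, not host:path
    esac
    path=${path#/}      # avoid emitting host//path for absolute paths
    [ -n "$path" ] || return 1
    # Caveat: on a plain sshd host the scp-like path is relative to the home
    # directory while the ssh:// path is absolute; hosted git servers that
    # route by repository name accept both.
    printf 'ssh://%s/%s\n' "$host" "$path"
}

# buildroot_git_vars PKG REMOTE VERSION
# Prints the three package lines in the order the post describes them.
buildroot_git_vars() {
    url=$(scp_to_ssh_url "$2") || return 1
    [ -n "$3" ] || return 1
    printf '%s_SITE_METHOD = git\n%s_SITE = %s\n%s_VERSION = %s\n' \
        "$1" "$1" "$url" "$1" "$3"
}

buildroot_git_vars LIBFOO 'git@git.example.com:group/repo.git' v1.2.3
```

Using a full commit hash as the version pins the build to one exact revision, which a branch name does not.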

Buildroot Ssh Login Password

Commit message | Author | Age | Files | Lines
* package/openssh: security bump to version 8.5p1 | Fabrice Fontaine | 2021-03-28 | 2 | -7/+9
  * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2. We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.
  * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR#212
  Also license has been updated to add some openbsd-compat licenses: Fabrice Fontaine <[email protected]>
  Signed-off-by: Yann E. MORIN <[email protected]>
* package/openssh: security bump to version 8.4p1 | Christian Stewart | 2021-03-01 | 2 | -4/+4
  Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of 'anomalous argument transfers' because that could 'stand a great chance of breaking existing workflows.' Christian Stewart <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* Replace LIBFOO_CPE_ID_VERSION_MINOR by LIBFOO_CPE_ID_UPDATE | Fabrice Fontaine | 2021-01-31 | 1 | -1/+1
  Replace LIBFOO_CPE_ID_VERSION_MINOR by LIBFOO_CPE_ID_UPDATE to better 'comply' with the official 'Well-Formed CPE Name Data Model' parameters: - - Fabrice Fontaine <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package: provide CPE ID details for numerous packages | Matt Weber | 2021-01-04 | 1 | -0/+3
  This patch adds CPE ID information for a significant number of packages.
  Signed-off-by: Matthew Weber <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/openssh: add optional dependency on audit | Norbert Lange | 2020-06-06 | 1 | -0/+7
  Signed-off-by: Norbert Lange <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/openssh: bump to version 8.3p1 | Baruch Siach | 2020-06-05 | 2 | -4/+4
  Format hash file with two spaces separators.
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Yann E. MORIN <[email protected]>
* package/openssh: allow separate selection of client, server, keyutils | Thomas De Schampheleire | 2020-05-09 | 2 | -4/+55
  The openssh package comprises three separate entities: the SSH client, SSH server, and some SSH key utilities. One may want the client but not the server, the server but not the client, or maybe only the key utilities.
  Add separate options for each entity and update the files installed on target accordingly.
  On an ARM Cortex-A53 configuration, size of stripped binaries are:
  Client programs: 2213118 bytes (2161 KB)
    usr/bin/ssh,657180
    usr/bin/scp,99836
    usr/bin/ssh-add,312800
    usr/bin/ssh-agent,296428
    usr/libexec/ssh-keysign,398908
    usr/libexec/ssh-pkcs11-helper,292316
    usr/bin/sftp,144992
    usr/bin/ssh-copy-id,10658
  Server programs: 806840 bytes (787 KB)
    usr/libexec/sftp-server,112140
    usr/sbin/sshd,694168
    etc/init.d/S50sshd,532
  Key utilities: 789648 bytes (771 KB)
    usr/bin/ssh-keygen,398924
    usr/bin/ssh-keyscan,390724
  Signed-off-by: Thomas De Schampheleire <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/openssh: bump to version 8.2p1 | Romain Naour | 2020-04-04 | 2 | -3/+3
  This new version is mandatory to allow the glibc package bump to version 2.31. Otherwise it's not possible to connect to the remote host, as reported by [1] [2]. Upstream commit [3][4] fixes the issue.
  [1][2][3][4] Note: Romain Naour <[email protected]>
  Reviewed-by: David Pierret <[email protected]>
  Tested-by: David Pierret <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package: rely on systemctl preset-all for buildroot-provided services | Jérémy Rosen | 2019-12-18 | 1 | -3/+0
  All the packages in this list have the following properties
  * units are provided by buildroot in the package directory
  * the SYSTEMD_INSTALL_INIT_HOOK is exactly equivalent to what the [Install] section of the unit does
  The fix removes the softlinking in the .mk file
  Signed-off-by: Jérémy Rosen <[email protected]>
  Signed-off-by: Yann E. MORIN <[email protected]>
* package/openssh: bump to version 8.1p1 | Baruch Siach | 2019-10-15 | 2 | -4/+4
  This bump is not marked as security bump. The 8.1 release fixes a XMSS key parsing code vulnerability. This code can not be enabled without explicit definition of the WITH_XMSS macro.
  Update LICENCE hash; converted to UTF-8.
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* package/openssh: bump to version 8.0p1 | Adam Duskett | 2019-06-21 | 5 | -503/+3
  Also remove upstream patches.
  Signed-off-by: Adam Duskett <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/openssh: fix build with atomic | Fabrice Fontaine | 2019-04-26 | 1 | -2/+5
  Use pkg-config to retrieve openssl dependencies such as atomic
  Fixes: - Fabrice Fontaine <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: add upstream security fixes | Baruch Siach | 2019-02-12 | 2 | -0/+461
  CVE-2019-6109: Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
  CVE-2019-6111: Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* package/openssh: Add sysusers.d snippet | Chris Lesiak | 2019-02-06 | 2 | -4/+13
  Whether using the new sysusers.d snippet, or adding an entry to /etc/password, set the service's home directory to /var/empty.
  See README.privsep included as part of the openssh distribution.
  Signed-off-by: Chris Lesiak <[email protected]>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
* package/openssh: Set /var/empty permissions | Chris Lesiak | 2019-02-03 | 1 | -0/+4
  The openssh privilege separation feature, enabled by default, requires that the path /var/empty exists and has certain permissions (not writable by the sshd user). Note that nothing ever gets written in this directory, so it works fine on a readonly rootfs.
  See README.privsep included as part of the openssh distribution.
  Signed-off-by: Chris Lesiak <[email protected]>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
* package/openssh: add upstream security fix | Baruch Siach | 2019-01-15 | 1 | -0/+39
  Fixes CVE-2018-20685: The scp client allows server to modify permissions of the target directory by using empty ('D0777 0 n') or dot ('D0777 0.n') directory name.
  The bug reporter lists a number of related vulnerabilities that are not fixed yet: Baruch Siach <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* package/openssh: use BR2_SYSTEM_DEFAULT_PATH as default PATH | Markus Mayer | 2018-12-31 | 1 | -0/+1
  We use the configuration option $(BR2_SYSTEM_DEFAULT_PATH) to set the default PATH in OpenSSH sessions.
  $(BR2_SYSTEM_DEFAULT_PATH) is a Kconfig string. So it is already quoted, which is exactly what we want.
  Signed-off-by: Markus Mayer <[email protected]>
  Reviewed-by: 'Yann E. MORIN' <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: bump to version 7.9p1 | Baruch Siach | 2018-10-21 | 4 | -96/+3
  Drop patch #1. uClibc no longer includes pthreads.h indirectly.
  Drop patch #2. The sys/param.h header is included indirectly through the local includes.h header since version 6.8p1.
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: security bump to version 7.8 | Baruch Siach | 2018-08-24 | 2 | -3/+3
  Fixes CVE-2018-15473: user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed.
  Some OpenSSH developers don't consider this a security issue: Baruch Siach <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: bump to version 7.7p1 | Baruch Siach | 2018-04-10 | 7 | -149/+3
  Drop upstream patches, renumber the rest.
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/openssh: also install ssh-copy-id script | Julien BOIBESSOT | 2018-02-08 | 1 | -0/+6
  This script is useful to copy SSH keys between client and server [1] and installed on most distributions (for example on debian: [2]).
  [1][2] Julien BOIBESSOT <[email protected]>
  Reviewed-by: 'Yann E. MORIN' <[email protected]>
  [Thomas: use full destination path.]
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/*/ fix help text check-package warnings | Thomas Petazzoni | 2017-12-18 | 1 | -2/+3
  This commit fixes the warnings reported by check-package on the help text of all package files, related to the formatting of the help text: should start with a tab, then 2 spaces, then at most 62 characters.
  The vast majority of warnings fixed were caused by too long lines. A few warnings were related to spaces being used instead of a tab to indent the help text.
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: fix getpagesize() related static linking issue | Peter Korsgaard | 2017-11-01 | 1 | -0/+35
  Fixes: configure script checks for getpagesize() and sets HAVE_GETPAGESIZE in config.h, but bsd-getpagesize.c forgot to include includes.h (which indirectly includes config.h) so the checks always fails, causing linker issues when linking statically on systems with getpagesize().
  Fix it by including includes.h.
  Patch submitted upstream: Peter Korsgaard <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.6p1 | Peter Korsgaard | 2017-10-27 | 2 | -3/+5
  Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
  For more details, see the release notes: add a hash for the license file while we're at it.
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: don't download patch from Github | Thomas Petazzoni | 2017-07-03 | 6 | -6/+109
  Patches downloaded from Github are not stable, so bring them in the tree.
  Signed-off-by: Thomas Petazzoni <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: fix sshd for MIPS64 n32 | Vicente Olivert Riera | 2017-06-21 | 2 | -0/+8
  This patch backports two patches that have been sent upstream as a pull request in order to fix sshd for MIPS64 n32.
  The first patch adds support for detecting the MIPS ABI during the configure phase.
  The second patch sets the right value to seccomp_audit_arch taking into account the MIPS64 ABI.
  Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or AUDIT_ARCH_MIPSEL64 (depending on the endianness) when openssh is built for MIPS64. However, that's only valid for n64 ABI. The right macros for n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.
  Because of that an sshd built for MIPS64 n32 rejects connection attempts and the output of strace reveals that the problem is related to seccomp audit:
    [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,filter=0x555d5da0}) = 0
    [pid 194] write(7, '000]0005000Ulist_hostkey_types: '..., 97) = ?
    [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN POLLHUP},{fd=6, revents=POLLHUP}])
    [pid 194] +++ killed by SIGSYS +++
  Pull request: Vicente Olivert Riera <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: add support for HW SSL engines | Gilad Ben-Yossef | 2017-05-03 | 1 | -0/+7
  Enable support for OpenSSH to use a hardware SSL engine if cryptodev-linux is included. Without this, OpenSSH uses only OpenSSL software crypto implementation.
  Signed-off-by: Gilad Ben-Yossef <[email protected]>
  CC: Baruch Siach <[email protected]>
  CC: Arnout Vandecappelle <[email protected]>
  Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* boot, package: use SPDX short identifier for BSD-2c | Rahul Bedarkar | 2017-04-01 | 1 | -1/+1
  We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-2c is BSD-2-Clause.
  This change is done using following command.
    find . -name '*.mk' | xargs sed -ri '/LICENSE( )?[+:]?=/s/BSD-2c/BSD-2-Clause/g'
  Signed-off-by: Rahul Bedarkar <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* boot, package: use SPDX short identifier for BSD-3c | Rahul Bedarkar | 2017-04-01 | 1 | -1/+1
  We want to use SPDX identifier for license string as much as possible. SPDX short identifier for BSD-3c is BSD-3-Clause.
  This change is done using following command.
    find . -name '*.mk' | xargs sed -ri '/LICENSE( )?[+:]?=/s/BSD-3c/BSD-3-Clause/g'
  Signed-off-by: Rahul Bedarkar <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.5 | Baruch Siach | 2017-03-21 | 2 | -4/+3
  From the release notes (
  * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entirely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London.
  * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be manipulated by a hostile server to perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero.
  [Peter: mention security fixes]
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: Move key generation to the start function of init script. | Ignacy Gawędzki | 2017-02-26 | 1 | -3/+3
  Since there's not much point in generating missing host keys when the init script is called with 'stop', the call to ssh-keygen should not be done unconditionally, but in the start function instead.
  Signed-off-by: Ignacy Gawędzki <[email protected]>
  Acked-by: 'Yann E. MORIN' <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* packages: improve license type lists | Danomi Manchego | 2017-02-20 | 1 | -1/+1
  Make license type lists more uniform:
  * put content license applies to in parenthesis; ex: 'GPLv2+ (programs)'
  * use commas to separate types listed without conjunction; ex: 'GPLv2, LGPLv2'
  No attempt was made to validate the claimed licenses. This is just a tweak to increase uniformity of the _LICENSE variables.
  Signed-off-by: Danomi Manchego <[email protected]>
  Reviewed-by: Thomas Petazzoni <[email protected]>
  [Thomas: replace semi-colons by commas in LIBURCU_LICENSE.]
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.4p1 | Gustavo Zacarias | 2016-12-19 | 3 | -34/+3
  Fixes:
  CVE-2016-10009 - ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist
  CVE-2016-10010 - sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root'
  CVE-2016-10011 - sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc()
  CVE-2016-10012 - sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers upstream patch.
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: add upstream security fix | Baruch Siach | 2016-11-15 | 1 | -0/+31
  Fixes CVE-2016-8858: Memory exhaustion, up to 128MB, of unauthenticated peer.
  Signed-off-by: Baruch Siach <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: bump version to 7.3p1 | Vicente Olivert Riera | 2016-08-01 | 2 | -3/+3
  Signed-off-by: Vicente Olivert Riera <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* toolchain: add hidden symbol for PIE support | Waldemar Brodkorb | 2016-07-24 | 1 | -6/+1
  uClibc-ng does not support PIE for some architectures as arc and m68k. It isn't implemented in the static linking case, too. With musl toolchains you might have static PIE support with little patching of gcc. Static linking for GNU libc isn't enabled in buildroot. Fixup any package using special treatment of PIE. (grep -ir pie package/*/*.mk)
  Signed-off-by: Waldemar Brodkorb <[email protected]>
  [Thomas: use positive logic.]
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.2p2 | Gustavo Zacarias | 2016-03-10 | 2 | -2/+2
  Fixes:
  CVE-2016-3115 - sanitise X11 authentication credentials to avoid xauth command injection when X11Forwarding is enabled.
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: bump to version 7.2p1 | Gustavo Zacarias | 2016-02-29 | 2 | -3/+3
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.1p2 | Gustavo Zacarias | 2016-01-14 | 2 | -4/+3
  Fixes:
  CVE-2016-0777 - Client Information leak from use of roaming connection feature.
  CVE-2016-0778 - A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options.
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Reviewed-by: James Knight <[email protected]>
  Tested-by: James Knight <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* package: Replace 'echo -n' by 'printf' | Maxime Hadjinlian | 2015-10-04 | 1 | -2/+2
  'echo -n' is not a POSIX construct (no flag support), we should use 'printf', especially in init script.
  This patch was generated by the following command line:
    git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
  Signed-off-by: Maxime Hadjinlian <[email protected]>
  Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: fix static compilation | Waldemar Brodkorb | 2015-08-29 | 1 | -0/+4
  PIE and static doesn't work on Linux.
  Fixes: Waldemar Brodkorb <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: security bump to version 7.1p1 | Gustavo Zacarias | 2015-08-25 | 2 | -3/+4
  Fixes:
  CVE-2015-6563 - Fixed a privilege separation weakness related to PAM support.
  CVE-2015-6564 - Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution.
  CVE-2015-6565 - incorrectly set TTYs to be world-writable.
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* openssh: selinux and pam support | Matt Weber | 2015-07-18 | 1 | -0/+16
  [Thomas: in the sed expression, use % as a delimiter instead of /, since the line contains several / that all had to be escaped.]
  Signed-off-by: Matthew Weber <[email protected]>
  Reviewed-by: Samuel Martin <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: bump to version 6.9p1 | Gustavo Zacarias | 2015-07-02 | 2 | -3/+3
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package: kill pointless text justification | Gustavo Zacarias | 2015-04-23 | 1 | -1/+1
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: move systemd service files to /usr/lib | Mike Williams | 2015-03-20 | 1 | -2/+2
  Signed-off-by: Mike Williams <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* openssh: bump to version 6.8p1 | Gustavo Zacarias | 2015-03-18 | 3 | -42/+24
  Signed-off-by: Gustavo Zacarias <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/*: rename patches according to the new policy | Peter Korsgaard | 2015-02-03 | 2 | -0/+0
  Autogenerated from ( Samuel Martin <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>
* package: indentation cleanup | Jerzy Grzegorek | 2014-12-24 | 1 | -2/+8
  Signed-off-by: Jerzy Grzegorek <[email protected]>
  Signed-off-by: Thomas Petazzoni <[email protected]>
* package/*/*.mk: Fix indent | Maxime Hadjinlian | 2014-11-08 | 1 | -1/+1
  Fix indent for LIBFOO_USERS and LIBFOO_PERMISSIONS as per the manual example.
  Signed-off-by: Maxime Hadjinlian <[email protected]>
  Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
  Signed-off-by: Peter Korsgaard <[email protected]>