Complete Yocto mirror with license table for TQMa6UL (2038-compliance)

- 264 license table entries with exact download URLs (224/264 resolved)
- Complete sources/ directory with all BitBake recipes
- Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl)
- Full traceability for Softwarefreigabeantrag
- GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4
- License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16)

sources/poky/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch

@@ -0,0 +1,27 @@
+From 88351eca17dcc55189991ba60e50819b6d4193c1 Mon Sep 17 00:00:00 2001
+From: 90 <hi@90.gripe>
+Date: Fri, 5 Apr 2024 19:36:06 +0100
+Subject: [PATCH] Fix missing header for systemd notification
+
+Upstream-Status: Backport [88351eca17dcc55189991ba60e50819b6d4193c1]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+
+---
+ openbsd-compat/port-linux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index df7290246df6..4c024c6d2d61 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -33,6 +33,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <time.h>
++#include <unistd.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+-- 
+2.39.2
+

sources/poky/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch

@@ -0,0 +1,225 @@
+From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: [PATCH] notify systemd on listen and reload
+
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ configure.ac                |  1 +
+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+ openbsd-compat/port-linux.h |  5 ++
+ platform.c                  | 11 +++++
+ platform.h                  |  1 +
+ sshd.c                      |  2 +
+ 6 files changed, 115 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 82e8bb7c1..854f92b5b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ 	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+ 	AC_DEFINE([USE_BTMP])
+ 	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
++	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+ 	inet6_default_4in6=yes
+ 	case `uname -r` in
+ 	1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0457e28d0..df7290246 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
+ 
+ #include "includes.h"
+ 
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
++    defined(SYSTEMD_NOTIFY)
++#include <sys/socket.h>
++#include <sys/un.h>
++
+ #include <errno.h>
++#include <inttypes.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <time.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
++#include "misc.h"
+ 
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -310,4 +317,90 @@ oom_adjust_restore(void)
+ 	return;
+ }
+ #endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
++
++#ifdef SYSTEMD_NOTIFY
++
++static void ssh_systemd_notify(const char *, ...)
++    __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
++
++static void
++ssh_systemd_notify(const char *fmt, ...)
++{
++	char *s = NULL;
++	const char *path;
++	struct stat sb;
++	struct sockaddr_un addr;
++	int fd = -1;
++	va_list ap;
++
++	if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
++		return;
++
++	va_start(ap, fmt);
++	xvasprintf(&s, fmt, ap);
++	va_end(ap);
++
++	/* Only AF_UNIX is supported, with path or abstract sockets */
++	if (path[0] != '/' && path[0] != '@') {
++		error_f("socket \"%s\" is not compatible with AF_UNIX", path);
++		goto out;
++	}
++
++	if (path[0] == '/' && stat(path, &sb) != 0) {
++		error_f("socket \"%s\" stat: %s", path, strerror(errno));
++		goto out;
++	}
++
++	memset(&addr, 0, sizeof(addr));
++	addr.sun_family = AF_UNIX;
++	if (strlcpy(addr.sun_path, path,
++	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
++		error_f("socket path \"%s\" too long", path);
++		goto out;
++	}
++	/* Support for abstract socket */
++	if (addr.sun_path[0] == '@')
++		addr.sun_path[0] = 0;
++	if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
++		error_f("socket \"%s\": %s", path, strerror(errno));
++		goto out;
++	}
++	if (connect(fd, &addr, sizeof(addr)) != 0) {
++		error_f("socket \"%s\" connect: %s", path, strerror(errno));
++		goto out;
++	}
++	if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
++		error_f("socket \"%s\" write: %s", path, strerror(errno));
++		goto out;
++	}
++	debug_f("socket \"%s\" notified %s", path, s);
++ out:
++	if (fd != -1)
++		close(fd);
++	free(s);
++}
++
++void
++ssh_systemd_notify_ready(void)
++{
++	ssh_systemd_notify("READY=1");
++}
++
++void
++ssh_systemd_notify_reload(void)
++{
++	struct timespec now;
++
++	monotime_ts(&now);
++	if (now.tv_sec < 0 || now.tv_nsec < 0) {
++		error_f("monotime returned negative value");
++		ssh_systemd_notify("RELOADING=1");
++	} else {
++		ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
++		    ((uint64_t)now.tv_sec * 1000000ULL) +
++		    ((uint64_t)now.tv_nsec / 1000ULL));
++	}
++}
++#endif /* SYSTEMD_NOTIFY */
++
++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a854d..14064f87d 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+ void oom_adjust_setup(void);
+ #endif
+ 
++#ifdef SYSTEMD_NOTIFY
++void ssh_systemd_notify_ready(void);
++void ssh_systemd_notify_reload(void);
++#endif
++
+ #endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 4fe8744ee..9cf818153 100644
+--- a/platform.c
++++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+ #endif
+ }
+ 
++void
++platform_post_listen(void)
++{
++#ifdef SYSTEMD_NOTIFY
++	ssh_systemd_notify_ready();
++#endif
++}
++
+ void
+ platform_pre_fork(void)
+ {
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+ void
+ platform_pre_restart(void)
+ {
++#ifdef SYSTEMD_NOTIFY
++	ssh_systemd_notify_reload();
++#endif
+ #ifdef LINUX_OOM_ADJUST
+ 	oom_adjust_restore();
+ #endif
+diff --git a/platform.h b/platform.h
+index 7fef8c983..5dec23276 100644
+--- a/platform.h
++++ b/platform.h
+@@ -21,6 +21,7 @@
+ void platform_pre_listen(void);
+ void platform_pre_fork(void);
+ void platform_pre_restart(void);
++void platform_post_listen(void);
+ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index b4f2b9742..865331b46 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2077,6 +2077,8 @@ main(int ac, char **av)
+ 		ssh_signal(SIGTERM, sigterm_handler);
+ 		ssh_signal(SIGQUIT, sigterm_handler);
+ 
++		platform_post_listen();
++
+ 		/*
+ 		 * Write out the pid file after the sigterm handler
+ 		 * is setup and the listen sockets are bound
+-- 
+2.45.2
+

sources/poky/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch

@@ -0,0 +1,61 @@
+From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 11 Sep 2023 09:55:21 +0100
+Subject: [PATCH] regress/banner.sh: log input and output files on error
+
+Some test environments like yocto with qemu are seeing these
+tests failing. There may be additional error messages in the
+stderr of ssh cloent command. busybox cmp shows this error when
+first input file has less new line characters then second
+input file:
+
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+
+Logging the full banner.out will show what other error messages
+are captured in addition of the expected banner.
+
+Full log of a failing banner test runs is:
+
+run test banner.sh ...
+test banner: missing banner file
+test banner: size 0
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 0 mismatch
+test banner: size 10
+test banner: size 100
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 100 mismatch
+test banner: size 1000
+test banner: size 10000
+test banner: size 100000
+test banner: suppress banner (-q)
+FAIL:  banner
+return value: 1
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ regress/banner.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/regress/banner.sh b/regress/banner.sh
+index a84feb5a..de84957a 100644
+--- a/regress/banner.sh
++++ b/regress/banner.sh
+@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
+ 	verbose "test $tid: size $s"
+ 	( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ 		cmp $OBJ/banner.in $OBJ/banner.out ) || \
+-		fail "banner size $s mismatch"
++		( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
++		  verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
++		  fail "banner size $s mismatch" )
+ done
+ 
+ trace "test suppress banner (-q)"
+-- 
+2.34.1
+

sources/poky/meta/recipes-connectivity/openssh/openssh/CVE-2024-39894.patch

@@ -0,0 +1,35 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
+ we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2024-39894.patch?h=ubuntu/noble-security
+Upstream commit https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08]
+CVE: CVE-2024-39894
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ clientloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -612,8 +612,9 @@ obfuscate_keystroke_timing(struct ssh *s
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
++		} else if (timespeccmp(&now, &next_interval, >=) &&
++		    !ssh_packet_have_data_to_write(ssh)) {
++			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}

sources/poky/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch

@@ -0,0 +1,27 @@
+Description: fix signal handler race condition
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
+
+CVE: CVE-2024-6387
+
+Upstream-Status: Backport
+https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+
+--- a/log.c
++++ b/log.c
+@@ -452,12 +452,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 

sources/poky/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch

@@ -0,0 +1,169 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+
+CVE: CVE-2025-26465
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ krl.c           | 4 +++-
+ ssh-agent.c     | 5 +++++
+ ssh-sk-client.c | 4 +++-
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/krl.c b/krl.c
+index e2efdf0..0d0f695 100644
+--- a/krl.c
++++ b/krl.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */
++/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+  *
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+			break;
+		case KRL_SECTION_CERT_SERIAL_BITMAP:
+			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+				error_f("insane bitmap gap");
+				goto out;
+			}
+@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
+	}
+
+	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+		error_f("alloc failed");
+		goto out;
+	}
+diff --git a/ssh-agent.c b/ssh-agent.c
+index b6a3f48..2d2c6fc 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1204,6 +1204,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+	    "restrict-destination-v00@openssh.com") == 0) {
+		if (*dcsp != NULL) {
+			error_f("%s already set", ext_name);
++			r = SSH_ERR_INVALID_FORMAT;
+			goto out;
+		}
+		if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1213,6 +1214,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+		while (sshbuf_len(b) != 0) {
+			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+				goto out;
+			}
+			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1230,6 +1232,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+		}
+		if (*certs != NULL) {
+			error_f("%s already set", ext_name);
++			r = SSH_ERR_INVALID_FORMAT;
+			goto out;
+		}
+		if ((r = sshbuf_get_u8(m, &v)) != 0 ||
+@@ -1241,6 +1244,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+		while (sshbuf_len(b) != 0) {
+			if (*ncerts >= AGENT_MAX_EXT_CERTS) {
+				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+				goto out;
+			}
+			*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
+@@ -1737,6 +1741,7 @@ process_ext_session_bind(SocketEntry *e)
+	/* record new key/sid */
+	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+		error_f("too many session IDs recorded");
++		r = -1;
+		goto out;
+	}
+	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 321fe53..06fad22 100644
+--- a/ssh-sk-client.c
++++ b/ssh-sk-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */
++/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2019 Google LLC
+  *
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+		}
+		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+			error_f("calloc failed");
++			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+		if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+		    sizeof(*srks))) == NULL) {
+			error_f("recallocarray keys failed");
++			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fab1e36..a5f92f0 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+	    options.required_rsa_size)) != 0)
+		fatal_r(r, "Bad server host key");
+	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
++	    xxx_conn_info) != 0)
+		fatal("Host key verification failed.");
+	return 0;
+ }
+@@ -709,6 +709,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+
+	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+		debug_f("server sent unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+		goto done;
+	}
+	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -719,6 +720,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+		error("input_userauth_pk_ok: type mismatch "
+		    "for decoded key (received %d, expected %d)",
+		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+		goto done;
+	}
+
+@@ -738,6 +740,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+		    SSH_FP_DEFAULT);
+		error_f("server replied with unknown key: %s %s",
+		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++		r = SSH_ERR_INVALID_FORMAT;
+		goto done;
+	}
+	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index d50d65f..1b7f40d 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum,
+	}
+	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+		error_f("buffer error");
++		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+	/* success */
+--
+2.40.0

sources/poky/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch

@@ -0,0 +1,38 @@
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2]
+CVE: CVE-2025-26466
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index beb214f..aeab98c 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1773,6 +1773,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 			if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
+ 				return r;
+ 			DBG(debug("Received SSH2_MSG_PING len %zu", len));
++			if (!ssh->state->after_authentication) {
++				DBG(debug("Won't reply to PING in preauth"));
++				break;
++			}
++			if (ssh_packet_is_rekeying(ssh)) {
++				DBG(debug("Won't reply to PING during KEX"));
++				break;
++			}
+ 			if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
+ 			    (r = sshpkt_put_string(ssh, d, len)) != 0 ||
+ 			    (r = sshpkt_send(ssh)) != 0)
+-- 
+2.25.1
+

sources/poky/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch

@@ -0,0 +1,44 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
+CVE: CVE-2025-32728
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index aa342e8..eb932b8 100644
+--- a/session.c
++++ b/session.c
+@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2586,7 +2587,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.25.1
+

sources/poky/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch

@@ -0,0 +1,47 @@
+Adjust test cases to work with busybox.
+
+- Replace dd parameter "obs" with "bs".
+- Replace "head -<num>" with "head -n <num>".
+
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+Upstream-Status: Pending
+
+Index: openssh-7.6p1/regress/cipher-speed.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/cipher-speed.sh
++++ openssh-7.6p1/regress/cipher-speed.sh
+@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
+ 		printf "%-60s" "$c/$m:"
+ 		( ${SSH} -o 'compression no' \
+ 			-F $OBJ/ssh_proxy -m $m -c $c somehost \
+-			exec sh -c \'"dd of=/dev/null obs=32k"\' \
++			exec sh -c \'"dd of=/dev/null bs=32k"\' \
+ 		< ${DATA} ) 2>&1 | getbytes
+ 
+ 		if [ $? -ne 0 ]; then
+Index: openssh-7.6p1/regress/transfer.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/transfer.sh
++++ openssh-7.6p1/regress/transfer.sh
+@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}		|| fail "corrupted
+ for s in 10 100 1k 32k 64k 128k 256k; do
+ 	trace "dd-size ${s}"
+ 	rm -f ${COPY}
+-	dd if=$DATA obs=${s} 2> /dev/null | \
++	dd if=$DATA bs=${s} 2> /dev/null | \
+ 		${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+ 	if [ $? -ne 0 ]; then
+ 		fail "ssh cat $DATA failed"
+Index: openssh-7.6p1/regress/key-options.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/key-options.sh
++++ openssh-7.6p1/regress/key-options.sh
+@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
+ 	fi
+ 
+ 	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
+-	from=`head -1 $authkeys | cut -f1 -d ' '`
++	from=`head -n 1 $authkeys | cut -f1 -d ' '`
+ 	verbose "key option $from"
+ 	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ 	if [ "$r" = "true" ]; then

sources/poky/meta/recipes-connectivity/openssh/openssh/init

@@ -0,0 +1,90 @@
+#! /bin/sh
+set -e
+
+PIDFILE=/var/run/sshd.pid
+
+# source function library
+. /etc/init.d/functions
+
+# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
+
+test -x /usr/sbin/sshd || exit 0
+( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+check_for_no_start() {
+    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
+    if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
+	echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
+	exit 0
+    fi
+}
+
+check_privsep_dir() {
+    # Create the PrivSep empty dir if necessary
+    if [ ! -d /var/run/sshd ]; then
+	mkdir /var/run/sshd
+	chmod 0755 /var/run/sshd
+    fi
+}
+
+check_config() {
+    /usr/sbin/sshd $SSHD_OPTS -t || exit 1
+}
+
+export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
+
+case "$1" in
+  start)
+	check_for_no_start
+	echo "Starting OpenBSD Secure Shell server: sshd"
+	@LIBEXECDIR@/sshd_check_keys
+	check_privsep_dir
+	start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
+	echo "done."
+	;;
+  stop)
+	echo -n "Stopping OpenBSD Secure Shell server: sshd"
+	start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
+	echo "."
+	;;
+
+  reload|force-reload)
+	check_for_no_start
+	@LIBEXECDIR@/sshd_check_keys
+	check_config
+	echo -n "Reloading OpenBSD Secure Shell server's configuration"
+	start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
+	echo "."
+	;;
+
+  restart)
+	@LIBEXECDIR@/sshd_check_keys
+	check_config
+	echo -n "Restarting OpenBSD Secure Shell server: sshd"
+	start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
+	check_for_no_start
+	check_privsep_dir
+	sleep 2
+	start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
+	echo "."
+	;;
+
+  status)
+	status /usr/sbin/sshd
+	exit $?
+  ;;
+
+  *)
+	echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}"
+	exit 1
+esac
+
+exit 0

sources/poky/meta/recipes-connectivity/openssh/openssh/run-ptest

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+export TEST_SHELL=sh
+export SKIP_UNIT=1
+
+cd regress
+
+# copied from openssh-portable/.github/run_test.sh
+output_failed_logs() {
+    for i in failed*.log; do
+        if [ -f "$i" ]; then
+            echo -------------------------------------------------------------------------
+            echo LOGFILE $i
+            cat $i
+            echo -------------------------------------------------------------------------
+        fi
+    done
+}
+trap output_failed_logs 0
+
+sed -i "/\t\tagent-ptrace /d" Makefile
+make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
+        | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
+
+SSHAGENT=`which ssh-agent`
+GDB=`which gdb`
+
+if [ -z "${SSHAGENT}" -o -z "${GDB}" ]; then
+       echo "SKIP: agent-ptrace"
+       exit
+fi
+
+useradd openssh-test
+
+eval `su -c "${SSHAGENT} -s" openssh-test` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	echo "FAIL: could not start ssh-agent: exit code $r"
+else
+	su -c "gdb -p ${SSH_AGENT_PID}" openssh-test > /tmp/gdb.out 2>&1 << EOF
+		quit
+EOF
+	r=$?
+	if [ $r -ne 0 ]; then
+		echo "gdb failed: exit code $r"
+	fi
+	egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null /tmp/gdb.out
+	r=$?
+	rm -f /tmp/gdb.out
+	if [ $r -ne 0 ]; then
+		echo "FAIL: ptrace agent"
+	else
+		echo "PASS: ptrace agent"
+	fi
+
+	${SSHAGENT} -k > /dev/null
+fi
+userdel openssh-test
+

sources/poky/meta/recipes-connectivity/openssh/openssh/ssh_config

@@ -0,0 +1,48 @@
+#	$OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd

@@ -0,0 +1,10 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    required     pam_nologin.so
+account    include      common-account
+password   include      common-password
+session    optional     pam_keyinit.so force revoke
+session    include      common-session
+session    required     pam_loginuid.so
+

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH server daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+
+[Service]
+Type=notify-reload
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket

@@ -0,0 +1,11 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
+StandardInput=socket
+KillMode=process

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys

@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+    local FILE=$1
+    local TYPE=$2
+    local DIR="$(dirname "$FILE")"
+
+    mkdir -p "$DIR"
+    rm -f ${FILE}.tmp
+    ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+    # Atomically rename file public key
+    mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+    # This sync does double duty: Ensuring that the data in the temporary
+    # private key file is on disk before the rename, and ensuring that the
+    # public key rename is completed before the private key rename, since we
+    # switch on the existence of the private key to trigger key generation.
+    # This does mean it is possible for the public key to exist, but be garbage
+    # but this is OK because in that case the private key won't exist and the
+    # keys will be regenerated.
+    #
+    # In the event that sync understands arguments that limit what it tries to
+    # fsync(), we provided them. If it does not, it will simply call sync()
+    # which is just as well
+    sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+    mv "${FILE}.tmp" "$FILE"
+
+    # sync to ensure the atomic rename is committed
+    sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+    case "$1" in
+    -f*) if [ "$1" = "-f" ] ; then
+            sshd_config="$2"
+            shift
+        else
+            sshd_config="${1#-f}"
+        fi
+        shift
+        ;;
+    --) shift; break;;
+    *) shift;;
+    esac
+done
+
+HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
+
+for key in ${HOST_KEYS} ; do
+    [ -f $key ] && continue
+    case $key in
+    *_rsa_key)
+        echo "  generating ssh RSA host key..."
+        generate_key $key rsa
+        ;;
+    *_ecdsa_key)
+        echo "  generating ssh ECDSA host key..."
+        generate_key $key ecdsa
+        ;;
+    *_ed25519_key)
+        echo "  generating ssh ED25519 host key..."
+        generate_key $key ed25519
+        ;;
+    esac
+done

sources/poky/meta/recipes-connectivity/openssh/openssh/sshd_config

@@ -0,0 +1,119 @@
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable keyboard-interactive authentication (beware issues
+# with some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

sources/poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH Key Generation
+RequiresMountsFor=/var /run
+
+[Service]
+ExecStart=@LIBEXECDIR@/sshd_check_keys
+Type=oneshot
+RemainAfterExit=yes
+Nice=10

sources/poky/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd

@@ -0,0 +1,2 @@
+d root root 0755 /var/run/sshd none
+f root root 0644 /var/log/lastlog none

sources/poky/meta/recipes-connectivity/openssh/openssh_9.6p1.bb

@@ -0,0 +1,206 @@
+SUMMARY = "A suite of security-related network utilities based on \
+the SSH protocol including the ssh client and sshd server"
+DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
+Ssh (Secure Shell) is a program for logging into a remote machine \
+and for executing commands on a remote machine."
+HOMEPAGE = "http://www.openssh.com/"
+SECTION = "console/network"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
+
+DEPENDS = "zlib openssl virtual/crypt"
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+           file://sshd_config \
+           file://ssh_config \
+           file://init \
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://sshd.service \
+           file://sshd.socket \
+           file://sshd@.service \
+           file://sshdgenkeys.service \
+           file://volatiles.99_sshd \
+           file://run-ptest \
+           file://sshd_check_keys \
+           file://add-test-support-for-busybox.patch \
+           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
+           file://0001-notify-systemd-on-listen-and-reload.patch \
+           file://CVE-2024-6387.patch \
+           file://CVE-2024-39894.patch \
+           file://0001-Fix-missing-header-for-systemd-notification.patch \
+           file://CVE-2025-26466.patch \
+           file://CVE-2025-26465.patch \
+           file://CVE-2025-32728.patch \
+           "
+SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
+
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
+
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
+
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
+
+PAM_SRC_URI = "file://sshd"
+
+inherit manpages useradd update-rc.d update-alternatives systemd
+
+USERADD_PACKAGES = "${PN}-sshd"
+USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
+INITSCRIPT_PACKAGES = "${PN}-sshd"
+INITSCRIPT_NAME:${PN}-sshd = "sshd"
+INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
+
+SYSTEMD_PACKAGES = "${PN}-sshd"
+SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
+
+inherit autotools-brokensep ptest pkgconfig
+
+# systemd-sshd-socket-mode means installing sshd.socket
+# and systemd-sshd-service-mode corresponding to sshd.service
+PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
+PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
+PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
+PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
+PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
+PACKAGECONFIG[systemd-sshd-socket-mode] = ""
+PACKAGECONFIG[systemd-sshd-service-mode] = ""
+
+EXTRA_AUTORECONF += "--exclude=aclocal"
+
+# login path is hardcoded in sshd
+EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
+                ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
+                --without-zlib-version-check \
+                --with-privsep-path=${localstatedir}/run/sshd \
+                --sysconfdir=${sysconfdir}/ssh \
+                --with-xauth=${bindir}/xauth \
+                --disable-strip \
+                "
+
+# musl doesn't implement wtmp/utmp and logwtmp
+EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
+
+# Work around ICE on mips/mips64 starting in 9.6p1
+EXTRA_OECONF:append:mips = " --without-hardening"
+EXTRA_OECONF:append:mips64 = " --without-hardening"
+
+# Work around ICE on powerpc64le starting in 9.6p1
+EXTRA_OECONF:append:powerpc64le = " --without-hardening"
+
+# Since we do not depend on libbsd, we do not want configure to use it
+# just because it finds libutil.h.  But, specifying --disable-libutil
+# causes compile errors, so...
+CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no"
+
+# passwd path is hardcoded in sshd
+CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
+
+# We don't want to depend on libblockfile
+CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+
+do_configure:prepend () {
+	export LD="${CC}"
+	install -m 0644 ${WORKDIR}/sshd_config ${B}/
+	install -m 0644 ${WORKDIR}/ssh_config ${B}/
+}
+
+do_compile_ptest() {
+	oe_runmake regress-binaries regress-unit-binaries
+}
+
+do_install:append () {
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
+	fi
+
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
+		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
+	fi
+
+	install -d ${D}${sysconfdir}/init.d
+	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
+	rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
+	rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
+	install -d ${D}/${sysconfdir}/default/volatiles
+	install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+	install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
+
+	# Create config files for read-only rootfs
+	install -d ${D}${sysconfdir}/ssh
+	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+	echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+	echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+	echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+
+	install -d ${D}${systemd_system_unitdir}
+	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
+	    install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+	    install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+	    sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+		    -e 's,@SBINDIR@,${sbindir},g' \
+		    -e 's,@BINDIR@,${bindir},g' \
+		    -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+            ${D}${systemd_system_unitdir}/sshd.socket
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
+	    install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+	fi
+	install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+		-e 's,@SBINDIR@,${sbindir},g' \
+		-e 's,@BINDIR@,${bindir},g' \
+		-e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+		${D}${systemd_system_unitdir}/*.service
+
+	sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+		${D}${sysconfdir}/init.d/sshd
+
+	install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+}
+
+do_install_ptest () {
+	sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
+	cp -r regress ${D}${PTEST_PATH}
+	cp config.h ${D}${PTEST_PATH}
+}
+
+ALLOW_EMPTY:${PN} = "1"
+
+PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
+FILES:${PN}-scp = "${bindir}/scp.${BPN}"
+FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
+FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sftp = "${bindir}/sftp"
+FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
+FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
+FILES:${PN}-keygen = "${bindir}/ssh-keygen"
+
+RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
+RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
+# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
+
+RPROVIDES:${PN}-ssh = "ssh"
+RPROVIDES:${PN}-sshd = "sshd"
+
+RCONFLICTS:${PN} = "dropbear"
+RCONFLICTS:${PN}-sshd = "dropbear"
+
+CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
+CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+
+ALTERNATIVE_PRIORITY = "90"
+ALTERNATIVE:${PN}-scp = "scp"
+ALTERNATIVE:${PN}-ssh = "ssh"
+
+BBCLASSEXTEND += "nativesdk"