[packages] add openssh-server-pam

this adds openssh-server with pam support
the user still has the change this settings in
/etc/ssh/sshd_config:

PasswordAuthentication no
UsePAM yes

to use pam. To avoid having two moduli files which is just
static data, openssh-moduli now depends on ssh-keygen.

based on patch from DkSouls

Signed-off-by: Peter Wagner <tripolar@gmx.at>


git-svn-id: svn://svn.openwrt.org/openwrt/packages@38494 3c298f89-4303-0410-b956-a3cf2f4a3e73

net/openssh/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=6.3p1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -18,6 +18,9 @@ PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.de.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/
 PKG_MD5SUM:=225e75c9856f76011966013163784038
 
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
 PKG_BUILD_DEPENDS:=libopenssl
 
 include $(INCLUDE_DIR)/package.mk
@@ -30,11 +33,12 @@ define Package/openssh/Default
   MAINTAINER:=Peter Wagner <tripolar@gmx.at>
   URL:=http://www.openssh.com/
   SUBMENU:=SSH
+  VARIANT:=without-pam
 endef
 
 define Package/openssh-moduli
   $(call Package/openssh/Default)
-  DEPENDS+= +openssh-server
+  DEPENDS+= +openssh-keygen
   TITLE+= moduli file
 endef
 
@@ -42,7 +46,6 @@ define Package/openssh-moduli/description
 OpenSSH server moduli file.
 endef
 
-
 define Package/openssh-client
   $(call Package/openssh/Default)
   TITLE+= client
@@ -89,6 +92,23 @@ define Package/openssh-server/conffiles
 /etc/ssh/sshd_config
 endef
 
+define Package/openssh-server-pam
+  $(call Package/openssh/Default)
+  DEPENDS+= +libpthread +openssh-keygen +libpam
+  TITLE+= server (with PAM support)
+  VARIANT:=with-pam
+endef
+
+define Package/openssh-server-pam/description
+OpenSSH server (with PAM support).
+endef
+
+define Package/openssh-server-pam/conffiles
+/etc/pam.d/sshd
+/etc/security/access-sshd-local.conf
+/etc/ssh/sshd_config
+endef
+
 define Package/openssh-sftp-client
   $(call Package/openssh/Default)
   TITLE+= SFTP client
@@ -124,9 +144,16 @@ CONFIGURE_ARGS+= \
 	--disable-wtmpx \
 	--without-bsd-auth \
 	--without-kerberos5 \
-	--without-pam \
 	--without-x
 
+ifeq ($(BUILD_VARIANT),with-pam)
+CONFIGURE_ARGS += \
+	--with-pam
+else
+CONFIGURE_ARGS += \
+	--without-pam
+endif
+
 ifeq ($(CONFIG_OPENSSL_ENGINE),y)
 CONFIGURE_ARGS+= \
 	--with-ssl-engine
@@ -139,6 +166,10 @@ endif
 
 CONFIGURE_VARS += LD="$(TARGET_CC)"
 
+ifeq ($(BUILD_VARIANT),with-pam)
+TARGET_LDFLAGS += -lpthread
+endif
+
 define Build/Compile
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		DESTDIR="$(PKG_INSTALL_DIR)" \
@@ -152,7 +183,7 @@ endef
 
 define Package/openssh-moduli/install
 	$(INSTALL_DIR) $(1)/etc/ssh
-	$(CP) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/
 endef
 
 define Package/openssh-client/install
@@ -178,7 +209,21 @@ endef
 define Package/openssh-server/install
 	$(INSTALL_DIR) $(1)/etc/ssh
 	chmod 0700 $(1)/etc/ssh
-	$(CP) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/
+endef
+
+define Package/openssh-server-pam/install
+	$(INSTALL_DIR) $(1)/etc/ssh
+	chmod 0700 $(1)/etc/ssh
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
+	$(INSTALL_DIR) $(1)/etc/pam.d
+	$(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd
+	$(INSTALL_DIR) $(1)/etc/security
+	$(INSTALL_DATA) ./files/sshd.pam-access $(1)/etc/security/access-sshd-local.conf
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
 	$(INSTALL_DIR) $(1)/usr/sbin
@@ -202,5 +247,6 @@ $(eval $(call BuildPackage,openssh-moduli))
 $(eval $(call BuildPackage,openssh-client-utils))
 $(eval $(call BuildPackage,openssh-keygen))
 $(eval $(call BuildPackage,openssh-server))
+$(eval $(call BuildPackage,openssh-server-pam))
 $(eval $(call BuildPackage,openssh-sftp-client))
 $(eval $(call BuildPackage,openssh-sftp-server))

net/openssh/files/sshd.pam

@@ -0,0 +1,41 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth       required     pam_env.so
+
+# Skip Google Authenticator if logging in from the local network.
+# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
+# Google Authenticator 2-step verification.
+# auth       requisite    pam_google_authenticator.so
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account    required     pam_access.so
+
+# Standard Un*x authorization.
+account    include      common-account
+
+# Standard Un*x session setup and teardown.
+session    include      common-session
+
+# Print the message of the day upon successful login.
+session    optional     pam_motd.so
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session    required     pam_selinux.so multiple
+
+# Standard Un*x password updating.
+password   include      common-password

net/openssh/files/sshd.pam-access

@@ -0,0 +1,4 @@
+# Skip Google Authenticator for local network
+#+ : ALL : 192.168.1.0/24
++ : ALL : LOCAL
+- : ALL : ALL