From 135893168bfe231950472e052e963efa1012e2a9 Mon Sep 17 00:00:00 2001
From: Willy Tu
Date: Sat, 27 Aug 2022 19:53:37 +0000
Subject: [PATCH] hiba: Add initial recipe for hiba
Discussion to install the HIBA Internal OpenSSH to fetch dependencies can be found in https://lists.openembedded.org/g/openembedded-core/topic/94475279#172977 HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically. This recipe allow us to manage SSH to production machines easily and not rely on authorized keys. Tested: Ran the local-setup.sh and works fine on a BMC. ``` $ ssh -F /tmp/tmp.w8itTW/ssh_config -p 2201 root@localhost ##################################################### # setup-local.sh # # Host Identity Based Authorization SSHD example. # ##################################################### prodHost: limited access Connection to localhost closed. $ ssh -F /tmp/tmp.w8itTW/ssh_config -p 2202 root@localhost ##################################################### # setup-local.sh # # Host Identity Based Authorization SSHD example. # ##################################################### Last login: Thu Jan 1 00:47:28 1970 from ::1 ```
Signed-off-by: Willy Tu
---
meta-oe/recipes-connectivity/hiba/hiba_git.bb | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 meta-oe/recipes-connectivity/hiba/hiba_git.bb
diff --git a/meta-oe/recipes-connectivity/hiba/hiba_git.bb b/meta-oe/recipes-connectivity/hiba/hiba_git.bb
new file mode 100644
index 00000000000..569059bba2e
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hiba/hiba_git.bb
@@ -0,0 +1,52 @@
+SUMMARY = "Google Host Identity Based Authorization"
+DESCRIPTION = "HIBA is a system built on top of regular OpenSSH \
+ certificate-based authentication that allows to manage flexible \
+ authorization of principals on pools of target hosts without the need to \
+ push customized authorized_users files periodically."
+
+S = "${WORKDIR}/git"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=7e161abe9a4585310725dd86c28d1ae2"
+
+SRC_URI = "git://github.com/google/hiba;protocol=https;branch=main"
+SRCREV = "98b551e2a0297b1872851bb81b6d3a2b682778ee"
+
+# HIBA Internal OpenSSH Version (Should match the version in meta-oe).
+# Discussion in
+# https://lists.openembedded.org/g/openembedded-core/topic/94475279#172977
+OPENSSH_SRC_URI="git@github.com:openssh/openssh-portable.git"
+OPENSSH_SRCREV="15a01cf15f396f87c6d221c5a6af98331c818962"
+
+PV = "1.0+git${SRCPV}"
+
+inherit autotools
+
+DEPENDS = "openssl openssh zlib"
+
+EXTRA_OECONF = " \
+ --with-opensshdir=${WORKDIR}/openssh-portable \
+ --prefix=/usr/ \
+"
+
+# Make sure that MACHINE_FEATURES includes hiba before continuing
+do_configure:prepend(){
+ if ${@bb.utils.contains("DISTRO_FEATURES", "hiba", "false", "true", d)} ; then
+ echo "Skip building ${PN} because hiba support is disabled, It can be enabled it via DISTRO_FEATURES"
+ exit 1
+ fi
+
+ pushd "${WORKDIR}"
+ git clone "${OPENSSH_SRC_URI}"
+ cd openssh-portable
+ git checkout "${OPENSSH_SRCREV}"
+ autoreconf
+ ./configure ${CONFIGUREOPTS}
+ oe_runmake
+ popd
+}
+
+do_install:append() {
+ rm ${D}${sbindir}/hiba-ca.sh
+ rm -rf ${WORKDIR}/openssh-portable
+}
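Review bot: The OpenSSH tree is downloaded inside `do_configure:prepend` with `git clone "${OPENSSH_SRC_URI}"` instead of through `SRC_URI`, so BitBake's fetcher never sees it. The commit is still pinned by `git checkout "${OPENSSH_SRCREV}"`, but the download happens at configure time, so it bypasses mirrors and `BB_NO_NETWORK` and is likely missing from source archives and any tooling that reads `SRC_URI`. The `git@github.com:` form also needs an SSH identity with GitHub access on the builder. Declaring the repository as a second named `SRC_URI` entry unpacked to `openssh-portable` keeps the pin and moves the download into do_fetch. The `git clone` and `git checkout` lines then go away, and `branch=master` below is an assumption to confirm against the pinned commit.

```bitbake
SRC_URI = "git://github.com/google/hiba;protocol=https;branch=main;name=hiba \
           git://github.com/openssh/openssh-portable;protocol=https;branch=master;name=openssh;destsuffix=openssh-portable \
"
SRCREV_hiba = "98b551e2a0297b1872851bb81b6d3a2b682778ee"
SRCREV_openssh = "15a01cf15f396f87c6d221c5a6af98331c818962"
SRCREV_FORMAT = "hiba_openssh"

# … unchanged: PV, inherit, DEPENDS, EXTRA_OECONF …
# … do_configure:prepend: drop the git clone / git checkout lines, rest unchanged …
```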