hiba: Add initial recipe for hiba #597
kraj left a comment
Also squash changes into a single commit.
OK, I will wait for the openssh changes to be merged before considering this patch.
Updated the change to install an internal version of OpenSSH to get the library required based on the comments in this discussion: https://lists.openembedded.org/g/openembedded-core/topic/94475279#172977
| git clone "${OPENSSH_SRC_URI}" | ||
| cd openssh-portable | ||
| git checkout "${OPENSSH_SRCREV}" | ||
| autoreconf |
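Review bot: `git clone "${OPENSSH_SRC_URI}"` on the first line fetches OpenSSH over the network from inside a task body, so this source bypasses the recipe's SRC_URI/SRCREV handling: it is not cached in DL_DIR, cannot be served from a mirror, and the pin to `${OPENSSH_SRCREV}` is only applied by the later `git checkout`. The `cd openssh-portable` that follows also makes the step non-repeatable, because a second run finds the directory already present and the clone fails. Declare OpenSSH as a second named entry in SRC_URI with its own SRCREV and keep only `autoreconf` in the task.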
Shouldn't this go better in a do_fetch:append()?
And I believe this can even be done in a more idiomatic way:
```
LIC_FILES_CHKSUM_hiba = "file://${S}/LICENSE;md5=7e161abe9a4585310725dd86c28d1ae2"
LIC_FILES_CHKSUM_openssh = "file://${S}/LICENSE;md5=7e161abe9a4585310725dd86c28d1ae2"
# Both trees go through the fetcher; name= ties each entry to its SRCREV_<name>.
SRC_URI = " \
    git://github.com/google/hiba;protocol=https;branch=main;destsuffix=git/hiba;name=hiba \
    git://github.com/openssh/openssh-portable.git;protocol=https;branch=master;destsuffix=git/openssh-portable;name=openssh \
"
SRCREV_hiba = "3199239c6a0a89dbd8f155204f44798c78195ab0"
SRCREV_openssh = "0ffb46f2ee2ffcc4daf45ee679e484da8fcf338c"
SRC_URI[hiba.sha256sum] = "79154c8cc144905d552540ef7b395289a029a43ac262bb913b99f475d6da1bec"
SRC_URI[openssh.sha256sum] = "f7a2969530cc025dbbe17b40c1413693e5b57cee04a194ba932b6b2465860bba"
# Name both sources so the version string reflects either revision.
SRCREV_FORMAT = "hiba_openssh"
PV = "1.0+git${SRCPV}"
```
Actually, never mind. Still some failures.
I believe you still need the SRC_URI[xxx.sha256sum] variables set
Is it working now? I still do not see SRC_URI checksums for hiba and OpenSSH. Is it expected?
706db84 to 12629d7
Friendly ping.
| git clone "${OPENSSH_SRC_URI}" | ||
| cd openssh-portable | ||
| git checkout "${OPENSSH_SRCREV}" | ||
| autoreconf |
I believe you still need the SRC_URI[xxx.sha256sum] variables set
1bc9bb3 to 108e1f1
| do_compile_openssh() { | ||
| cd "${WORKDIR}/git/openssh-portable" | ||
| oe_runmake | ||
| cd "${S}" |
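Review bot: the working directory is switched by hand around `oe_runmake`, with `cd "${WORKDIR}/git/openssh-portable"` before it and `cd "${S}"` after it. Setting the task's `dirs` varflag, for example `do_compile_openssh[dirs] = "${WORKDIR}/git/openssh-portable"`, lets BitBake enter the directory before the function runs and makes both `cd` lines unnecessary. A comment naming which OpenSSH build output hiba needs would also help, because as written the function builds the default target of the whole tree.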
Here and above, this is probably not needed
| git clone "${OPENSSH_SRC_URI}" | ||
| cd openssh-portable | ||
| git checkout "${OPENSSH_SRCREV}" | ||
| autoreconf |
Is it working now? I still do not see SRC_URI checksums for hiba and OpenSSH. Is it expected?
| SRCREV_FORMAT = "hiba" | ||
|
|
||
| EXTRA_OECONF = " \ | ||
| --with-opensshdir=${WORKDIR}/git/openssh-portable \ |
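Review bot: `SRCREV_FORMAT = "hiba"` names only the hiba source, so if OpenSSH is fetched as a second named git entry its revision does not feed into the package version, and a bump of the OpenSSH pin alone will not change it; use a format that names both sources, such as `hiba_openssh`. In `EXTRA_OECONF`, `--with-opensshdir=${WORKDIR}/git/openssh-portable` hands configure a build-host absolute path, so check that it is not recorded in the installed binaries or generated files.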
Can this be made relative? Absolute paths are troublesome for reproducibility.
| } | ||
|
|
||
| addtask compile_openssh before do_configure after do_configure_openssh | ||
| addtask configure_openssh before do_compile_openssh after do_unpack |
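Review bot: `addtask configure_openssh before do_compile_openssh after do_unpack` orders the OpenSSH configure step only against do_unpack, so nothing guarantees it runs after do_patch or after do_prepare_recipe_sysroot, and configure can run before the recipe sysroot with the cross toolchain and build dependencies is populated. Order it after both do_patch and do_prepare_recipe_sysroot so it sees the same environment as the stock do_configure.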
do_configure should be added after do_patch instead of do_unpack; that way you can apply patches as needed to openssh in future.
Discussion to install the HIBA Internal OpenSSH to fetch dependencies can be found in https://lists.openembedded.org/g/openembedded-core/topic/94475279#172977

HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically.

This recipe allows us to manage SSH to production machines easily and not rely on authorized keys.

Tested: This copy of the recipe was used and tested internally to be working properly. Ran the local-setup.sh and works fine on a BMC.

```
$ ssh -F /tmp/tmp.w8itTW/ssh_config -p 2201 root@localhost
#####################################################
# setup-local.sh #
# Host Identity Based Authorization SSHD example. #
#####################################################
prodHost: limited access
Connection to localhost closed.
$ ssh -F /tmp/tmp.w8itTW/ssh_config -p 2202 root@localhost
#####################################################
# setup-local.sh #
# Host Identity Based Authorization SSHD example. #
#####################################################
Last login: Thu Jan 1 00:47:28 1970 from ::1
```

Signed-off-by: Willy Tu <wltu@google.com>

Discussion to install the HIBA Internal OpenSSH to fetch dependencies
can be found in
https://lists.openembedded.org/g/openembedded-core/topic/94475279#172977
HIBA is a system built on top of regular OpenSSH certificate-based
authentication that allows to manage flexible authorization of
principals on pools of target hosts without the need to push customized
authorized_users files periodically.
This recipe allows us to manage SSH to production machines easily and not
rely on authorized keys.
Added a bbappend to OpenSSH to install the headers + lib that is needed to build
hiba repo. Installing directly in OpenSSH is work in progress.
Tested:
Ran the local-setup.sh and works fine on a BMC.