From 2bd00ef7899654dd43f9c8c1decd1378cae16352 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson
Date: Wed, 26 Mar 2025 18:57:52 +0100
Subject: [PATCH] openssh: add FIDO U2F and FIDO2 hardware token support
Add openssh-sk-helper package containing ssh-sk-helper. The helper can be used by openssh-client, openssh-sftp-client, and openssh-keygen to access `ecdsa_sk` and `ed25519_sk keys provided by a FIDO U2F or FIDO2 hardware token connected over USB.
Close #24509
Signed-off-by: Mikael Magnusson
---
 net/openssh/Makefile | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 5897768e97..6ad92a5b4f 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_REALVERSION:=9.9p2
 PKG_VERSION:=9.9_p2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_REALVERSION).tar.gz
 PKG_SOURCE_URL:=https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -159,6 +159,18 @@ define Package/openssh-sftp-avahi-service/conffiles
 /etc/avahi/services/sftp-ssh.service
 endef
+define Package/openssh-sk-helper
+ $(call Package/openssh/Default)
+ DEPENDS+= +libopenssl +zlib +libfido2
+ TITLE+= helper for FIDO U2F and FIDO2 hardware token support
+endef
+
+define Package/openssh-sk-helper/description
+OpenSSH helper that can be used by openssh-client, openssh-sftp-client,
+and openssh-keygen to access `ecdsa_sk` and `ed25519_sk keys
+provided by a FIDO U2F or FIDO2 hardware token over USB.
+endef
+
 CONFIGURE_ARGS += \
 --sysconfdir=/etc/ssh \
 --with-privsep-user=sshd \
@@ -174,6 +186,7 @@ CONFIGURE_ARGS += \
 --without-kerberos5 \
 --with-stackprotect \
 --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
+ --with$(if $(CONFIG_PACKAGE_openssh-sk-helper),,out)-security-key-builtin \
 --with-cflags-after=-fzero-call-used-regs=skip
 ifeq ($(BUILD_VARIANT),with-pam)
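Review bot: In the `Package/openssh-sk-helper/description` block (hunk `@@ -159,6 +159,18 @@`) the key types are written `ecdsa_sk` and `ed25519_sk`, while OpenSSH names them with a hyphen (`ecdsa-sk`, `ed25519-sk`, the values accepted by `ssh-keygen -t`), and the backtick opened before `ed25519_sk` is never closed. I would change that line to read `and openssh-keygen to access ecdsa-sk and ed25519-sk keys`, with each type name in its own backticks. Since the helper ships as a separate package, the description could also state that it has to be installed next to the client packages for security-key operations to work; whether those packages reference it in their own DEPENDS is outside the hunks shown.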
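Review bot: The added `--with$(if $(CONFIG_PACKAGE_openssh-sk-helper),,out)-security-key-builtin` line (hunk `@@ -174,6 +186,7 @@`) makes the configure result depend on `CONFIG_PACKAGE_openssh-sk-helper`, and none of the visible hunks registers that symbol for rebuild tracking. Unless it is already listed outside the diff, add `PKG_CONFIG_DEPENDS += CONFIG_PACKAGE_openssh-sk-helper`, so that selecting the package on an existing build tree reconfigures OpenSSH instead of packaging a helper that was built without the libfido2 provider. A one-line comment above the `CONFIGURE_ARGS` entry saying that the built-in provider is only compiled when the helper package is selected would make the coupling explicit. The `CONFIGURE_ARGS` assignment itself starts before this hunk.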
@@ -220,6 +233,11 @@ define Package/openssh-keygen/install
 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ssh-keygen $(1)/usr/libexec/ssh-keygen-openssh
 endef
+define Package/openssh-sk-helper/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ssh-sk-helper $(1)/usr/lib/
+endef
+
 define Package/openssh-server/install
 install -d -m0700 $(1)/etc/ssh $(1)/etc/ssh/sshd_config.d
 $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
@@ -265,6 +283,7 @@ $(eval $(call BuildPackage,openssh-client))
 $(eval $(call BuildPackage,openssh-moduli))
 $(eval $(call BuildPackage,openssh-client-utils))
 $(eval $(call BuildPackage,openssh-keygen))
+$(eval $(call BuildPackage,openssh-sk-helper))
 $(eval $(call BuildPackage,openssh-server))
 $(eval $(call BuildPackage,openssh-server-pam))
 $(eval $(call BuildPackage,openssh-sftp-client))
-- 
2.30.2
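Review bot: `Package/openssh-sk-helper/install` (hunk `@@ -220,6 +233,11 @@`) places the helper in `/usr/lib`, and nothing in the hunk records that this must stay identical to the path the client binaries were compiled to execute. A comment above the define, such as `# ssh, ssh-keygen and ssh-agent exec the helper from the configured libexecdir; keep this path in sync`, would document that. The staged source path `$(PKG_INSTALL_DIR)/usr/lib/ssh-sk-helper` suggests libexecdir is `/usr/lib` in this build, but the configure setting that fixes it is outside the diff, so that is inferred.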