diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 990973c32b..c86d6d05e1 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest @@ -1,7 +1,10 @@ -DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5 -DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1 -DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf -DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531 -DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5 -DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70 -DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd +DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f +DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a +DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 +DIST openssh-9.2_p1-X509-glue-14.1.patch.xz 900 BLAKE2B 1cfde24cdd636390bcd9b546da182b0848d637c366ff387f045e8d9158e94ff9577c0dff9d87a552208a56aac4ae8319bb17fd772719a7aa2cbc8baf2bfe59fc SHA512 b3f87fb0c339ffe627b347b4cc56fc6a056e5e9a4f23481bb18fc55262e1de3f0394d2f7a85c4fa120f74616a5872cf6628118bcda6973dfa9baec8d7e0e65b1 +DIST openssh-9.2_p1-hpn-15.2-X509-14.1-glue.patch.xz 6040 BLAKE2B d032d1f03ab1bd310af055a452375e6b85ebe40f3d09effdfb07085981155b751c6fdc74a9ee10afe807c2cd10be3444baf712eb0b211bdaff4dc43dc4f65938 SHA512 696f5ee26eeef7a1d56c212eb8bf7c7a568ded2a576eddae92b98b9b3b6bd5bd66e0944b9328e93ec4d55d16f72215a13c25d27de81f75aaae8fdbe68e3df51e +DIST openssh-9.2_p1-hpn-15.2-glue.patch.xz 4172 BLAKE2B 7bec61008f02c07bf24112995066bcd434820354155eb022ffa550baa8f7be896d915423698427ec921473190eb8e83739d2ceff04f79967759fc82b74435dac SHA512 c669a70611479f4ee0f3ba8417afc052f0212cb2d338c524fb3bf6c52a1bf3ca78fe78ab04118de5aa472a10d30b95f084c3ed00a542a8b3d0f541f8ea3f26af +DIST openssh-9.2p1+x509-14.1.diff.gz 1210737 BLAKE2B 6b1cb2392c3fdbc7627b44a055da7662c686786cddaefcdf63f33fa92c1d97a5fb9ff54d03b7aef700715baa44f4485ad2dd73f59aac5b19617597832e135773 SHA512 88ba0dfd6e7eddf06e47d27299ee900dd1a9dc24df706bde51231b290f666848935204281577a9e47267939e7ee852f7232caaccdae6ac3eb503e53c075e630d +DIST openssh-9.2p1-sctp-1.2.patch.xz 6828 BLAKE2B 8a57b85ce5d18dca34ef71b486f2f24bbc82f6bf263a4f162a1222d96ef2adc469cce62f368c9192512efaa8e1e2496a7bd8f79a11698bf0118eee07a703e6ef SHA512 3713847ef7b280f8b74a1b493644152c948ce74e06c1d0bff52996647963ca156cbc845b4459bcdbd4745eb440e409af07af2f0b696c65950a8a6d7ddb46f6c8 +DIST openssh-9.2p1.tar.gz 1852380 BLAKE2B 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 SHA512 c4b79ef3a05b96bfc477ffb31f734635bffd5be213ab58e043111c3232dbe999ff24665fa1069518237cffa5126ded0dda8984e1b8f098f4f09b8c1dae20e604 +DIST openssh-9.2p1.tar.gz.asc 833 BLAKE2B 36210757aaa4ee8e6bdf4cfbb5590e6c54a617817d1657ebb446e54530d01a9e9f5559408b3d424d5efdb4ba06f0c02755637f5480dc81f9b4e32963de91087a SHA512 2a56f8946ed00fcd5a92935e090523d40b5c3747e25661d575b799b1825bf5e47a95eed5e7ed968fe042349c2c7d94d6b0e6bf2d9145b5c6ff5df2ca538d56e5 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch new file mode 100644 index 0000000000..7199227589 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch @@ -0,0 +1,18 @@ +diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 +@@ -1414,14 +1414,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index 6b4fa372..332fb486 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,5 @@ +- #define SSH_VERSION "OpenSSH_8.5" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn15v2" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch new file mode 100644 index 0000000000..6dc290d673 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch @@ -0,0 +1,13 @@ +diff --git a/kex.c b/kex.c +index 34808b5c..88d7ccac 100644 +--- a/kex.c ++++ b/kex.c +@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, + version_addendum == NULL ? "" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + oerrno = errno; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch deleted file mode 100644 index dc93182e1d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff ---- a/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:43:33.957093896 -0700 -+++ b/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:44:17.232396805 -0700 -@@ -48941,8 +48941,8 @@ - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); - --- if (gethostname(lname, MAXHOSTNAMELEN)) { --+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) { -+- if (gethostname(lname, HOST_NAME_MAX)) { -++ if (gethostname(lname, HOST_NAME_MAX) == -1) { - gss_release_oid_set(&status, &oidset); - return (-1); - } -@@ -57102,12 +57102,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -395,6 +372,8 @@ -+@@ -395,6 +372,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -78638,7 +78637,7 @@ - +if test "$sshd_type" = "pkix" ; then - + unset_arg='' - +else --+ unset_arg=none -++ unset_arg='' - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -143777,16 +143776,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h ----- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300 --+++ openssh-9.0p1+x509-13.4.1/version.h 2022-06-23 09:07:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_9.0" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4 - --- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-9.0p1+x509-13.4.1/version.m4 2022-06-23 09:07:00.000000000 +0300 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch new file mode 100644 index 0000000000..2a83ed37d1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch @@ -0,0 +1,12 @@ +diff -ur a/auth2.c b/auth2.c +--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 ++++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 +@@ -226,7 +226,7 @@ + int digest_alg; + size_t len; + u_char *hash; +- double delay; ++ double delay = 0; + + digest_alg = ssh_digest_maxbytes(); + if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch deleted file mode 100644 index 62f51a8782..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in -index dd8cdc4b7..c446f0aa2 100644 ---- a/openbsd-compat/regress/Makefile.in -+++ b/openbsd-compat/regress/Makefile.in -@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@ - CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@ - EXEEXT=@EXEEXT@ - LIBCOMPAT=../libopenbsd-compat.a --LIBS=@LIBS@ -+LIBS=@LIBS@ -lssl -lcrypto - LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) - - TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd new file mode 100644 index 0000000000..cf430371bf --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd @@ -0,0 +1,33 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress. + +#SSHD_SSD_OPTS="--wait 1000" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" + + +# Path to the ssh-keygen binary (needs to be absolute path). + +#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd new file mode 100644 index 0000000000..e91cd0116c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd @@ -0,0 +1,87 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # Make sure that the user's config isn't busted before we try + # to start the daemon (this will produce better error messages + # than if we just try to start it blindly). + # + # We always need to call checkconfig because this function will + # also generate any missing host key and you can start a + # non-running service with "restart" argument. + checkconfig || return $? +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service.1 similarity index 70% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service.1 index 6b4da9132f..a541164cd7 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service.1 @@ -1,12 +1,15 @@ [Unit] Description=OpenSSH server daemon -After=syslog.target network.target auditd.service +After=network.target auditd.service [Service] ExecStartPre=/usr/bin/ssh-keygen -A ExecStart=/usr/sbin/sshd -D -e ExecReload=/bin/kill -HUP $MAINPID KillMode=process +OOMPolicy=continue +Restart=on-failure +RestartSec=42s [Install] WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket index d19f34be86..94b9533180 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service.1 similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service.1 index ec2907b3b1..e43a457994 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service.1 @@ -1,6 +1,6 @@ [Unit] Description=OpenSSH per-connection server daemon -After=syslog.target auditd.service +After=auditd.service [Service] ExecStart=-/usr/sbin/sshd -i -e diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml index 699281fbc1..9f064cdd11 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml @@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. - Enable scp command with known security problems. See bug 733802 Enable high performance ssh Use LDNS for DNSSEC/SSHFP validation. Enable root password logins for live-cd environment. diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.1_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.2_p1-r2.ebuild similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.1_p1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.2_p1-r2.ebuild index 4af396e5fc..f228e1636c 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.1_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.2_p1-r2.ebuild @@ -1,7 +1,7 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig @@ -19,22 +19,23 @@ HPN_PATCHES=( ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff ) -HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch" +HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-glue.patch" +HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.5" +X509_VER="14.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch" -X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch" +X509_HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} ${HPN_VER:+hpn? ( - $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") + $(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz )} ${X509_PATCH:+X509? ( @@ -49,7 +50,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" @@ -123,7 +124,6 @@ PATCHES=( "${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019 "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 - "${FILESDIR}/${PN}-9.1_p1-build-tests.patch" ) pkg_pretend() { @@ -164,7 +164,7 @@ src_prepare() { # don't break .ssh/authorized_keys2 for fun sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - eapply "${PATCHES[@]}" + eapply -- "${PATCHES[@]}" [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches @@ -269,10 +269,6 @@ src_prepare() { "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" fi - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - eapply_user #473004 # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox @@ -282,8 +278,6 @@ src_prepare() { tc-export PKG_CONFIG local sed_args=( -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' # Disable fortify flags ... our gcc does this for us -e 's:-D_FORTIFY_SOURCE=2::' ) @@ -425,6 +419,8 @@ src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd @@ -441,8 +437,9 @@ src_install() { dodir /etc/skel/.ssh rmdir "${ED}"/var/empty || die - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' } pkg_preinst() { @@ -490,6 +487,14 @@ pkg_postinst() { ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" ewarn "connection is generally safe." fi + if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi done if [[ -n ${show_ssl_warning} ]]; then