overlay coreos-base/misc-files: Import Flatcar modifications for openssh

- Import and update configs for ssh client and daemon from the flatcar/init repository. These configs have now became snippets that the main configuration file will include. - Install a drop-in file for the ssh.socket unit disabling the rate limiting. - Install compatibility symlinks in old ssh config locations that will point to respective files in /usr/share/flatcar/etc. - Make all these actions optional - openssh USE flag needs to be enabled. That way, generic images can pull those changes, while SDK can avoid doing so.
2025-08-10 06:26:57 +02:00 · 2023-06-19 17:16:12 +02:00 · 2023-06-19 17:16:12 +02:00 · af874a04e2
commit af874a04e2
parent 50cb35e9b3
4 changed files with 67 additions and 2 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf
@ -0,0 +1 @@
+# Use defaults for ssh client system-wide configuration.
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf
@ -0,0 +1,26 @@
+# Use most defaults for sshd configuration.
+Subsystem sftp internal-sftp
+ClientAliveInterval 180
+
+# These are either defaults or already set up by config generated by
+# the Gentoo ebuild. But we need to keep them, as the older
+# installations may still use the old symlink from
+# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
+#
+# BEGIN SETTINGS KEPT FOR COMPATIBILITY
+UseDNS no
+UsePAM yes
+# handled by PAM
+PrintLastLog no
+# handled by PAM
+PrintMotd no
+# END SETTINGS KEPT FOR COMPATIBILITY
+
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
+# until most ssh clients could deprecate ssh-rsa.
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
@ -0,0 +1,2 @@
+[Socket]
+TriggerLimitBurst=0
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild
@ -4,7 +4,7 @@
 EAPI=8

 TMPFILES_OPTIONAL=1
-inherit tmpfiles
+inherit systemd tmpfiles

 DESCRIPTION='Flatcar miscellaneous files'
 HOMEPAGE='https://www.flatcar.org/'
@ -12,13 +12,24 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
+IUSE="openssh"

 # No source directory.
 S="${WORKDIR}"

+# Versions listed below are version of packages that shedded the
+# modifications in their ebuilds.
+#
+# net-misc/openssh must be installed on host for enabling its unit to
+# work during installation.
+DEPEND="
+	openssh? ( >=net-misc/openssh-9.4_p1 )
+"
+
 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
+	${DEPEND}
 	>=app-shells/bash-5.2_p15-r2
 "

@ -56,7 +67,7 @@ src_install() {
    # /etc will be moved in its place.
    #
    # These links exist because old installations can still have
-    # references to `/usr/share/(bash|skel)`.
+    # references to them.
    local -A compat_symlinks
    compat_symlinks=(
        ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout'
@ -68,6 +79,12 @@ src_install() {
        ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
        ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
    )
+    if use openssh; then
+        compat_symlinks+=(
+            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+        )
+    fi

    local link target
    for link in "${!compat_symlinks[@]}"; do
@ -106,4 +123,23 @@ src_install() {
        dosym "${target}" "${link}"
        fowners --no-dereference 500:500 "${link}"
    done
+
+    if use openssh; then
+        # Install our configuration snippets.
+        insinto /etc/ssh/ssh_config.d
+        doins "${FILESDIR}/50-flatcar-ssh.conf"
+        insinto /etc/ssh/sshd_config.d
+        doins "${FILESDIR}/50-flatcar-sshd.conf"
+
+        # Install our socket drop-in file that disables the rate
+        # limiting on the sshd socket.
+        local override_dir
+        override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
+        dodir "${override_dir}"
+        insinto "${override_dir}"
+        doins "${FILESDIR}/no-trigger-limit-burst.conf"
+
+        # Enable some sockets that aren't enabled by their own ebuilds.
+        systemd_enable_service sockets.target sshd.socket
+    fi
 }
				`@ -0,0 +1 @@`
				`# Use defaults for ssh client system-wide configuration.`