Merge pull request #945 from flatcar/krnowak/move-openssh

Move net-misc/openssh from overlay to portage-stable, configuration changes

changelog/changes/2023-09-29-openssh-update.md

@@ -0,0 +1 @@
+- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively.

changelog/updates/2023-09-29-openssh-update.md

@@ -0,0 +1 @@
+- openssh ([9.4p1](https://www.openssh.com/releasenotes.html#9.4p1))

sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch

@@ -1,4 +1,4 @@
-From 90b28746c0d8698a080eb7082e0e14054aee0a02 Mon Sep 17 00:00:00 2001
+From dd1512513b407e23155f58400cacecac8576d6f9 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Mon, 27 Feb 2023 15:59:21 +0100
 Subject: [PATCH] flatcar changes
@@ -7,12 +7,12 @@ Subject: [PATCH] flatcar changes
  azurelinuxagent/common/osutil/coreos.py       |  39 +-----
  azurelinuxagent/common/osutil/coreoscommon.py |  57 ++++++++
  azurelinuxagent/common/osutil/factory.py      |   3 +
- azurelinuxagent/common/osutil/flatcar.py      |  41 ++++++
+ azurelinuxagent/common/osutil/flatcar.py      |  60 +++++++++
  config/flatcar/waagent.conf                   | 122 ++++++++++++++++++
  init/flatcar/10-waagent-sysext.conf           |   2 +
  init/flatcar/waagent.service                  |  30 +++++
  setup.py                                      |  20 ++-
- 8 files changed, 272 insertions(+), 42 deletions(-)
+ 8 files changed, 291 insertions(+), 42 deletions(-)
  create mode 100644 azurelinuxagent/common/osutil/coreoscommon.py
  create mode 100644 azurelinuxagent/common/osutil/flatcar.py
  create mode 100644 config/flatcar/waagent.conf
@@ -164,10 +164,10 @@ index b5ee0b09..9280c645 100644
      if distro_name in ("suse", "sle_hpc", "sles", "opensuse"):
 diff --git a/azurelinuxagent/common/osutil/flatcar.py b/azurelinuxagent/common/osutil/flatcar.py
 new file mode 100644
-index 00000000..3d1bf535
+index 00000000..bf739a8e
 --- /dev/null
 +++ b/azurelinuxagent/common/osutil/flatcar.py
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,60 @@
 +#
 +# Copyright 2023 Microsoft Corporation
 +#
@@ -187,13 +187,16 @@ index 00000000..3d1bf535
 +#
 +
 +import os
++import os.path
 +import shutil
++import stat
 +
 +import azurelinuxagent.common.conf as conf
++import azurelinuxagent.common.logger as logger
++import azurelinuxagent.common.utils.fileutil as fileutil
 +
 +from azurelinuxagent.common.osutil.coreoscommon import CoreosCommonUtil
 +
-+
 +class FlatcarUtil(CoreosCommonUtil):
 +
 +    @staticmethod
@@ -201,14 +204,30 @@ index 00000000..3d1bf535
 +        return "/usr/lib/systemd/system"
 +
 +    def conf_sshd(self, disable_password):
-+        # make sure that the config file stops being a symlink
-+        conf_file_path = conf.get_sshd_conf_file_path()
-+        conf_file_path2 = f"{conf_file_path}.wal.tmp"
-+        shutil.copy(conf_file_path, conf_file_path2)
-+        os.remove(conf_file_path)
-+        os.rename(conf_file_path2, conf_file_path)
-+        super(CoreosCommonUtil, self).conf_sshd(disable_password)
-+        pass
++        ssh_dir = conf.get_ssh_dir()
++        snippet_dir = os.path.join(ssh_dir, "sshd_config.d")
++        statinfo = os.lstat(snippet_dir)
++        if stat.S_ISDIR(statinfo.st_mode):
++            # This adds a configuration snippet that will be loaded by
++            # openssh.
++            snippet_file = os.path.join(snippet_dir, "80-flatcar-walinuxagent.conf")
++            option = "no" if disable_password else "yes"
++            lines = [
++                f"PasswordAuthentication {option}",
++                f"ChallengeResponseAuthentication {option}",
++                f"ClientAliveInterval {str(conf.get_ssh_client_alive_interval())}"
++            ]
++            fileutil.write_file(snippet_file, "\n".join(lines))
++            logger.info("Added a configuration snippet {0} SSH password-based authentication methods. It also configures SSH client probing to keep connections alive."
++                        .format("disabling" if disable_password else "enabling"))
++        else:
++            # Make sure that the config file stops being a symlink.
++            conf_file_path = conf.get_sshd_conf_file_path()
++            conf_file_path2 = f"{conf_file_path}.wal.tmp"
++            shutil.copy(conf_file_path, conf_file_path2)
++            os.remove(conf_file_path)
++            os.rename(conf_file_path2, conf_file_path)
++            super(CoreosCommonUtil, self).conf_sshd(disable_password)
 diff --git a/config/flatcar/waagent.conf b/config/flatcar/waagent.conf
 new file mode 100644
 index 00000000..b453c634

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README

@@ -1,2 +0,0 @@
-If /etc/sshd_config changes make sure to apply the change to sys-auth/google-oslogin.
-Those files must be kept in sync.

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -10,11 +10,11 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="1b5a096a4d91076d0121308caa5c7dbe40f7aafe" # flatcar-master
+	CROS_WORKON_COMMIT="22c07b1270fb2f40dedef00f0d0fb1699727d995" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
-PYTHON_COMPAT=( python3_{6..11} )
+PYTHON_COMPAT=( python3_{9..11} )
 
 inherit cros-workon systemd python-any-r1
 
@@ -24,9 +24,7 @@ SRC_URI=""
 
 LICENSE="BSD"
 SLOT="0/${PVR}"
-IUSE="test symlink-usr"
-
-REQUIRED_USE="symlink-usr"
+IUSE="test"
 
 # Daemons we enable here must installed during build/install in addition to
 # during runtime so the systemd unit enable step works.
@@ -47,9 +45,6 @@ RDEPEND="${DEPEND}
 src_install() {
 	emake DESTDIR="${D}" install
 
-	# Enable some sockets that aren't enabled by their own ebuilds.
-	systemd_enable_service sockets.target sshd.socket
-
 	# Enable some services that aren't enabled elsewhere.
 	systemd_enable_service rpcbind.target rpcbind.service
 

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf

@@ -0,0 +1 @@
+# Use defaults for ssh client system-wide configuration.

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf

@@ -0,0 +1,26 @@
+# Use most defaults for sshd configuration.
+Subsystem sftp internal-sftp
+ClientAliveInterval 180
+
+# These are either defaults or already set up by config generated by
+# the Gentoo ebuild. But we need to keep them, as the older
+# installations may still use the old symlink from
+# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
+#
+# BEGIN SETTINGS KEPT FOR COMPATIBILITY
+UseDNS no
+UsePAM yes
+# handled by PAM
+PrintLastLog no
+# handled by PAM
+PrintMotd no
+# END SETTINGS KEPT FOR COMPATIBILITY
+
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
+# until most ssh clients could deprecate ssh-rsa.
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf

@@ -0,0 +1,2 @@
+[Socket]
+TriggerLimitBurst=0

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild

@@ -4,7 +4,7 @@
 EAPI=8
 
 TMPFILES_OPTIONAL=1
-inherit tmpfiles
+inherit systemd tmpfiles
 
 DESCRIPTION='Flatcar miscellaneous files'
 HOMEPAGE='https://www.flatcar.org/'
@@ -12,13 +12,24 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
+IUSE="openssh"
 
 # No source directory.
 S="${WORKDIR}"
 
+# Versions listed below are version of packages that shedded the
+# modifications in their ebuilds.
+#
+# net-misc/openssh must be installed on host for enabling its unit to
+# work during installation.
+DEPEND="
+	openssh? ( >=net-misc/openssh-9.4_p1 )
+"
+
 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
+	${DEPEND}
 	>=app-shells/bash-5.2_p15-r2
 "
 
@@ -56,7 +67,7 @@ src_install() {
     # /etc will be moved in its place.
     #
     # These links exist because old installations can still have
-    # references to `/usr/share/(bash|skel)`.
+    # references to them.
     local -A compat_symlinks
     compat_symlinks=(
         ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout'
@@ -68,6 +79,12 @@ src_install() {
         ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
         ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
     )
+    if use openssh; then
+        compat_symlinks+=(
+            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do
@@ -106,4 +123,23 @@ src_install() {
         dosym "${target}" "${link}"
         fowners --no-dereference 500:500 "${link}"
     done
+
+    if use openssh; then
+        # Install our configuration snippets.
+        insinto /etc/ssh/ssh_config.d
+        doins "${FILESDIR}/50-flatcar-ssh.conf"
+        insinto /etc/ssh/sshd_config.d
+        doins "${FILESDIR}/50-flatcar-sshd.conf"
+
+        # Install our socket drop-in file that disables the rate
+        # limiting on the sshd socket.
+        local override_dir
+        override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
+        dodir "${override_dir}"
+        insinto "${override_dir}"
+        doins "${FILESDIR}/no-trigger-limit-burst.conf"
+
+        # Enable some sockets that aren't enabled by their own ebuilds.
+        systemd_enable_service sockets.target sshd.socket
+    fi
 }

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin

@@ -13,8 +13,13 @@ if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf
 	exit 0
 fi
 
-if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
-	echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
+if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
+	echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
+	exit 0
+fi
+
+if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
+	echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
 	exit 0
 fi
 
@@ -25,6 +30,6 @@ mkdir -m 0750 -p '/var/lib/google-sudoers.d'
 mkdir -m 0750 -p '/var/lib/google-users.d'
 ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
 ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
-ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
+ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
 ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
 ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'

sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh

@@ -1,12 +1,9 @@
-# We install these with our chromeos-base package.
+# Do not install the setuid file in production images.
+#
+# Do not install the config snippet that defines a subsystem. We have
+# our own definition in coreos-init.
 if [[ $(cros_target) != "cros_host" ]] ; then
-	openssh_mask="
-		/etc/ssh/ssh_config
-		/etc/ssh/sshd_config
-		/etc/ssh/ssh_config.d
-		/etc/ssh/sshd_config.d
-		/usr/lib*/misc/ssh-keysign
-	"
+	openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf"
 	PKG_INSTALL_MASK+=" ${openssh_mask}"
 	INSTALL_MASK+=" ${openssh_mask}"
 	unset openssh_mask

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest

@@ -1,2 +1,2 @@
-DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
-DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
+DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
+DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch

@@ -1,11 +0,0 @@
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- 		gss_create_empty_oid_set(&status, &oidset);
- 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
--		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+		if (gethostname(lname, HOST_NAME_MAX)) {
- 			gss_release_oid_set(&status, &oidset);
- 			return (-1);
- 		}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch

@@ -1,58 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=3548
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
- 	if (headerver == libver)
- 		return 1;
- 
--	/* for versions < 1.0.0, major,minor,fix,status must match */
--	if (headerver < 0x1000000f) {
--		mask = 0xfffff00fL; /* major,minor,fix,status */
--		return (headerver & mask) == (libver & mask);
-+	/*
-+	 * For versions < 3.0.0, major,minor,status must match and library
-+	 * fix version must be equal to or newer than the header.
-+	 */
-+	if (headerver < 0x3000000f) {
-+		mask = 0xfff0000fL; /* major,minor,status */
-+		hfix = (headerver & 0x000ff000) >> 12;
-+		lfix = (libver & 0x000ff000) >> 12;
-+		if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
-+			return 1;
- 	}
- 
- 	/*
--	 * For versions >= 1.0.0, major,minor,status must match and library
--	 * fix version must be equal to or newer than the header.
-+	 * For versions >= 3.0.0, major must match and minor,status must be
-+	 * equal to or greater than the header.
- 	 */
--	mask = 0xfff00000L; /* major,minor,status */
--	hfix = (headerver & 0x000ff000) >> 12;
--	lfix = (libver & 0x000ff000) >> 12;
-+	mask = 0xf000000fL; /* major, status */
-+	hfix = (headerver & 0x0ffffff0L) >> 12;
-+	lfix = (libver & 0x0ffffff0L) >> 12;
- 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
- 		return 1;
- 	return 0;
---- a/openbsd-compat/regress/opensslvertest.c
-+++ b/openbsd-compat/regress/opensslvertest.c
-@@ -31,7 +31,7 @@ struct version_test {
- 	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
- 	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
- 	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
--	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
-+	{ 0x0090802fL, 0x0090902fL, 1},	/* newer library minor version: ok */
- 	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
- 	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
- 
-@@ -41,7 +41,7 @@ struct version_test {
- 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
- 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
- 	{ 0x1000101fL, 0x1000001fL, 0},	/* older library fix version: NO */
--	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
-+	{ 0x1000101fL, 0x1010101fL, 1},	/* newer library minor version: ok */
- 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
- 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
- };

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch

@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/912766
+https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
+
+From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sat, 19 Aug 2023 07:39:08 +1000
+Subject: [PATCH] Fix zlib version check for 1.3 and future version.
+
+bz#3604.
+--- a/configure.ac
++++ b/configure.ac
+@@ -1464,7 +1464,7 @@ else
+ 	[[
+ 	int a=0, b=0, c=0, d=0, n, v;
+ 	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+-	if (n != 3 && n != 4)
++	if (n < 1)
+ 		exit(1);
+ 	v = a*1000000 + b*10000 + c*100 + d;
+ 	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket

@@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
-TriggerLimitBurst=0
 
 [Install]
 WantedBy=sockets.target

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild

@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
 
@@ -86,8 +86,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
 	"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
 	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
-	"${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044
-	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+	"${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766
 )
 
 pkg_pretend() {
@@ -100,6 +99,9 @@ pkg_pretend() {
 	done
 
 	if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
+		# Skip for binary packages entirely because of environment saving, bug #907892
+		[[ ${MERGE_TYPE} == binary ]] && return
+
 		ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
 		ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
 		ewarn "since these USE flags required third-party patches that often trigger bugs"
@@ -228,7 +230,7 @@ src_test() {
 }
 
 insert_include() {
-	local src_config=${1} options=${2} includedir=${3}
+	local src_config="${1}" options="${2}" includedir="${3}"
 	local name copy regexp_options regexp lineno comment_options
 
 	name=${src_config##*/}

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -58,6 +58,9 @@
 # Required for addressing CVE-2023-38039.
 =net-misc/curl-8.3.0 ~amd64 ~arm64
 
+# Required to allow us to override the sftp subsystem in sshd config.
+=net-misc/openssh-9.4_p1 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =net-nds/openldap-2.6.4-r1 ~amd64
 =sec-policy/selinux-base-2.20200818-r3 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -6,6 +6,10 @@ app-admin/sudo		ldap sssd
 app-editors/vim		minimal -crypt
 # minimal: Don't pull app-vim/gentoo-syntax
 app-editors/vim-core	minimal
+
+# Install our modifications and compatibility symlinks for ssh
+coreos-base/misc-files openssh
+
 dev-lang/python		gdbm
 dev-libs/dbus-glib	tools
 dev-libs/elfutils	-utils

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf

@@ -0,0 +1,3 @@
+# Needed for google oslogin
+AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommandUser root

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config

@@ -1,5 +1,7 @@
+# This is an old SSHD config file, unused in new Flatcar
+# installations. We provide it for backward compatibility.
+
 # Use most defaults for sshd configuration.
-# Keep this in sync with coreos/init/configs/sshd_config
 Subsystem sftp internal-sftp
 ClientAliveInterval 180
 UseDNS no

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild

@@ -49,6 +49,7 @@ src_install() {
 	# config files the base Ignition config will create links to
 	insinto /usr/share/google-oslogin
 	doins "${FILESDIR}/sshd_config"
+	doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
 	doins "${FILESDIR}/nsswitch.conf"
 	doins "${FILESDIR}/pam_sshd"
 	doins "${FILESDIR}/oslogin-sudoers"