From 21c3c57ce93454c588971592192be75a41017065 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 25 Sep 2023 16:41:34 +0200 Subject: [PATCH 01/11] net-misc/openssh: Sync with Gentoo It's from Gentoo commit 5b974a3c903327b37f46a0212bf397ef634a67fd. --- .../coreos-overlay/net-misc/openssh/Manifest | 4 +- ...openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch | 11 ---- ...-9.3_p1-openssl-version-compat-check.patch | 58 ------------------- .../files/openssh-9.3_p2-zlib-1.3.patch | 21 +++++++ .../net-misc/openssh/files/sshd.socket | 1 - ...9.3_p2-r1.ebuild => openssh-9.4_p1.ebuild} | 56 ++++-------------- 6 files changed, 34 insertions(+), 117 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.3_p2-r1.ebuild => openssh-9.4_p1.ebuild} (86%) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index c70a2636a8..570a72c142 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest 
@@ -1,2 +1,2 @@
-DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
-DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
+DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
+DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch
deleted file mode 100644
index b50ac7c001..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, HOST_NAME_MAX)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
deleted file mode 100644
index b571ae253f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -https://bugzilla.mindrot.org/show_bug.cgi?id=3548 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver) - if (headerver == libver) - return 1; - -- /* for versions < 1.0.0, major,minor,fix,status must match */ -- if (headerver < 0x1000000f) { -- mask = 0xfffff00fL; /* major,minor,fix,status */ -- return (headerver & mask) == (libver & mask); -+ /* -+ * For versions < 3.0.0, major,minor,status must match and library -+ * fix version must be equal to or newer than the header. -+ */ -+ if (headerver < 0x3000000f) { -+ mask = 0xfff0000fL; /* major,minor,status */ -+ hfix = (headerver & 0x000ff000) >> 12; -+ lfix = (libver & 0x000ff000) >> 12; -+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix) -+ return 1; - } - - /* -- * For versions >= 1.0.0, major,minor,status must match and library -- * fix version must be equal to or newer than the header. -+ * For versions >= 3.0.0, major must match and minor,status must be -+ * equal to or greater than the header. 
- */ -- mask = 0xfff00000L; /* major,minor,status */ -- hfix = (headerver & 0x000ff000) >> 12; -- lfix = (libver & 0x000ff000) >> 12; -+ mask = 0xf000000fL; /* major, status */ -+ hfix = (headerver & 0x0ffffff0L) >> 12; -+ lfix = (libver & 0x0ffffff0L) >> 12; - if ( (headerver & mask) == (libver & mask) && lfix >= hfix) - return 1; - return 0; ---- a/openbsd-compat/regress/opensslvertest.c -+++ b/openbsd-compat/regress/opensslvertest.c -@@ -31,7 +31,7 @@ struct version_test { - { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ - { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ - { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ -- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ -+ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */ - { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ - { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ - -@@ -41,7 +41,7 @@ struct version_test { - { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ - { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ - { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ -- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ -+ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */ - { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ - { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ - }; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch new file mode 100644 index 0000000000..f1336bbe03 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch 
@@ -0,0 +1,21 @@ +https://bugs.gentoo.org/912766 +https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621 + +From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 19 Aug 2023 07:39:08 +1000 +Subject: [PATCH] Fix zlib version check for 1.3 and future version. + +bz#3604. +--- a/configure.ac ++++ b/configure.ac +@@ -1464,7 +1464,7 @@ else + [[ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); +- if (n != 3 && n != 4) ++ if (n < 1) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket index d19f34be86..94b9533180 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild index 8f01a48dc7..5d1ffb94eb 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild 
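Review bot: Dropping `TriggerLimitBurst=0` from sshd.socket puts the socket back under systemd's default trigger rate limit (200 activations per 2 seconds unless configured otherwise), and with `Accept=yes` a burst of inbound connections above that limit makes systemd put the socket unit into failure mode, after which no new SSH sessions are accepted until an operator restarts it. The series restores the setting through the `no-trigger-limit-burst.conf` drop-in installed by coreos-base/misc-files in patch 04, but only behind the new `openssh` USE flag, which patch 05 enables solely in the generic target profile, so any image profile built without that flag silently loses the protection. If the drop-in is the intended long-term home for this setting, say so in the commit message so the dependency between the two packages is visible to whoever touches either of them next.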
@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" @@ -86,8 +86,7 @@ PATCHES=( "${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch" "${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch" "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044 - "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" + "${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766 ) pkg_pretend() { @@ -100,6 +99,9 @@ pkg_pretend() { done if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," ewarn "since these USE flags required third-party patches that often trigger bugs" @@ -227,37 +229,6 @@ src_test() { emake -j1 "${tests[@]}" "${src_config}" - rm -f "${copy}" || die -} - # Gentoo tweaks to default config files. tweak_ssh_configs() { local locale_vars=( 
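Review bot: The KEYWORDS line now carries `~amd64` and `~arm64`, so on its own this commit leaves net-misc/openssh unkeyworded for the amd64 and arm64 arches the overlay targets; the package.accept_keywords entry that makes it installable again only arrives in patch 03. Likewise the `insert_include` calls, the Subsystem drop-in move and the `fperms` hardening of sshd_config.d that this sync removes are all put back by patch 02. Neither this commit nor the next is therefore a buildable, self-consistent state of the tree, which hurts bisecting; either squash patches 01–03 or land the accept_keywords entry before the sync. The src_test hunk as rendered here is missing most of its removed lines, so the `rm -f "${copy}"` / `}` removal could not be checked against the rest of that function.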
@@ -271,9 +242,12 @@ tweak_ssh_configs() { ) dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - - insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d' - insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d' + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) @@ -292,10 +266,6 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF - # Move sshd's Subsystem option to a drop-in file. - grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -321,10 +291,6 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi - - local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) - fperms 0700 /etc/ssh/sshd_config.d - fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() { From 51e1bd31b538c0df34e8f43c7604a2a7458712a5 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 25 Sep 2023 16:43:28 +0200 Subject: [PATCH 02/11] overlay net-misc/openssh: Apply Flatcar modifications None of these modifications are Flatcar-specific. We are trying to upstream them in https://github.com/gentoo/gentoo/pull/31615. When they reach Gentoo, we can move net-misc/openssh to portage-stable. --- .../net-misc/openssh/openssh-9.4_p1.ebuild | 48 ++++++++++++++++--- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild index 5d1ffb94eb..baac0b9956 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild @@ -229,6 +229,37 @@ src_test() { emake -j1 "${tests[@]}" "${src_config}" + rm -f "${copy}" || die +} + # Gentoo tweaks to default config files. tweak_ssh_configs() { local locale_vars=( @@ -242,12 +273,9 @@ tweak_ssh_configs() { ) dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die - Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" - EOF - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die - Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" - EOF + + insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d' + insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d' cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) 
@@ -266,6 +294,10 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF + # Move sshd's Subsystem option to a drop-in file. + grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -291,6 +323,10 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi + + local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) + fperms 0700 /etc/ssh/sshd_config.d + fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() { From 50cb35e9b3077fe7ebc4ebecbbf5ac7da8d3170a Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 28 Jul 2023 12:40:55 +0200 Subject: [PATCH 03/11] overlay profiles: Add accept keywords for net-misc/openssh --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index c6f276fe7c..966eb183bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
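Review bot: `sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config` has no `|| die`, unlike the `grep` on the line before it, so a failed edit leaves the `Subsystem` line in both the main file and the new `9999999gentoo-subsystem.conf` drop-in; sshd has historically treated a repeated Subsystem name as a fatal configuration error, so that outcome would leave the daemon unable to start rather than merely misconfigured. The two patterns also disagree: `grep -ie 'subsystem'` is case-insensitive and unanchored (it also captures comment lines that merely mention subsystems), while the sed only matches `[Ss]ubsystem`, so a line one tool moves the other may not delete. Anchoring both, e.g. `grep -iE '^[[:space:]]*subsystem[[:space:]]'` and `sed -i -E '/^[[:space:]]*subsystem[[:space:]]/Id' "${ED}"/etc/ssh/sshd_config || die` (GNU sed's `I` flag, which ebuilds can rely on), keeps them in step and makes a failure fatal at build time instead of at first boot.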
@@ -58,6 +58,9 @@ # Required for addressing CVE-2023-38039. =net-misc/curl-8.3.0 ~amd64 ~arm64 +# Required to allow us to override the sftp subsystem in sshd config. +=net-misc/openssh-9.4_p1 ~amd64 ~arm64 + # Keep versions on both arches in sync. =net-nds/openldap-2.6.4-r1 ~amd64 =sec-policy/selinux-base-2.20200818-r3 ~arm64 From af874a04e2c3bb12a15e552520e8c3057648994c Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 19 Jun 2023 17:16:12 +0200 Subject: [PATCH 04/11] overlay coreos-base/misc-files: Import Flatcar modifications for openssh - Import and update configs for ssh client and daemon from the flatcar/init repository. These configs have now became snippets that the main configuration file will include. - Install a drop-in file for the ssh.socket unit disabling the rate limiting. - Install compatibility symlinks in old ssh config locations that will point to respective files in /usr/share/flatcar/etc. - Make all these actions optional - openssh USE flag needs to be enabled. That way, generic images can pull those changes, while SDK can avoid doing so. --- .../misc-files/files/50-flatcar-ssh.conf | 1 + .../misc-files/files/50-flatcar-sshd.conf | 26 ++++++++++++ .../files/no-trigger-limit-burst.conf | 2 + ...les-0-r1.ebuild => misc-files-0-r2.ebuild} | 40 ++++++++++++++++++- 4 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r1.ebuild => misc-files-0-r2.ebuild} (75%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf new file mode 100644 index 0000000000..1a88c1614c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf @@ -0,0 +1 @@ +# Use defaults for ssh client system-wide configuration. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf new file mode 100644 index 0000000000..2bf63df028 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf 
@@ -0,0 +1,26 @@ +# Use most defaults for sshd configuration. +Subsystem sftp internal-sftp +ClientAliveInterval 180 + +# These are either defaults or already set up by config generated by +# the Gentoo ebuild. But we need to keep them, as the older +# installations may still use the old symlink from +# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config. +# +# BEGIN SETTINGS KEPT FOR COMPATIBILITY +UseDNS no +UsePAM yes +# handled by PAM +PrintLastLog no +# handled by PAM +PrintMotd no +# END SETTINGS KEPT FOR COMPATIBILITY + +Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com +MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + +# Temporarily accept ssh-rsa algorithm for openssh >= 8.8, +# until most ssh clients could deprecate ssh-rsa. +HostkeyAlgorithms +ssh-rsa +PubkeyAcceptedAlgorithms +ssh-rsa diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf new file mode 100644 index 0000000000..da57a42f47 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf @@ -0,0 +1,2 @@ +[Socket] +TriggerLimitBurst=0 
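Review bot: `HostkeyAlgorithms +ssh-rsa` and `PubkeyAcceptedAlgorithms +ssh-rsa` in 50-flatcar-sshd.conf re-enable the SHA-1-based `ssh-rsa` signature scheme that the file's own comment says upstream disabled by default from 8.8; RSA keys keep working without these lines through rsa-sha2-256/512, so the two lines only matter for clients that cannot produce SHA-2 signatures. The comment calls this temporary but gives no removal criterion; record the tracking reference or target release next to it so the exception does not become permanent, e.g. `# TODO(<tracking-id>): drop once legacy ssh-rsa-only clients are gone`. Note also that the `Subsystem sftp internal-sftp` line here lands in the same sshd_config.d directory as the `9999999gentoo-subsystem.conf` the openssh ebuild generates (patch 02), so both files define the sftp subsystem; confirm that the 9.4 daemon tolerates that, as earlier releases rejected a duplicate Subsystem name at startup, or ensure only one of the two is ever installed on an image.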
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild index b92882df67..77d5330688 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild @@ -4,7 +4,7 @@ EAPI=8 TMPFILES_OPTIONAL=1 -inherit tmpfiles +inherit systemd tmpfiles DESCRIPTION='Flatcar miscellaneous files' HOMEPAGE='https://www.flatcar.org/' @@ -12,13 +12,24 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' +IUSE="openssh" # No source directory. S="${WORKDIR}" +# Versions listed below are version of packages that shedded the +# modifications in their ebuilds. +# +# net-misc/openssh must be installed on host for enabling its unit to +# work during installation. +DEPEND=" + openssh? ( >=net-misc/openssh-9.4_p1 ) +" + # Versions listed below are version of packages that shedded the # modifications in their ebuilds. RDEPEND=" + ${DEPEND} >=app-shells/bash-5.2_p15-r2 " @@ -56,7 +67,7 @@ src_install() { # /etc will be moved in its place. # # These links exist because old installations can still have - # references to `/usr/share/(bash|skel)`. + # references to them. local -A compat_symlinks compat_symlinks=( ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout' 
@@ -68,6 +79,12 @@ src_install() { ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs' ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf' ) + if use openssh; then + compat_symlinks+=( + ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' + ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' + ) + fi local link target for link in "${!compat_symlinks[@]}"; do @@ -106,4 +123,23 @@ src_install() { dosym "${target}" "${link}" fowners --no-dereference 500:500 "${link}" done + + if use openssh; then + # Install our configuration snippets. + insinto /etc/ssh/ssh_config.d + doins "${FILESDIR}/50-flatcar-ssh.conf" + insinto /etc/ssh/sshd_config.d + doins "${FILESDIR}/50-flatcar-sshd.conf" + + # Install our socket drop-in file that disables the rate + # limiting on the sshd socket. + local override_dir + override_dir="$(systemd_get_systemunitdir)/sshd.socket.d" + dodir "${override_dir}" + insinto "${override_dir}" + doins "${FILESDIR}/no-trigger-limit-burst.conf" + + # Enable some sockets that aren't enabled by their own ebuilds. + systemd_enable_service sockets.target sshd.socket + fi } From 29c85a2781ec7ab0f1607eaabaeb8c206110b91c Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 19 Jun 2023 17:17:01 +0200 Subject: [PATCH 05/11] overlay profiles: Enable openssh symlink installation on generic images --- .../profiles/coreos/targets/generic/package.use | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 71dfb579f2..eac7fcf10e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use 
@@ -6,6 +6,10 @@ app-admin/sudo ldap sssd app-editors/vim minimal -crypt # minimal: Don't pull app-vim/gentoo-syntax app-editors/vim-core minimal + +# Install our modifications and compatibility symlinks for ssh +coreos-base/misc-files openssh + dev-lang/python gdbm dev-libs/dbus-glib tools dev-libs/elfutils -utils From d6985267306707f62efb407756382b6d12aaac2a Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 19 Jun 2023 17:18:42 +0200 Subject: [PATCH 06/11] overlay coreos-base/coreos-init: Pull in ssh config removal The configs were moved to coreos-base/misc-files. In the meantime, update python compatibility and drop unused USE flag and an obsolete README file. --- .../coreos-overlay/coreos-base/coreos-init/README | 2 -- ....0.1-r186.ebuild => coreos-init-0.0.1-r187.ebuild} | 0 .../coreos-base/coreos-init/coreos-init-9999.ebuild | 11 +++-------- 3 files changed, 3 insertions(+), 10 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/{coreos-init-0.0.1-r186.ebuild => coreos-init-0.0.1-r187.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README deleted file mode 100644 index ecfbc513fb..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README +++ /dev/null @@ -1,2 +0,0 @@ -If /etc/sshd_config changes make sure to apply the change to sys-auth/google-oslogin. -Those files must be kept in sync. 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r186.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r187.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r186.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r187.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index cf6c424bd8..4a924c6c9f 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -10,11 +10,11 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="1b5a096a4d91076d0121308caa5c7dbe40f7aafe" # flatcar-master + CROS_WORKON_COMMIT="22c07b1270fb2f40dedef00f0d0fb1699727d995" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi -PYTHON_COMPAT=( python3_{6..11} ) +PYTHON_COMPAT=( python3_{9..11} ) inherit cros-workon systemd python-any-r1 @@ -24,9 +24,7 @@ SRC_URI="" LICENSE="BSD" SLOT="0/${PVR}" -IUSE="test symlink-usr" - -REQUIRED_USE="symlink-usr" +IUSE="test" # Daemons we enable here must installed during build/install in addition to # during runtime so the systemd unit enable step works. @@ -47,9 +45,6 @@ RDEPEND="${DEPEND} src_install() { emake DESTDIR="${D}" install - # Enable some sockets that aren't enabled by their own ebuilds. - systemd_enable_service sockets.target sshd.socket - # Enable some services that aren't enabled elsewhere. systemd_enable_service rpcbind.target rpcbind.service From 8151bc3154039cc6cff12d5ebfca211c7a1256e2 Mon Sep 17 00:00:00 2001 
From: Flatcar Buildbot Date: Thu, 22 Jun 2023 16:00:49 +0200 Subject: [PATCH 07/11] overlay sys-auth/google-oslogin: Add an sshd config snippet The sshd config provided by this package is now marked as provided for compatibility only - it will be there in case there is still a symlink in /etc pointing to it. The new config snippet will be used by the enable oslogin stuff in the updated coreos-base/oem-gce package in following commits. --- .../google-oslogin/files/60-flatcar-google-oslogin.conf | 3 +++ .../coreos-overlay/sys-auth/google-oslogin/files/sshd_config | 4 +++- ...0910.00-r2.ebuild => google-oslogin-20200910.00-r3.ebuild} | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf rename sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/{google-oslogin-20200910.00-r2.ebuild => google-oslogin-20200910.00-r3.ebuild} (96%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf new file mode 100644 index 0000000000..d9f62661bf --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf @@ -0,0 +1,3 @@ +# Needed for google oslogin +AuthorizedKeysCommand /usr/libexec/google_authorized_keys +AuthorizedKeysCommandUser root diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config index 5b174fcad4..7b51b214e4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config 
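Review bot: `AuthorizedKeysCommandUser root` in the new 60-flatcar-google-oslogin.conf runs `google_authorized_keys` with full privileges on every authentication attempt, presumably on data fetched from the instance metadata service; sshd_config(5) recommends a dedicated account with no other role on the host for AuthorizedKeysCommand. If the helper genuinely needs root — which Google's own packaging suggests it may — the snippet should record why, e.g. `# Runs as root because google_authorized_keys needs <reason>; see <tracking-id>`, otherwise point it at an unprivileged service user. The one-line `# Needed for google oslogin` comment does not let a later reader make that call.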
@@ -1,5 +1,7 @@ +# This is an old SSHD config file, unused in new Flatcar +# installations. We provide it for backward compatibility. + # Use most defaults for sshd configuration. -# Keep this in sync with coreos/init/configs/sshd_config Subsystem sftp internal-sftp ClientAliveInterval 180 UseDNS no diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild index e0799cc036..679e0c0b3a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild @@ -49,6 +49,7 @@ src_install() { # config files the base Ignition config will create links to insinto /usr/share/google-oslogin doins "${FILESDIR}/sshd_config" + doins "${FILESDIR}/60-flatcar-google-oslogin.conf" doins "${FILESDIR}/nsswitch.conf" doins "${FILESDIR}/pam_sshd" doins "${FILESDIR}/oslogin-sudoers" From e983b8fb5039c48501c822284a9a5cb699c85ac7 Mon Sep 17 00:00:00 2001 
From: Flatcar Buildbot Date: Thu, 22 Jun 2023 16:02:03 +0200 Subject: [PATCH 08/11] overlay app-emulation/wa-linux-agent: Update ssh config setup This commit updates our Flatcar patch with a code that will install an sshd config snippet instead of editing the main sshd config file if snippets directory exists. --- .../files/0001-flatcar-changes.patch | 47 +++++++++++++------ ...build => wa-linux-agent-2.6.0.2-r4.ebuild} | 0 2 files changed, 33 insertions(+), 14 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/{wa-linux-agent-2.6.0.2-r3.ebuild => wa-linux-agent-2.6.0.2-r4.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch index 6953cdea85..917c71629a 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch @@ -1,4 +1,4 @@ -From 90b28746c0d8698a080eb7082e0e14054aee0a02 Mon Sep 17 00:00:00 2001 +From dd1512513b407e23155f58400cacecac8576d6f9 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 27 Feb 2023 15:59:21 +0100 Subject: [PATCH] flatcar changes 
@@ -7,12 +7,12 @@ Subject: [PATCH] flatcar changes azurelinuxagent/common/osutil/coreos.py | 39 +----- azurelinuxagent/common/osutil/coreoscommon.py | 57 ++++++++ azurelinuxagent/common/osutil/factory.py | 3 + - azurelinuxagent/common/osutil/flatcar.py | 41 ++++++ + azurelinuxagent/common/osutil/flatcar.py | 60 +++++++++ config/flatcar/waagent.conf | 122 ++++++++++++++++++ init/flatcar/10-waagent-sysext.conf | 2 + init/flatcar/waagent.service | 30 +++++ setup.py | 20 ++- - 8 files changed, 272 insertions(+), 42 deletions(-) + 8 files changed, 291 insertions(+), 42 deletions(-) create mode 100644 azurelinuxagent/common/osutil/coreoscommon.py create mode 100644 azurelinuxagent/common/osutil/flatcar.py create mode 100644 config/flatcar/waagent.conf @@ -164,10 +164,10 @@ index b5ee0b09..9280c645 100644 if distro_name in ("suse", "sle_hpc", "sles", "opensuse"): diff --git a/azurelinuxagent/common/osutil/flatcar.py b/azurelinuxagent/common/osutil/flatcar.py new file mode 100644 -index 00000000..3d1bf535 +index 00000000..bf739a8e --- /dev/null +++ b/azurelinuxagent/common/osutil/flatcar.py -@@ -0,0 +1,41 @@ +@@ -0,0 +1,60 @@ +# +# Copyright 2023 Microsoft Corporation +# @@ -187,13 +187,16 @@ index 00000000..3d1bf535 +# + +import os ++import os.path +import shutil ++import stat + +import azurelinuxagent.common.conf as conf ++import azurelinuxagent.common.logger as logger ++import azurelinuxagent.common.utils.fileutil as fileutil + +from azurelinuxagent.common.osutil.coreoscommon import CoreosCommonUtil + -+ +class FlatcarUtil(CoreosCommonUtil): + + @staticmethod 
@@ -201,14 +204,30 @@ index 00000000..3d1bf535
+ return "/usr/lib/systemd/system"
+
+ def conf_sshd(self, disable_password):
-+ # make sure that the config file stops being a symlink
-+ conf_file_path = conf.get_sshd_conf_file_path()
-+ conf_file_path2 = f"{conf_file_path}.wal.tmp"
-+ shutil.copy(conf_file_path, conf_file_path2)
-+ os.remove(conf_file_path)
-+ os.rename(conf_file_path2, conf_file_path)
-+ super(CoreosCommonUtil, self).conf_sshd(disable_password)
-+ pass
++ ssh_dir = conf.get_ssh_dir()
++ snippet_dir = os.path.join(ssh_dir, "sshd_config.d")
++ statinfo = os.lstat(snippet_dir)
++ if stat.S_ISDIR(statinfo.st_mode):
++ # This adds a configuration snippet that will be loaded by
++ # openssh.
++ snippet_file = os.path.join(snippet_dir, "80-flatcar-walinuxagent.conf")
++ option = "no" if disable_password else "yes"
++ lines = [
++ f"PasswordAuthentication {option}",
++ f"ChallengeResponseAuthentication {option}",
++ f"ClientAliveInterval {str(conf.get_ssh_client_alive_interval())}"
++ ]
++ fileutil.write_file(snippet_file, "\n".join(lines))
++ logger.info("Added a configuration snippet {0} SSH password-based authentication methods. It also configures SSH client probing to keep connections alive."
++ .format("disabling" if disable_password else "enabling"))
++ else:
++ # Make sure that the config file stops being a symlink.
++ conf_file_path = conf.get_sshd_conf_file_path()
++ conf_file_path2 = f"{conf_file_path}.wal.tmp"
++ shutil.copy(conf_file_path, conf_file_path2)
++ os.remove(conf_file_path)
++ os.rename(conf_file_path2, conf_file_path)
++ super(CoreosCommonUtil, self).conf_sshd(disable_password)
diff --git a/config/flatcar/waagent.conf b/config/flatcar/waagent.conf
new file mode 100644
index 00000000..b453c634
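Review bot: `statinfo = os.lstat(snippet_dir)` raises `FileNotFoundError` when `/etc/ssh/sshd_config.d` does not exist, so the `else:` branch that de-symlinks and edits the main `sshd_config` is reached only when the path exists but is not a directory, and on an image without the snippet directory `conf_sshd` aborts before either password-authentication setting is applied. Replace the two lines with a check that tolerates a missing path, e.g. `if os.path.isdir(snippet_dir) and not os.path.islink(snippet_dir):` (keeping the apparent intent of not following a symlinked directory), or wrap the `lstat` in `try/except FileNotFoundError`. Separately, sshd keeps the first value it sees for a keyword, so the `80-flatcar-walinuxagent.conf` snippet is only effective if the main config's `Include` precedes any `PasswordAuthentication` line and no lower-numbered snippet sets it; the unconditional success message in `logger.info(...)` deserves a comment such as `# sshd honours the first occurrence of each keyword; the main config or a lower-numbered snippet can still override this.` `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in the OpenSSH 9.x this series moves to; it still parses but could be renamed now. The enclosing `FlatcarUtil` class starts in the previous hunk of the embedded patch.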
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r4.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r4.ebuild From 88b653b1a5e7002448d8e9796f9ee468146daea5 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 22 Jun 2023 16:05:17 +0200 Subject: [PATCH 09/11] overlay coreos-base/oem-gce: Update oslogin enablement We will be installing an sshd config snippet instead of replacing the whole sshd config. In order to pull this off, we need to make sure that the snippets directory exists and the main sshd config file actually includes the snippets in the directory. --- .../coreos-base/oem-gce/files/bin/enable-oslogin | 11 ++++++++--- ...-20180823-r4.ebuild => oem-gce-20180823-r5.ebuild} | 0 2 files changed, 8 insertions(+), 3 deletions(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/{oem-gce-20180823-r4.ebuild => oem-gce-20180823-r5.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin index abf9899b67..7a8cd816a1 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin 
@@ -13,8 +13,13 @@ if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf
exit 0
fi
-if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
- echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
+if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
+ echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
+ exit 0
+fi
+
+if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
+ echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
exit 0
fi
@@ -25,6 +30,6 @@ mkdir -m 0750 -p '/var/lib/google-sudoers.d'
mkdir -m 0750 -p '/var/lib/google-users.d'
ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
-ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
+ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r5.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r5.ebuild
From 71ab9b10644909769b0aac126d1fdcb45275791c Mon Sep 17 00:00:00 2001
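Review bot: The new `grep --fixed-strings` test on the `Include` line is a plain substring match, so a commented-out `#Include "/etc/ssh/sshd_config.d/*.conf"` (the usual way a shipped default is disabled) satisfies it, OS Login gets enabled, and the `60-flatcar-google-oslogin.conf` snippet linked in the second hunk is never read by sshd. Anchor the match to an active directive instead: `if ! grep --extended-regexp --no-messages --silent '^[[:space:]]*Include[[:space:]]+"?/etc/ssh/sshd_config\.d/\*\.conf"?' '/etc/ssh/sshd_config'; then`. Even an active `Include` only helps if it precedes any competing keyword in `sshd_config`, because sshd keeps the first value seen for a keyword; grep alone cannot check that, so record the assumption next to the test, e.g. `# Assumes the Include precedes any directive the OS Login snippet sets (sshd uses the first value seen).`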
From: Flatcar Buildbot Date: Thu, 22 Jun 2023 16:05:53 +0200 Subject: [PATCH 10/11] overlay coreos/config: Start installing default openssh configs The configs provided by the openssh and Gentoo projects usually keep everything commented out, meaning that the default values will be used. On top of that, they will also include snippets in the snippet directory. As such, start installing the default configs. We only mask a snippet that defines sftp subsystem, because we provide our own config snippet from coreos-base/misc-files that defines it. --- .../coreos/config/env/net-misc/openssh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh index 75f2a0f81c..879f94faee 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh @@ -1,12 +1,9 @@ -# We install these with our chromeos-base package. +# Do not install the setuid file in production images. +# +# Do not install the config snippet that defines a subsystem. We have +# our own definition in coreos-init. if [[ $(cros_target) != "cros_host" ]] ; then - openssh_mask=" - /etc/ssh/ssh_config - /etc/ssh/sshd_config - /etc/ssh/ssh_config.d - /etc/ssh/sshd_config.d - /usr/lib*/misc/ssh-keysign - " + openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf" PKG_INSTALL_MASK+=" ${openssh_mask}" INSTALL_MASK+=" ${openssh_mask}" unset openssh_mask From cabc3c079823bc43fa77a2a2a42eaa8cc0769557 Mon Sep 17 00:00:00 2001 
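Review bot: The new comment `+# our own definition in coreos-init.` disagrees with the commit description directly above it, which says the sftp subsystem snippet comes from `coreos-base/misc-files`; one of the two is stale and the ebuild that owns the snippet is not visible here, so please reconcile them (e.g. `# our own definition in coreos-base/misc-files.` if the description is the accurate one). The comment would also be more useful if it said why the Gentoo snippet must be masked rather than merely shadowed: sshd treats a second `Subsystem sftp` definition as a fatal configuration error, so shipping both snippets would risk sshd failing to start rather than one quietly winning.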
From: Krzesimir Nowak Date: Fri, 29 Sep 2023 07:54:14 +0200 Subject: [PATCH 11/11] changelog: Add entries --- changelog/changes/2023-09-29-openssh-update.md | 1 + changelog/updates/2023-09-29-openssh-update.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/changes/2023-09-29-openssh-update.md create mode 100644 changelog/updates/2023-09-29-openssh-update.md diff --git a/changelog/changes/2023-09-29-openssh-update.md b/changelog/changes/2023-09-29-openssh-update.md new file mode 100644 index 0000000000..30d136b89e --- /dev/null +++ b/changelog/changes/2023-09-29-openssh-update.md @@ -0,0 +1 @@ +- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively. diff --git a/changelog/updates/2023-09-29-openssh-update.md b/changelog/updates/2023-09-29-openssh-update.md new file mode 100644 index 0000000000..8c23da2950 --- /dev/null +++ b/changelog/updates/2023-09-29-openssh-update.md @@ -0,0 +1 @@ +- openssh ([9.4p1](https://www.openssh.com/releasenotes.html#9.4p1))