Merge pull request #945 from flatcar/krnowak/move-openssh

Move net-misc/openssh from overlay to portage-stable, configuration changes

changelog/changes/2023-09-29-openssh-update.md

@@ -0,0 +1 @@
+- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively.

changelog/updates/2023-09-29-openssh-update.md

@@ -0,0 +1 @@
+- openssh ([9.4p1](https://www.openssh.com/releasenotes.html#9.4p1))

sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch

@@ -1,4 +1,4 @@
-From 90b28746c0d8698a080eb7082e0e14054aee0a02 Mon Sep 17 00:00:00 2001
+From dd1512513b407e23155f58400cacecac8576d6f9 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <[email protected]>
 Date: Mon, 27 Feb 2023 15:59:21 +0100
 Subject: [PATCH] flatcar changes
@@ -7,12 +7,12 @@ Subject: [PATCH] flatcar changes
  azurelinuxagent/common/osutil/coreos.py       |  39 +-----
  azurelinuxagent/common/osutil/coreoscommon.py |  57 ++++++++
  azurelinuxagent/common/osutil/factory.py      |   3 +
- azurelinuxagent/common/osutil/flatcar.py      |  41 ++++++
+ azurelinuxagent/common/osutil/flatcar.py      |  60 +++++++++
  config/flatcar/waagent.conf                   | 122 ++++++++++++++++++
  init/flatcar/10-waagent-sysext.conf           |   2 +
  init/flatcar/waagent.service                  |  30 +++++
  setup.py                                      |  20 ++-
- 8 files changed, 272 insertions(+), 42 deletions(-)
+ 8 files changed, 291 insertions(+), 42 deletions(-)
  create mode 100644 azurelinuxagent/common/osutil/coreoscommon.py
  create mode 100644 azurelinuxagent/common/osutil/flatcar.py
  create mode 100644 config/flatcar/waagent.conf
@@ -164,10 +164,10 @@ index b5ee0b09..9280c645 100644
      if distro_name in ("suse", "sle_hpc", "sles", "opensuse"):
 diff --git a/azurelinuxagent/common/osutil/flatcar.py b/azurelinuxagent/common/osutil/flatcar.py
 new file mode 100644
-index 00000000..3d1bf535
+index 00000000..bf739a8e
 --- /dev/null
 +++ b/azurelinuxagent/common/osutil/flatcar.py
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,60 @@
 +#
 +# Copyright 2023 Microsoft Corporation
 +#
@@ -187,28 +187,47 @@ index 00000000..3d1bf535
 +#
 +
 +import os
++import os.path
 +import shutil
++import stat
 +
 +import azurelinuxagent.common.conf as conf
++import azurelinuxagent.common.logger as logger
++import azurelinuxagent.common.utils.fileutil as fileutil
 +
 +from azurelinuxagent.common.osutil.coreoscommon import CoreosCommonUtil
 +
-+
 +class FlatcarUtil(CoreosCommonUtil):
 +
 +    @staticmethod
 +    def get_systemd_unit_file_install_path():
 +        return "/usr/lib/systemd/system"
 +
 +    def conf_sshd(self, disable_password):
-+        # make sure that the config file stops being a symlink
-+        conf_file_path = conf.get_sshd_conf_file_path()
-+        conf_file_path2 = f"{conf_file_path}.wal.tmp"
-+        shutil.copy(conf_file_path, conf_file_path2)
-+        os.remove(conf_file_path)
-+        os.rename(conf_file_path2, conf_file_path)
-+        super(CoreosCommonUtil, self).conf_sshd(disable_password)
-+        pass
++        ssh_dir = conf.get_ssh_dir()
++        snippet_dir = os.path.join(ssh_dir, "sshd_config.d")
++        statinfo = os.lstat(snippet_dir)
++        if stat.S_ISDIR(statinfo.st_mode):
++            # This adds a configuration snippet that will be loaded by
++            # openssh.
++            snippet_file = os.path.join(snippet_dir, "80-flatcar-walinuxagent.conf")
++            option = "no" if disable_password else "yes"
++            lines = [
++                f"PasswordAuthentication {option}",
++                f"ChallengeResponseAuthentication {option}",
++                f"ClientAliveInterval {str(conf.get_ssh_client_alive_interval())}"
++            ]
++            fileutil.write_file(snippet_file, "\n".join(lines))
++            logger.info("Added a configuration snippet {0} SSH password-based authentication methods. It also configures SSH client probing to keep connections alive."
++                        .format("disabling" if disable_password else "enabling"))
++        else:
++            # Make sure that the config file stops being a symlink.
++            conf_file_path = conf.get_sshd_conf_file_path()
++            conf_file_path2 = f"{conf_file_path}.wal.tmp"
++            shutil.copy(conf_file_path, conf_file_path2)
++            os.remove(conf_file_path)
++            os.rename(conf_file_path2, conf_file_path)
++            super(CoreosCommonUtil, self).conf_sshd(disable_password)
 diff --git a/config/flatcar/waagent.conf b/config/flatcar/waagent.conf
 new file mode 100644
 index 00000000..b453c634

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -10,11 +10,11 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="1b5a096a4d91076d0121308caa5c7dbe40f7aafe" # flatcar-master
+	CROS_WORKON_COMMIT="22c07b1270fb2f40dedef00f0d0fb1699727d995" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
-PYTHON_COMPAT=( python3_{6..11} )
+PYTHON_COMPAT=( python3_{9..11} )
 
 inherit cros-workon systemd python-any-r1
 
@@ -24,9 +24,7 @@ SRC_URI=""
 
 LICENSE="BSD"
 SLOT="0/${PVR}"
-IUSE="test symlink-usr"
-
-REQUIRED_USE="symlink-usr"
+IUSE="test"
 
 # Daemons we enable here must installed during build/install in addition to
 # during runtime so the systemd unit enable step works.
@@ -47,9 +45,6 @@ RDEPEND="${DEPEND}
 src_install() {
 	emake DESTDIR="${D}" install
 
-	# Enable some sockets that aren't enabled by their own ebuilds.
-	systemd_enable_service sockets.target sshd.socket
-
 	# Enable some services that aren't enabled elsewhere.
 	systemd_enable_service rpcbind.target rpcbind.service
 

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf

@@ -0,0 +1 @@
+# Use defaults for ssh client system-wide configuration.

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf

@@ -0,0 +1,26 @@
+# Use most defaults for sshd configuration.
+Subsystem sftp internal-sftp
+ClientAliveInterval 180
+
+# These are either defaults or already set up by config generated by
+# the Gentoo ebuild. But we need to keep them, as the older
+# installations may still use the old symlink from
+# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
+#
+# BEGIN SETTINGS KEPT FOR COMPATIBILITY
+UseDNS no
+UsePAM yes
+# handled by PAM
+PrintLastLog no
+# handled by PAM
+PrintMotd no
+# END SETTINGS KEPT FOR COMPATIBILITY
+
+Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
+KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
+# until most ssh clients could deprecate ssh-rsa.
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf

@@ -0,0 +1,2 @@
+[Socket]
+TriggerLimitBurst=0

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild → sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild

@@ -4,21 +4,32 @@
 EAPI=8
 
 TMPFILES_OPTIONAL=1
-inherit tmpfiles
+inherit systemd tmpfiles
 
 DESCRIPTION='Flatcar miscellaneous files'
 HOMEPAGE='https://www.flatcar.org/'
 
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
+IUSE="openssh"
 
 # No source directory.
 S="${WORKDIR}"
 
+# Versions listed below are version of packages that shedded the
+# modifications in their ebuilds.
+#
+# net-misc/openssh must be installed on host for enabling its unit to
+# work during installation.
+DEPEND="
+	openssh? ( >=net-misc/openssh-9.4_p1 )
+"
+
 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
+	${DEPEND}
 	>=app-shells/bash-5.2_p15-r2
 "
 
@@ -56,7 +67,7 @@ src_install() {
     # /etc will be moved in its place.
     #
     # These links exist because old installations can still have
-    # references to `/usr/share/(bash|skel)`.
+    # references to them.
     local -A compat_symlinks
     compat_symlinks=(
         ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout'
@@ -68,6 +79,12 @@ src_install() {
         ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
         ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
     )
+    if use openssh; then
+        compat_symlinks+=(
+            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do
@@ -106,4 +123,23 @@ src_install() {
         dosym "${target}" "${link}"
         fowners --no-dereference 500:500 "${link}"
     done
+
+    if use openssh; then
+        # Install our configuration snippets.
+        insinto /etc/ssh/ssh_config.d
+        doins "${FILESDIR}/50-flatcar-ssh.conf"
+        insinto /etc/ssh/sshd_config.d
+        doins "${FILESDIR}/50-flatcar-sshd.conf"
+
+        # Install our socket drop-in file that disables the rate
+        # limiting on the sshd socket.
+        local override_dir
+        override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
+        dodir "${override_dir}"
+        insinto "${override_dir}"
+        doins "${FILESDIR}/no-trigger-limit-burst.conf"
+
+        # Enable some sockets that aren't enabled by their own ebuilds.
+        systemd_enable_service sockets.target sshd.socket
+    fi
 }

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin

@@ -13,8 +13,13 @@ if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf
 	exit 0
 fi
 
-if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
-	echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
+if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
+	echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
+	exit 0
+fi
+
+if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
+	echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
 	exit 0
 fi
 
@@ -25,6 +30,6 @@ mkdir -m 0750 -p '/var/lib/google-sudoers.d'
 mkdir -m 0750 -p '/var/lib/google-users.d'
 ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
 ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
-ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
+ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
 ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
 ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'

sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh

@@ -1,12 +1,9 @@
-# We install these with our chromeos-base package.
+# Do not install the setuid file in production images.
+#
+# Do not install the config snippet that defines a subsystem. We have
+# our own definition in coreos-init.
 if [[ $(cros_target) != "cros_host" ]] ; then
-	openssh_mask="
-		/etc/ssh/ssh_config
-		/etc/ssh/sshd_config
-		/etc/ssh/ssh_config.d
-		/etc/ssh/sshd_config.d
-		/usr/lib*/misc/ssh-keysign
-	"
+	openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf"
 	PKG_INSTALL_MASK+=" ${openssh_mask}"
 	INSTALL_MASK+=" ${openssh_mask}"
 	unset openssh_mask

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest

@@ -1,2 +1,2 @@
-DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
-DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
+DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
+DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch

@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/912766
+https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
+
+From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <[email protected]>
+Date: Sat, 19 Aug 2023 07:39:08 +1000
+Subject: [PATCH] Fix zlib version check for 1.3 and future version.
+
+bz#3604.
+--- a/configure.ac
++++ b/configure.ac
+@@ -1464,7 +1464,7 @@ else
+ 	[[
+ 	int a=0, b=0, c=0, d=0, n, v;
+ 	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+-	if (n != 3 && n != 4)
++	if (n < 1)
+ 		exit(1);
+ 	v = a*1000000 + b*10000 + c*100 + d;
+ 	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket

@@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
-TriggerLimitBurst=0
 
 [Install]
 WantedBy=sockets.target