diff --git a/changelog/changes/2023-09-29-openssh-update.md b/changelog/changes/2023-09-29-openssh-update.md new file mode 100644 index 00000000000..30d136b89ee --- /dev/null +++ b/changelog/changes/2023-09-29-openssh-update.md @@ -0,0 +1 @@ +- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively. diff --git a/changelog/updates/2023-09-29-openssh-update.md b/changelog/updates/2023-09-29-openssh-update.md new file mode 100644 index 00000000000..8c23da29505 --- /dev/null +++ b/changelog/updates/2023-09-29-openssh-update.md @@ -0,0 +1 @@ +- openssh ([9.4p1](https://www.openssh.com/releasenotes.html#9.4p1)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch index 6953cdea859..917c71629a7 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch @@ -1,4 +1,4 @@ -From 90b28746c0d8698a080eb7082e0e14054aee0a02 Mon Sep 17 00:00:00 2001 +From dd1512513b407e23155f58400cacecac8576d6f9 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 27 Feb 2023 15:59:21 +0100 Subject: [PATCH] flatcar changes 
@@ -7,12 +7,12 @@ Subject: [PATCH] flatcar changes azurelinuxagent/common/osutil/coreos.py | 39 +----- azurelinuxagent/common/osutil/coreoscommon.py | 57 ++++++++ azurelinuxagent/common/osutil/factory.py | 3 + - azurelinuxagent/common/osutil/flatcar.py | 41 ++++++ + azurelinuxagent/common/osutil/flatcar.py | 60 +++++++++ config/flatcar/waagent.conf | 122 ++++++++++++++++++ init/flatcar/10-waagent-sysext.conf | 2 + init/flatcar/waagent.service | 30 +++++ setup.py | 20 ++- - 8 files changed, 272 insertions(+), 42 deletions(-) + 8 files changed, 291 insertions(+), 42 deletions(-) create mode 100644 azurelinuxagent/common/osutil/coreoscommon.py create mode 100644 azurelinuxagent/common/osutil/flatcar.py create mode 100644 config/flatcar/waagent.conf @@ -164,10 +164,10 @@ index b5ee0b09..9280c645 100644 if distro_name in ("suse", "sle_hpc", "sles", "opensuse"): diff --git a/azurelinuxagent/common/osutil/flatcar.py b/azurelinuxagent/common/osutil/flatcar.py new file mode 100644 -index 00000000..3d1bf535 +index 00000000..bf739a8e --- /dev/null +++ b/azurelinuxagent/common/osutil/flatcar.py -@@ -0,0 +1,41 @@ +@@ -0,0 +1,60 @@ +# +# Copyright 2023 Microsoft Corporation +# @@ -187,13 +187,16 @@ index 00000000..3d1bf535 +# + +import os ++import os.path +import shutil ++import stat + +import azurelinuxagent.common.conf as conf ++import azurelinuxagent.common.logger as logger ++import azurelinuxagent.common.utils.fileutil as fileutil + +from azurelinuxagent.common.osutil.coreoscommon import CoreosCommonUtil + -+ +class FlatcarUtil(CoreosCommonUtil): + + @staticmethod 
@@ -201,14 +204,30 @@ index 00000000..3d1bf535 + return "/usr/lib/systemd/system" + + def conf_sshd(self, disable_password): -+ # make sure that the config file stops being a symlink -+ conf_file_path = conf.get_sshd_conf_file_path() -+ conf_file_path2 = f"{conf_file_path}.wal.tmp" -+ shutil.copy(conf_file_path, conf_file_path2) -+ os.remove(conf_file_path) -+ os.rename(conf_file_path2, conf_file_path) -+ super(CoreosCommonUtil, self).conf_sshd(disable_password) -+ pass ++ ssh_dir = conf.get_ssh_dir() ++ snippet_dir = os.path.join(ssh_dir, "sshd_config.d") ++ statinfo = os.lstat(snippet_dir) ++ if stat.S_ISDIR(statinfo.st_mode): ++ # This adds a configuration snippet that will be loaded by ++ # openssh. ++ snippet_file = os.path.join(snippet_dir, "80-flatcar-walinuxagent.conf") ++ option = "no" if disable_password else "yes" ++ lines = [ ++ f"PasswordAuthentication {option}", ++ f"ChallengeResponseAuthentication {option}", ++ f"ClientAliveInterval {str(conf.get_ssh_client_alive_interval())}" ++ ] ++ fileutil.write_file(snippet_file, "\n".join(lines)) ++ logger.info("Added a configuration snippet {0} SSH password-based authentication methods. It also configures SSH client probing to keep connections alive." ++ .format("disabling" if disable_password else "enabling")) ++ else: ++ # Make sure that the config file stops being a symlink. ++ conf_file_path = conf.get_sshd_conf_file_path() ++ conf_file_path2 = f"{conf_file_path}.wal.tmp" ++ shutil.copy(conf_file_path, conf_file_path2) ++ os.remove(conf_file_path) ++ os.rename(conf_file_path2, conf_file_path) ++ super(CoreosCommonUtil, self).conf_sshd(disable_password) diff --git a/config/flatcar/waagent.conf b/config/flatcar/waagent.conf new file mode 100644 index 00000000..b453c634 
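Review bot: `os.lstat(snippet_dir)` raises FileNotFoundError when `/etc/ssh/sshd_config.d` does not exist, so on an installation without the snippet directory conf_sshd aborts instead of reaching the symlink-replacement fallback in the else branch; a guard such as `statinfo = os.lstat(snippet_dir) if os.path.lexists(snippet_dir) else None` followed by `if statinfo is not None and stat.S_ISDIR(statinfo.st_mode):` keeps the fallback reachable (lstat also rejects a symlinked directory, which looks deliberate and deserves a comment saying so). The mode that fileutil.write_file gives the snippet is not visible here; since this file decides sshd's password-authentication policy it should be confirmed to end up root-owned and not writable by other users. `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH, so the newer keyword would be the forward-compatible choice. conf_sshd starts and ends within this hunk, inside the embedded 0001-flatcar-changes.patch.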
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r4.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.6.0.2-r4.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README deleted file mode 100644 index ecfbc513fba..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/README +++ /dev/null @@ -1,2 +0,0 @@ -If /etc/sshd_config changes make sure to apply the change to sys-auth/google-oslogin. -Those files must be kept in sync. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r186.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r187.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r186.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r187.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild index cf6c424bd8d..4a924c6c9fb 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild 
@@ -10,11 +10,11 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="1b5a096a4d91076d0121308caa5c7dbe40f7aafe" # flatcar-master + CROS_WORKON_COMMIT="22c07b1270fb2f40dedef00f0d0fb1699727d995" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi -PYTHON_COMPAT=( python3_{6..11} ) +PYTHON_COMPAT=( python3_{9..11} ) inherit cros-workon systemd python-any-r1 @@ -24,9 +24,7 @@ SRC_URI="" LICENSE="BSD" SLOT="0/${PVR}" -IUSE="test symlink-usr" - -REQUIRED_USE="symlink-usr" +IUSE="test" # Daemons we enable here must installed during build/install in addition to # during runtime so the systemd unit enable step works. @@ -47,9 +45,6 @@ RDEPEND="${DEPEND} src_install() { emake DESTDIR="${D}" install - # Enable some sockets that aren't enabled by their own ebuilds. - systemd_enable_service sockets.target sshd.socket - # Enable some services that aren't enabled elsewhere. systemd_enable_service rpcbind.target rpcbind.service diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf new file mode 100644 index 00000000000..1a88c1614ca --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf @@ -0,0 +1 @@ +# Use defaults for ssh client system-wide configuration. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf new file mode 100644 index 00000000000..2bf63df0283 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf 
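Review bot: Dropping `systemd_enable_service sockets.target sshd.socket` from src_install makes sshd's enablement depend on coreos-base/misc-files being built with USE=openssh (set only in the generic target's package.use in this commit), but nothing in coreos-init declares that dependency, so a profile without the flag would ship with sshd.socket disabled and no build-time error. The same implicit coupling appears in the net-misc/openssh/files/sshd.socket hunk that removes `TriggerLimitBurst=0`: without the misc-files drop-in, systemd's default trigger limit applies to an Accept=yes socket, and a burst of connections can make systemd stop the unit, locking out SSH. Consider an RDEPEND on `coreos-base/misc-files[openssh]` here, or at least a comment on the removed lines naming where the enabling and the drop-in moved. src_install continues outside the hunk.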
@@ -0,0 +1,26 @@
+# Use most defaults for sshd configuration.
+Subsystem sftp internal-sftp
+ClientAliveInterval 180
+
+# These are either defaults or already set up by config generated by
+# the Gentoo ebuild. But we need to keep them, as the older
+# installations may still use the old symlink from
+# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
+#
+# BEGIN SETTINGS KEPT FOR COMPATIBILITY
+UseDNS no
+UsePAM yes
+# handled by PAM
+PrintLastLog no
+# handled by PAM
+PrintMotd no
+# END SETTINGS KEPT FOR COMPATIBILITY
+
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
+# until most ssh clients could deprecate ssh-rsa.
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
new file mode 100644
index 00000000000..da57a42f47b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
@@ -0,0 +1,2 @@
+[Socket]
+TriggerLimitBurst=0
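Review bot: `HostkeyAlgorithms +ssh-rsa` and `PubkeyAcceptedAlgorithms +ssh-rsa` re-enable the SHA-1-based ssh-rsa signature scheme that OpenSSH 8.8 disabled by default, and the comment above them names no owner or condition for removing the exception; a line such as `# TODO(<owner>): remove once <tracking issue> is closed; ssh-rsa signatures use SHA-1` would keep the "temporarily" from becoming permanent. Because sshd keeps the first value it obtains for each keyword and reads included snippets in lexical order, the `ClientAliveInterval 180` here also takes precedence over the value that the new 80-flatcar-walinuxagent.conf snippet writes from the agent's configuration (assuming the Include line precedes any ClientAliveInterval in the main sshd_config); if the agent's setting is meant to win, this file should not set it, and either way the precedence is worth a comment here. Keywords are case-insensitive, but `HostKeyAlgorithms` is the spelling sshd_config(5) documents.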
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild index b92882df678..77d53306889 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild @@ -4,7 +4,7 @@ EAPI=8 TMPFILES_OPTIONAL=1 -inherit tmpfiles +inherit systemd tmpfiles DESCRIPTION='Flatcar miscellaneous files' HOMEPAGE='https://www.flatcar.org/' @@ -12,13 +12,24 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' +IUSE="openssh" # No source directory. S="${WORKDIR}" +# Versions listed below are version of packages that shedded the +# modifications in their ebuilds. +# +# net-misc/openssh must be installed on host for enabling its unit to +# work during installation. +DEPEND=" + openssh? ( >=net-misc/openssh-9.4_p1 ) +" + # Versions listed below are version of packages that shedded the # modifications in their ebuilds. RDEPEND=" + ${DEPEND} >=app-shells/bash-5.2_p15-r2 " @@ -56,7 +67,7 @@ src_install() { # /etc will be moved in its place. # # These links exist because old installations can still have - # references to `/usr/share/(bash|skel)`. + # references to them. local -A compat_symlinks compat_symlinks=( ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout' 
@@ -68,6 +79,12 @@ src_install() { ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs' ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf' ) + if use openssh; then + compat_symlinks+=( + ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' + ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' + ) + fi local link target for link in "${!compat_symlinks[@]}"; do @@ -106,4 +123,23 @@ src_install() { dosym "${target}" "${link}" fowners --no-dereference 500:500 "${link}" done + + if use openssh; then + # Install our configuration snippets. + insinto /etc/ssh/ssh_config.d + doins "${FILESDIR}/50-flatcar-ssh.conf" + insinto /etc/ssh/sshd_config.d + doins "${FILESDIR}/50-flatcar-sshd.conf" + + # Install our socket drop-in file that disables the rate + # limiting on the sshd socket. + local override_dir + override_dir="$(systemd_get_systemunitdir)/sshd.socket.d" + dodir "${override_dir}" + insinto "${override_dir}" + doins "${FILESDIR}/no-trigger-limit-burst.conf" + + # Enable some sockets that aren't enabled by their own ebuilds. + systemd_enable_service sockets.target sshd.socket + fi } diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin index abf9899b679..7a8cd816a13 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin 
@@ -13,8 +13,13 @@ if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf exit 0 fi -if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then - echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login' +if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then + echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login' + exit 0 +fi + +if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then + echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login' exit 0 fi @@ -25,6 +30,6 @@ mkdir -m 0750 -p '/var/lib/google-sudoers.d' mkdir -m 0750 -p '/var/lib/google-users.d' ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd' ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf' -ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config' +ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf' ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers' ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf' diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r5.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r5.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh index 75f2a0f81c6..879f94faee6 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh 
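Review bot: The new gate `grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'` only proves that some line contains that exact string: it accepts a commented-out Include, rejects equivalent spellings (unquoted path, different whitespace), and unlike the symlink check it replaces it no longer establishes that sshd_config is unmodified, so a locally added `AuthorizedKeysCommand` placed before the Include line would silently win over 60-flatcar-google-oslogin.conf under sshd's first-value rule. Anchoring the match helps with the first two, e.g. `grep --extended-regexp --no-messages --silent '^[[:space:]]*Include[[:space:]]+"?/etc/ssh/sshd_config\.d/\*\.conf"?' '/etc/ssh/sshd_config'`, and the message printed on failure should say that the Include must be active and precede other directives. The added `[[ ! -d ... ]]` test mixes bash syntax with the `[ ... ]` tests used elsewhere in this script; pick one form. The script's shebang and the remainder of its body are outside the hunk.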
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh @@ -1,12 +1,9 @@ -# We install these with our chromeos-base package. +# Do not install the setuid file in production images. +# +# Do not install the config snippet that defines a subsystem. We have +# our own definition in coreos-init. if [[ $(cros_target) != "cros_host" ]] ; then - openssh_mask=" - /etc/ssh/ssh_config - /etc/ssh/sshd_config - /etc/ssh/ssh_config.d - /etc/ssh/sshd_config.d - /usr/lib*/misc/ssh-keysign - " + openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf" PKG_INSTALL_MASK+=" ${openssh_mask}" INSTALL_MASK+=" ${openssh_mask}" unset openssh_mask diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index c70a2636a84..570a72c1424 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest 
@@ -1,2 +1,2 @@ -DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35 -DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a +DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25 +DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch deleted file mode 100644 index b50ac7c0018..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- a/gss-serv.c -+++ b/gss-serv.c -@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); - -- if (gethostname(lname, MAXHOSTNAMELEN)) { -+ if (gethostname(lname, HOST_NAME_MAX)) { - gss_release_oid_set(&status, &oidset); - return (-1); - } diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch deleted file mode 100644 index b571ae253ff..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -https://bugzilla.mindrot.org/show_bug.cgi?id=3548 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver) - if (headerver == libver) - return 1; - -- /* for versions < 1.0.0, major,minor,fix,status must match */ -- if (headerver < 0x1000000f) { -- mask = 0xfffff00fL; /* major,minor,fix,status */ -- return (headerver & mask) == (libver & mask); -+ /* -+ * For versions < 3.0.0, major,minor,status must match and library -+ * fix version must be equal to or newer than the header. -+ */ -+ if (headerver < 0x3000000f) { -+ mask = 0xfff0000fL; /* major,minor,status */ -+ hfix = (headerver & 0x000ff000) >> 12; -+ lfix = (libver & 0x000ff000) >> 12; -+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix) -+ return 1; - } - - /* -- * For versions >= 1.0.0, major,minor,status must match and library -- * fix version must be equal to or newer than the header. -+ * For versions >= 3.0.0, major must match and minor,status must be -+ * equal to or greater than the header. 
- */ -- mask = 0xfff00000L; /* major,minor,status */ -- hfix = (headerver & 0x000ff000) >> 12; -- lfix = (libver & 0x000ff000) >> 12; -+ mask = 0xf000000fL; /* major, status */ -+ hfix = (headerver & 0x0ffffff0L) >> 12; -+ lfix = (libver & 0x0ffffff0L) >> 12; - if ( (headerver & mask) == (libver & mask) && lfix >= hfix) - return 1; - return 0; ---- a/openbsd-compat/regress/opensslvertest.c -+++ b/openbsd-compat/regress/opensslvertest.c -@@ -31,7 +31,7 @@ struct version_test { - { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ - { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ - { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ -- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ -+ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */ - { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ - { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ - -@@ -41,7 +41,7 @@ struct version_test { - { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ - { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ - { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ -- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ -+ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */ - { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ - { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ - }; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch new file mode 100644 index 00000000000..f1336bbe038 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch 
@@ -0,0 +1,21 @@ +https://bugs.gentoo.org/912766 +https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621 + +From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 19 Aug 2023 07:39:08 +1000 +Subject: [PATCH] Fix zlib version check for 1.3 and future version. + +bz#3604. +--- a/configure.ac ++++ b/configure.ac +@@ -1464,7 +1464,7 @@ else + [[ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); +- if (n != 3 && n != 4) ++ if (n < 1) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket index d19f34be865..94b9533180d 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild index 8f01a48dc71..baac0b99568 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild 
@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" @@ -86,8 +86,7 @@ PATCHES=( "${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch" "${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch" "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044 - "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" + "${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766 ) pkg_pretend() { @@ -100,6 +99,9 @@ pkg_pretend() { done if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," ewarn "since these USE flags required third-party patches that often trigger bugs" @@ -228,7 +230,7 @@ src_test() { } insert_include() { - local src_config=${1} options=${2} includedir=${3} + local src_config="${1}" options="${2}" includedir="${3}" local name copy regexp_options regexp lineno comment_options name=${src_config##*/} 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index c6f276fe7c4..966eb183bba 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -58,6 +58,9 @@ # Required for addressing CVE-2023-38039. =net-misc/curl-8.3.0 ~amd64 ~arm64 +# Required to allow us to override the sftp subsystem in sshd config. +=net-misc/openssh-9.4_p1 ~amd64 ~arm64 + # Keep versions on both arches in sync. =net-nds/openldap-2.6.4-r1 ~amd64 =sec-policy/selinux-base-2.20200818-r3 ~arm64 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 71dfb579f23..eac7fcf10e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use @@ -6,6 +6,10 @@ app-admin/sudo ldap sssd app-editors/vim minimal -crypt # minimal: Don't pull app-vim/gentoo-syntax app-editors/vim-core minimal + +# Install our modifications and compatibility symlinks for ssh +coreos-base/misc-files openssh + dev-lang/python gdbm dev-libs/dbus-glib tools dev-libs/elfutils -utils diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf new file mode 100644 index 00000000000..d9f62661bf3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf 
@@ -0,0 +1,3 @@ +# Needed for google oslogin +AuthorizedKeysCommand /usr/libexec/google_authorized_keys +AuthorizedKeysCommandUser root diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config index 5b174fcad4a..7b51b214e4d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config @@ -1,5 +1,7 @@ +# This is an old SSHD config file, unused in new Flatcar +# installations. We provide it for backward compatibility. + # Use most defaults for sshd configuration. -# Keep this in sync with coreos/init/configs/sshd_config Subsystem sftp internal-sftp ClientAliveInterval 180 UseDNS no diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild index e0799cc036a..679e0c0b3a8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild @@ -49,6 +49,7 @@ src_install() { # config files the base Ignition config will create links to insinto /usr/share/google-oslogin doins "${FILESDIR}/sshd_config" + doins "${FILESDIR}/60-flatcar-google-oslogin.conf" doins "${FILESDIR}/nsswitch.conf" doins "${FILESDIR}/pam_sshd" doins "${FILESDIR}/oslogin-sudoers"