
Move net-misc/openssh from overlay to portage-stable, configuration changes #945

Sep 29, 2023
1 change: 1 addition & 0 deletions changelog/changes/2023-09-29-openssh-update.md
@@ -0,0 +1 @@
- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively.
1 change: 1 addition & 0 deletions changelog/updates/2023-09-29-openssh-update.md
@@ -0,0 +1 @@
- openssh ([9.4p1](https://www.openssh.com/releasenotes.html#9.4p1))
@@ -1,4 +1,4 @@
From 90b28746c0d8698a080eb7082e0e14054aee0a02 Mon Sep 17 00:00:00 2001
From dd1512513b407e23155f58400cacecac8576d6f9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <[email protected]>
Date: Mon, 27 Feb 2023 15:59:21 +0100
Subject: [PATCH] flatcar changes
Expand All @@ -7,12 +7,12 @@ Subject: [PATCH] flatcar changes
azurelinuxagent/common/osutil/coreos.py | 39 +-----
azurelinuxagent/common/osutil/coreoscommon.py | 57 ++++++++
azurelinuxagent/common/osutil/factory.py | 3 +
azurelinuxagent/common/osutil/flatcar.py | 41 ++++++
azurelinuxagent/common/osutil/flatcar.py | 60 +++++++++
config/flatcar/waagent.conf | 122 ++++++++++++++++++
init/flatcar/10-waagent-sysext.conf | 2 +
init/flatcar/waagent.service | 30 +++++
setup.py | 20 ++-
8 files changed, 272 insertions(+), 42 deletions(-)
8 files changed, 291 insertions(+), 42 deletions(-)
create mode 100644 azurelinuxagent/common/osutil/coreoscommon.py
create mode 100644 azurelinuxagent/common/osutil/flatcar.py
create mode 100644 config/flatcar/waagent.conf
Expand Down Expand Up @@ -164,10 +164,10 @@ index b5ee0b09..9280c645 100644
if distro_name in ("suse", "sle_hpc", "sles", "opensuse"):
diff --git a/azurelinuxagent/common/osutil/flatcar.py b/azurelinuxagent/common/osutil/flatcar.py
new file mode 100644
index 00000000..3d1bf535
index 00000000..bf739a8e
--- /dev/null
+++ b/azurelinuxagent/common/osutil/flatcar.py
@@ -0,0 +1,41 @@
@@ -0,0 +1,60 @@
+#
+# Copyright 2023 Microsoft Corporation
+#
Expand All @@ -187,28 +187,47 @@ index 00000000..3d1bf535
+#
+
+import os
+import os.path
+import shutil
+import stat
+
+import azurelinuxagent.common.conf as conf
+import azurelinuxagent.common.logger as logger
+import azurelinuxagent.common.utils.fileutil as fileutil
+
+from azurelinuxagent.common.osutil.coreoscommon import CoreosCommonUtil
+
+
+class FlatcarUtil(CoreosCommonUtil):
+
+ @staticmethod
+ def get_systemd_unit_file_install_path():
+ return "/usr/lib/systemd/system"
+
+ def conf_sshd(self, disable_password):
+ # make sure that the config file stops being a symlink
+ conf_file_path = conf.get_sshd_conf_file_path()
+ conf_file_path2 = f"{conf_file_path}.wal.tmp"
+ shutil.copy(conf_file_path, conf_file_path2)
+ os.remove(conf_file_path)
+ os.rename(conf_file_path2, conf_file_path)
+ super(CoreosCommonUtil, self).conf_sshd(disable_password)
+ pass
+ ssh_dir = conf.get_ssh_dir()
+ snippet_dir = os.path.join(ssh_dir, "sshd_config.d")
+ statinfo = os.lstat(snippet_dir)
+ if stat.S_ISDIR(statinfo.st_mode):
+ # This adds a configuration snippet that will be loaded by
+ # openssh.
+ snippet_file = os.path.join(snippet_dir, "80-flatcar-walinuxagent.conf")
+ option = "no" if disable_password else "yes"
+ lines = [
+ f"PasswordAuthentication {option}",
+ f"ChallengeResponseAuthentication {option}",
+ f"ClientAliveInterval {str(conf.get_ssh_client_alive_interval())}"
+ ]
+ fileutil.write_file(snippet_file, "\n".join(lines))
+ logger.info("Added a configuration snippet {0} SSH password-based authentication methods. It also configures SSH client probing to keep connections alive."
+ .format("disabling" if disable_password else "enabling"))
+ else:
+ # Make sure that the config file stops being a symlink.
+ conf_file_path = conf.get_sshd_conf_file_path()
+ conf_file_path2 = f"{conf_file_path}.wal.tmp"
+ shutil.copy(conf_file_path, conf_file_path2)
+ os.remove(conf_file_path)
+ os.rename(conf_file_path2, conf_file_path)
+ super(CoreosCommonUtil, self).conf_sshd(disable_password)
diff --git a/config/flatcar/waagent.conf b/config/flatcar/waagent.conf
new file mode 100644
index 00000000..b453c634
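Review bot: `os.lstat(snippet_dir)` raises FileNotFoundError when `/etc/ssh/sshd_config.d` is absent, so the `else` branch that rewrites the legacy symlinked `sshd_config` is unreachable on exactly the old installations it exists for; `if os.path.isdir(snippet_dir):` keeps the fallback reachable (or wrap the lstat in `try/except FileNotFoundError` if not following a symlinked directory is deliberate) and makes `import stat` unnecessary. sshd keeps the first value it obtains for each keyword and processes the Include glob in sorted order, so the `ClientAliveInterval` written into `80-flatcar-walinuxagent.conf` appears to be shadowed by the `ClientAliveInterval 180` that this PR's `50-flatcar-sshd.conf` sets earlier; worth confirming, and a comment above `snippet_file` should state the precedence the `80-` prefix is meant to have. The same first-value rule applies to the `60-flatcar-google-oslogin.conf` symlink added in the OS Login script later in this PR.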

This file was deleted.

Expand Up @@ -10,11 +10,11 @@ CROS_WORKON_REPO="https://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
else
CROS_WORKON_COMMIT="1b5a096a4d91076d0121308caa5c7dbe40f7aafe" # flatcar-master
CROS_WORKON_COMMIT="22c07b1270fb2f40dedef00f0d0fb1699727d995" # flatcar-master
KEYWORDS="amd64 arm arm64 x86"
fi

PYTHON_COMPAT=( python3_{6..11} )
PYTHON_COMPAT=( python3_{9..11} )

inherit cros-workon systemd python-any-r1

Expand All @@ -24,9 +24,7 @@ SRC_URI=""

LICENSE="BSD"
SLOT="0/${PVR}"
IUSE="test symlink-usr"

REQUIRED_USE="symlink-usr"
IUSE="test"

# Daemons we enable here must installed during build/install in addition to
# during runtime so the systemd unit enable step works.
Expand All @@ -47,9 +45,6 @@ RDEPEND="${DEPEND}
src_install() {
emake DESTDIR="${D}" install

# Enable some sockets that aren't enabled by their own ebuilds.
systemd_enable_service sockets.target sshd.socket

# Enable some services that aren't enabled elsewhere.
systemd_enable_service rpcbind.target rpcbind.service

@@ -0,0 +1 @@
# Use defaults for ssh client system-wide configuration.
@@ -0,0 +1,26 @@
# Use most defaults for sshd configuration.
Subsystem sftp internal-sftp
ClientAliveInterval 180

# These are either defaults or already set up by config generated by
# the Gentoo ebuild. But we need to keep them, as the older
# installations may still use the old symlink from
# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
#
# BEGIN SETTINGS KEPT FOR COMPATIBILITY
UseDNS no
UsePAM yes
# handled by PAM
PrintLastLog no
# handled by PAM
PrintMotd no
# END SETTINGS KEPT FOR COMPATIBILITY

Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
# until most ssh clients could deprecate ssh-rsa.
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
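Review bot: `HostkeyAlgorithms +ssh-rsa` and `PubkeyAcceptedAlgorithms +ssh-rsa` re-enable the SHA-1 RSA signature scheme that OpenSSH disabled by default in 8.8, and the comment calls this temporary without naming what would end it. Since this file ships in a default config snippet that also stands in for the whole `sshd_config` on old installations via the `/usr/share/ssh/sshd_config` compat symlink, the exception deserves a tracking reference and a removal criterion, e.g. `# TODO(<owner>): drop the ssh-rsa exceptions once <tracking issue> shows clients no longer need them.` The rsa-sha2-* schemes remain available to RSA keys, so the comment could also say that only the SHA-1 signature variant is being kept.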
@@ -0,0 +1,2 @@
[Socket]
TriggerLimitBurst=0
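Review bot: `TriggerLimitBurst=0` switches off systemd's activation rate limit on `sshd.socket`, the guard that would otherwise throttle a burst of incoming connections under `Accept=yes`, and the drop-in carries no comment saying why Flatcar wants that. The reason lives only in the flatcar-misc ebuild that installs it; a header such as `# Disable the activation rate limit on sshd.socket; previously set in coreos-init's sshd.socket unit.` would let a reader of the installed drop-in understand the override without tracing the ebuild.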
Expand Up @@ -4,21 +4,32 @@
EAPI=8

TMPFILES_OPTIONAL=1
inherit tmpfiles
inherit systemd tmpfiles

DESCRIPTION='Flatcar miscellaneous files'
HOMEPAGE='https://www.flatcar.org/'

LICENSE='Apache-2.0'
SLOT='0'
KEYWORDS='amd64 arm64'
IUSE="openssh"

# No source directory.
S="${WORKDIR}"

# Versions listed below are version of packages that shedded the
# modifications in their ebuilds.
#
# net-misc/openssh must be installed on host for enabling its unit to
# work during installation.
DEPEND="
openssh? ( >=net-misc/openssh-9.4_p1 )
"

# Versions listed below are version of packages that shedded the
# modifications in their ebuilds.
RDEPEND="
${DEPEND}
>=app-shells/bash-5.2_p15-r2
"

Expand Down Expand Up @@ -56,7 +67,7 @@ src_install() {
# /etc will be moved in its place.
#
# These links exist because old installations can still have
# references to `/usr/share/(bash|skel)`.
# references to them.
local -A compat_symlinks
compat_symlinks=(
['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout'
Expand All @@ -68,6 +79,12 @@ src_install() {
['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
)
if use openssh; then
compat_symlinks+=(
['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
)
fi

local link target
for link in "${!compat_symlinks[@]}"; do
Expand Down Expand Up @@ -106,4 +123,23 @@ src_install() {
dosym "${target}" "${link}"
fowners --no-dereference 500:500 "${link}"
done

if use openssh; then
# Install our configuration snippets.
insinto /etc/ssh/ssh_config.d
doins "${FILESDIR}/50-flatcar-ssh.conf"
insinto /etc/ssh/sshd_config.d
doins "${FILESDIR}/50-flatcar-sshd.conf"

# Install our socket drop-in file that disables the rate
# limiting on the sshd socket.
local override_dir
override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
dodir "${override_dir}"
insinto "${override_dir}"
doins "${FILESDIR}/no-trigger-limit-burst.conf"

# Enable some sockets that aren't enabled by their own ebuilds.
systemd_enable_service sockets.target sshd.socket
fi
}
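Review bot: `dodir "${override_dir}"` in the `use openssh` block is redundant, since `doins` creates the `insinto` directory itself; dropping it leaves `insinto "${override_dir}"` followed by `doins "${FILESDIR}/no-trigger-limit-burst.conf"`. The new compat symlink makes `/usr/share/ssh/sshd_config` point at a snippet rather than a full config, so an old installation whose `/etc/ssh/sshd_config` is still that symlink runs sshd on the contents of `50-flatcar-sshd.conf` alone and, as that file has no `Include`, never reads `/etc/ssh/sshd_config.d`; the `SETTINGS KEPT FOR COMPATIBILITY` block suggests this is understood, but the rewritten comment `# references to them.` no longer says what the links exist for, and a sentence naming that trade-off there would help the next maintainer.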
Expand Up @@ -13,8 +13,13 @@ if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf
exit 0
fi

if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
exit 0
fi

if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
exit 0
fi

Expand All @@ -25,6 +30,6 @@ mkdir -m 0750 -p '/var/lib/google-sudoers.d'
mkdir -m 0750 -p '/var/lib/google-users.d'
ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
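Review bot: the `grep --fixed-strings` check for `Include "/etc/ssh/sshd_config.d/*.conf"` also matches a commented-out `#Include "..."` line, so the script can go on to link `60-flatcar-google-oslogin.conf` into a directory sshd never reads, while an unquoted `Include /etc/ssh/sshd_config.d/*.conf` makes it fail closed. Anchoring on an active directive handles both: `grep --extended-regexp --no-messages --silent '^[[:space:]]*Include[[:space:]]+"?/etc/ssh/sshd_config\.d/\*\.conf"?' '/etc/ssh/sshd_config'`. The new test uses `[[ ... ]]` while the surrounding checks use `[ ... ]`; picking one form keeps the script consistent.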
@@ -1,12 +1,9 @@
# We install these with our chromeos-base package.
# Do not install the setuid file in production images.
#
# Do not install the config snippet that defines a subsystem. We have
# our own definition in coreos-init.
if [[ $(cros_target) != "cros_host" ]] ; then
openssh_mask="
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_config.d
/etc/ssh/sshd_config.d
/usr/lib*/misc/ssh-keysign
"
openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf"
PKG_INSTALL_MASK+=" ${openssh_mask}"
INSTALL_MASK+=" ${openssh_mask}"
unset openssh_mask
@@ -1,2 +1,2 @@
DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a

This file was deleted.

This file was deleted.

@@ -0,0 +1,21 @@
https://bugs.gentoo.org/912766
https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621

From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
From: Darren Tucker <[email protected]>
Date: Sat, 19 Aug 2023 07:39:08 +1000
Subject: [PATCH] Fix zlib version check for 1.3 and future version.

bz#3604.
--- a/configure.ac
+++ b/configure.ac
@@ -1464,7 +1464,7 @@ else
[[
int a=0, b=0, c=0, d=0, n, v;
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (n != 3 && n != 4)
+ if (n < 1)
exit(1);
v = a*1000000 + b*10000 + c*100 + d;
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

Expand Up @@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
TriggerLimitBurst=0

[Install]
WantedBy=sockets.target