-rw-r--r--.SRCINFO85
-rw-r--r--.nvchecker.toml5
-rw-r--r--99-archlinux.conf4
-rw-r--r--PKGBUILD220
-rw-r--r--keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc51
-rw-r--r--openssh.tmpfiles9
-rw-r--r--ssh-agent.service15
-rw-r--r--sshd.conf1
-rw-r--r--sshd.pam2
-rw-r--r--sshd.service3
-rw-r--r--sshd.socket10
-rw-r--r--sshd@.service9
-rw-r--r--sshdgenkeys.service2
13 files changed, 291 insertions, 125 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 19a4919c8606..8957f0a25ab1 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,43 +1,76 @@
pkgbase = openssh-selinux
- pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
- pkgver = 7.9p1
- pkgrel = 1
+ pkgdesc = SSH protocol implementation for remote login, command execution and file transfer, with SELinux support
+ pkgver = 9.7p1
+ pkgrel = 2
url = https://www.openssh.com/portable.html
arch = x86_64
+ arch = aarch64
groups = selinux
- license = custom:BSD
+ license = BSD-2-Clause
+ license = BSD-3-Clause
+ license = ISC
+ license = LicenseRef-Public-Domain
+ license = MIT
+ makedepends = krb5
+ makedepends = libedit
+ makedepends = libfido2
+ makedepends = libxcrypt
makedepends = linux-headers
- depends = krb5
- depends = openssl
- depends = libedit
- depends = ldns
+ makedepends = openssl
+ makedepends = pam
+ makedepends = zlib
+ depends = glibc
depends = libselinux
- optdepends = xorg-xauth: X11 forwarding
+ optdepends = libfido2: FIDO/U2F support
+ optdepends = sh: for ssh-copy-id and findssl.sh
optdepends = x11-ssh-askpass: input passphrase in X
- provides = openssh=7.9p1-1
- provides = selinux-openssh=7.9p1-1
+ optdepends = xorg-xauth: X11 forwarding
+ provides = openssh=9.7p1-2
+ provides = selinux-openssh=9.7p1-2
conflicts = openssh
conflicts = selinux-openssh
+ backup = etc/pam.d/sshd
backup = etc/ssh/ssh_config
backup = etc/ssh/sshd_config
- backup = etc/pam.d/sshd
- source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
- source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz.asc
+ source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
+ source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz.asc
+ source = 99-archlinux.conf
+ source = openssh.tmpfiles
source = sshdgenkeys.service
- source = sshd@.service
source = sshd.service
- source = sshd.socket
- source = sshd.conf
+ source = ssh-agent.service
source = sshd.pam
- validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
- sha256sums = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
+ validpgpkeys = 7168B983815A5EEF59A4ADFD2A3F414E736060BA
+ sha256sums = 490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd
sha256sums = SKIP
- sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7
- sha256sums = 3a0845737207f4eda221c9c9fb64e766ade9684562d8ba4f705f7ae6826886e5
- sha256sums = c5ed9fa629f8f8dbf3bae4edbad4441c36df535088553fe82695c52d7bde30aa
- sha256sums = de14363e9d4ed92848e524036d9e6b57b2d35cc77d377b7247c38111d2a3defd
- sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
- sha256sums = 64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846
+ sha256sums = 78b806c38bc1e246daaa941bfe7880e6eb6f53f093bea5d5868525ae6d223d30
+ sha256sums = 975904668c3c98fff5dbf840717ae959593fa05e90e215e67bf7ee24369d6369
+ sha256sums = e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611
+ sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
+ sha256sums = b3b1e4f7af169cd5fccdcdf9538ef37fc919c79a9905f797925153a94e723998
+ sha256sums = 633e24cbfcb045ba777d3e06d5f85dfaa06d44f4727d38c7fb2187c57498221d
+ b2sums = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b
+ b2sums = SKIP
+ b2sums = 1ff8cd4ae22efed2b4260f1e518de919c4b290be4e0b5edbc8e2225ffe63788678d1961e6f863b85974c4697428ee827bcbabad371cfc91cc8b36eae9402eb97
+ b2sums = 43bf32158d6b14cf298e5e92a54d93577d6a45b32b3c0fad7a3722e55a53e446fd30df10002bc945c71528904bb397aaadc4f439dd81e5a87263a31b1daa7fc2
+ b2sums = 09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50
+ b2sums = 07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e
+ b2sums = 046ea6bd6aa00440991e5f7998db33864a7baa353ec6071f96a3ccb5cca5b548cb9e75f9dee56022ca39daa977d18452851d91e6ba36a66028b84b375ded9bc5
+ b2sums = 1d24cc029eccf71cee54dda84371cf9aa8d805433e751575ab237df654055dd869024b50facd8b73390717e63100c76bca28b493e0c8be9791c76a2e0d60990a
pkgname = openssh-selinux
-
+ depends = glibc
+ depends = libselinux
+ depends = krb5
+ depends = libkrb5.so
+ depends = libgssapi_krb5.so
+ depends = libedit
+ depends = libedit.so
+ depends = libxcrypt
+ depends = libcrypt.so
+ depends = openssl
+ depends = libcrypto.so
+ depends = pam
+ depends = libpam.so
+ depends = zlib
+ depends = libz.so
diff --git a/.nvchecker.toml b/.nvchecker.toml
new file mode 100644
index 000000000000..fcb03c9f5351
--- /dev/null
+++ b/.nvchecker.toml
@@ -0,0 +1,5 @@
+[openssh]
+source = "git"
+git = "https://github.com/openssh/openssh-portable"
+from_pattern = 'V_(\d+)_(\d+)_P(\d+)'
+to_pattern = '\1.\2p\3'
diff --git a/99-archlinux.conf b/99-archlinux.conf
new file mode 100644
index 000000000000..365f1151f2d9
--- /dev/null
+++ b/99-archlinux.conf
@@ -0,0 +1,4 @@
+# sshd_config defaults on Arch Linux
+KbdInteractiveAuthentication no
+UsePAM yes
+PrintMotd no
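Review bot: The three settings in this drop-in carry no rationale, and the explanation the removed sed in PKGBUILD gave for `PrintMotd no` ("pam does that") is lost with it. I would restore it as a full-line comment above the keyword, e.g. `# PAM already prints the motd, so sshd must not print it a second time`. The header could also state the precedence rule: sshd uses the first value it obtains for each keyword, so these defaults apply only because prepare() puts the `Include /etc/ssh/sshd_config.d/*.conf` line at the top of sshd_config, and any drop-in that sorts before `99-` overrides them.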
diff --git a/PKGBUILD b/PKGBUILD
index b11bbcff8264..02c67bb5c91c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,4 +1,7 @@
-# Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Maintainer: David Runge <dvzrv@archlinux.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Maintainer: Giancarlo Razzolini <grazzolini@archlinux.org>
+# Contributor: Gaetan Bisson <bisson@archlinux.org>
# Contributor: Aaron Griffin <aaron@archlinux.org>
# Contributor: judd <jvinet@zeroflux.org>
# SELinux Maintainer: Nicolas Iooss (nicolas <dot> iooss <at> m4x <dot> org)
@@ -9,96 +12,167 @@
# If you want to help keep it up to date, please open a Pull Request there.
pkgname=openssh-selinux
-pkgver=7.9p1
-pkgrel=1
-pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support'
+pkgver=9.7p1
+pkgrel=2
+pkgdesc="SSH protocol implementation for remote login, command execution and file transfer, with SELinux support"
+arch=(x86_64 aarch64)
url='https://www.openssh.com/portable.html'
-license=('custom:BSD')
-arch=('x86_64')
-makedepends=('linux-headers')
-depends=('krb5' 'openssl' 'libedit' 'ldns' 'libselinux')
-optdepends=('xorg-xauth: X11 forwarding'
- 'x11-ssh-askpass: input passphrase in X')
+license=(
+ BSD-2-Clause
+ BSD-3-Clause
+ ISC
+ LicenseRef-Public-Domain
+ MIT
+)
+depends=(
+ glibc
+ libselinux
+)
+makedepends=(
+ krb5
+ libedit
+ libfido2
+ libxcrypt
+ linux-headers
+ openssl
+ pam
+ zlib
+)
+optdepends=(
+ 'libfido2: FIDO/U2F support'
+ 'sh: for ssh-copy-id and findssl.sh'
+ 'x11-ssh-askpass: input passphrase in X'
+ 'xorg-xauth: X11 forwarding'
+)
+backup=(
+ etc/pam.d/sshd
+ etc/ssh/ssh_config
+ etc/ssh/sshd_config
+)
conflicts=("${pkgname/-selinux}" "selinux-${pkgname/-selinux}")
provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}"
"selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}")
groups=('selinux')
-validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
-source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc}
- 'sshdgenkeys.service'
- 'sshd@.service'
- 'sshd.service'
- 'sshd.socket'
- 'sshd.conf'
- 'sshd.pam')
-sha256sums=('6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad'
+source=(
+ https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz{,.asc}
+ 99-archlinux.conf
+ ${pkgname/-selinux}.tmpfiles
+ sshdgenkeys.service
+ sshd.service
+ ssh-agent.service
+ sshd.pam
+)
+sha256sums=('490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd'
'SKIP'
- '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
- '3a0845737207f4eda221c9c9fb64e766ade9684562d8ba4f705f7ae6826886e5'
- 'c5ed9fa629f8f8dbf3bae4edbad4441c36df535088553fe82695c52d7bde30aa'
- 'de14363e9d4ed92848e524036d9e6b57b2d35cc77d377b7247c38111d2a3defd'
- '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
- '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846')
+ '78b806c38bc1e246daaa941bfe7880e6eb6f53f093bea5d5868525ae6d223d30'
+ '975904668c3c98fff5dbf840717ae959593fa05e90e215e67bf7ee24369d6369'
+ 'e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611'
+ 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
+ 'b3b1e4f7af169cd5fccdcdf9538ef37fc919c79a9905f797925153a94e723998'
+ '633e24cbfcb045ba777d3e06d5f85dfaa06d44f4727d38c7fb2187c57498221d')
+b2sums=('520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b'
+ 'SKIP'
+ '1ff8cd4ae22efed2b4260f1e518de919c4b290be4e0b5edbc8e2225ffe63788678d1961e6f863b85974c4697428ee827bcbabad371cfc91cc8b36eae9402eb97'
+ '43bf32158d6b14cf298e5e92a54d93577d6a45b32b3c0fad7a3722e55a53e446fd30df10002bc945c71528904bb397aaadc4f439dd81e5a87263a31b1daa7fc2'
+ '09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50'
+ '07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e'
+ '046ea6bd6aa00440991e5f7998db33864a7baa353ec6071f96a3ccb5cca5b548cb9e75f9dee56022ca39daa977d18452851d91e6ba36a66028b84b375ded9bc5'
+ '1d24cc029eccf71cee54dda84371cf9aa8d805433e751575ab237df654055dd869024b50facd8b73390717e63100c76bca28b493e0c8be9791c76a2e0d60990a')
+validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') # Damien Miller <djm@mindrot.org>
-backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+prepare() {
+ cd ${pkgname/-selinux}-$pkgver
+ # remove variable (but useless) first line in config (related to upstream VCS)
+ sed '/^#.*\$.*\$$/d' -i ssh{,d}_config
-build() {
- cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
-
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --libexecdir=/usr/lib/ssh \
- --sysconfdir=/etc/ssh \
- --with-ldns \
- --with-libedit \
- --with-ssl-engine \
- --with-pam \
- --with-privsep-user=nobody \
- --with-kerberos5=/usr \
- --with-xauth=/usr/bin/xauth \
- --with-md5-passwords \
- --with-pid-dir=/run \
- --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
- --with-selinux
-
- make
+ # prepend configuration option to include drop-in configuration files for sshd_config
+ printf "# Include drop-in configurations\nInclude /etc/ssh/sshd_config.d/*.conf\n" | cat - sshd_config > sshd_config.tmp
+ mv -v sshd_config.tmp sshd_config
+ # prepend configuration option to include drop-in configuration files for ssh_config
+ printf "# Include drop-in configurations\nInclude /etc/ssh/ssh_config.d/*.conf\n" | cat - ssh_config > ssh_config.tmp
+ mv -v ssh_config.tmp ssh_config
+
+ # extract separate licenses
+ sed -n '89,113p' LICENCE > ../rijndael.Public-Domain.txt
+ sed -n '116,145p' LICENCE > ../ssh.BSD-3-Clause.txt
+ sed -n '148,209p' LICENCE > ../BSD-2-Clause.txt
+ sed -n '213,218p' LICENCE > ../snprintf.Public-Domain.txt
+ sed -n '222,258p' LICENCE > ../openbsd-compat.BSD-3-Clause.txt
+ sed -n '260,278p' LICENCE > ../openbsd-compat.ISC.txt
+ sed -n '280,308p' LICENCE > ../openbsd-compat.MIT.txt
+ sed -n '280,308p' LICENCE > ../openbsd-compat.MIT.txt
+ sed -n '310,338p' LICENCE > ../blowfish.BSD-3-Clause.txt
+ sed -n '340,368p' LICENCE > ../replacement.BSD-2-Clause.txt
}
-check() {
- cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
+build() {
+ local configure_options=(
+ --prefix=/usr
+ --sbindir=/usr/bin
+ --libexecdir=/usr/lib/ssh
+ --sysconfdir=/etc/ssh
+ --disable-strip
+ --with-libedit
+ --with-security-key-builtin
+ --with-ssl-engine
+ --with-pam
+ --with-privsep-user=nobody
+ --with-kerberos5=/usr
+ --with-xauth=/usr/bin/xauth
+ --with-pid-dir=/run
+ --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin'
+ --without-zlib-version-check
+ --with-selinux
+ )
- # Tests require openssh to be already installed system-wide,
- # also connectivity tests will fail under makechrootpkg since
- # it runs as nobody which has /bin/false as login shell.
+ cd ${pkgname/-selinux}-$pkgver
- if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
- make tests
- fi
+ ./configure "${configure_options[@]}"
+ make
+}
+
+check() {
+ # NOTE: make t-exec does not work in our build environment
+ make file-tests interop-tests unit -C ${pkgname/-selinux}-$pkgver
}
package() {
- cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
+ depends+=(
+ krb5 libkrb5.so libgssapi_krb5.so
+ libedit libedit.so
+ libxcrypt libcrypt.so
+ openssl libcrypto.so
+ pam libpam.so
+ zlib libz.so
+ )
+
+ cd ${pkgname/-selinux}-$pkgver
+
+ make DESTDIR="$pkgdir" install
- make DESTDIR="${pkgdir}" install
+ install -vDm 644 ../99-archlinux.conf -t "$pkgdir/etc/ssh/sshd_config.d/"
+ install -vdm 755 "$pkgdir/etc/ssh/ssh_config.d"
- ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
- install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+ install -Dm644 LICENCE -t "$pkgdir/usr/share/licenses/${pkgname/-selinux}/"
+ install -Dm644 ../*.txt -t "$pkgdir/usr/share/licenses/${pkgname/-selinux}/"
- install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
- install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
- install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
- install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
- install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
- install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+ install -Dm644 ../sshdgenkeys.service -t "$pkgdir"/usr/lib/systemd/system/
+ install -Dm644 ../sshd.service -t "$pkgdir"/usr/lib/systemd/system/
+ install -Dm644 ../ssh-agent.service -t "$pkgdir"/usr/lib/systemd/user/
+ install -Dm644 ../sshd.pam "$pkgdir"/etc/pam.d/sshd
- install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
- install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
- install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+ # factory files
+ install -Dm644 ../sshd.pam "$pkgdir"/usr/share/factory/etc/pam.d/sshd
+ install -Dm644 "$pkgdir/etc/ssh/moduli" -t "$pkgdir"/usr/share/factory/etc/ssh/
+ install -Dm644 "$pkgdir/etc/ssh/ssh_config" -t "$pkgdir"/usr/share/factory/etc/ssh/
+ install -Dm644 "$pkgdir/etc/ssh/sshd_config" -t "$pkgdir"/usr/share/factory/etc/ssh/
+ install -vDm 644 ../99-archlinux.conf -t "$pkgdir/usr/share/factory/etc/ssh/sshd_config.d/"
- sed \
- -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
- -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
- -e '/^#UsePAM no$/c UsePAM yes' \
- -i "${pkgdir}"/etc/ssh/sshd_config
+ install -vDm 644 ../${pkgname/-selinux}.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/${pkgname/-selinux}.conf"
+
+ install -Dm755 contrib/findssl.sh -t "$pkgdir"/usr/bin/
+ install -Dm755 contrib/ssh-copy-id -t "$pkgdir"/usr/bin/
+ install -Dm644 contrib/ssh-copy-id.1 -t "$pkgdir"/usr/share/man/man1/
}
+
+# vim: ts=2 sw=2 et:
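Review bot: The licence extraction in prepare() depends on fixed line ranges of upstream's LICENCE (`sed -n '89,113p'` and the lines after it), so a later pkgver bump that shifts the file would silently ship wrong or truncated licence texts. The line `sed -n '280,308p' LICENCE > ../openbsd-compat.MIT.txt` also appears twice. I would drop the duplicate and add a comment above the block, e.g. `# line ranges match LICENCE as shipped in ${pkgver}; re-check on every version bump`. Relatedly, package() installs `../*.txt`, which picks up any other .txt file that happens to sit in $srcdir, so listing the extracted files by name or writing them into a dedicated directory would be tighter.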
diff --git a/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc b/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc
new file mode 100644
index 000000000000..cbe47db371b8
--- /dev/null
+++ b/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=NtKR
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/openssh.tmpfiles b/openssh.tmpfiles
new file mode 100644
index 000000000000..0bf3870972f2
--- /dev/null
+++ b/openssh.tmpfiles
@@ -0,0 +1,9 @@
+C /etc/pam.d/sshd
+C /etc/ssh/moduli
+C /etc/ssh/ssh_config
+C /etc/ssh/sshd_config
+C /etc/ssh/sshd_config.d/99-archlinux.conf
+
+d /etc/ssh/ssh_config.d
+d /etc/ssh/sshd_config.d
+d /var/empty
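Review bot: `d /var/empty` drops the explicit `0755 root root` that the removed sshd.conf carried for the same path, so the mode and ownership of this directory now rest on tmpfiles.d defaults. For the system instance the defaults should give the same result, but this is presumably sshd's privilege-separation directory (the build keeps `--with-privsep-user=nobody`), which is expected to be root-owned and not writable by anyone else. I would keep that explicit: `d /var/empty 0755 root root`. The `C` lines could also get a one-line comment saying they copy from /usr/share/factory, which package() populates.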
diff --git a/ssh-agent.service b/ssh-agent.service
new file mode 100644
index 000000000000..4a5fe5543cce
--- /dev/null
+++ b/ssh-agent.service
@@ -0,0 +1,15 @@
+# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" to be set in environment
+[Unit]
+ConditionEnvironment=!SSH_AGENT_PID
+Description=OpenSSH key agent
+Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
+
+[Service]
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
+ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+PassEnvironment=SSH_AGENT_PID
+SuccessExitStatus=2
+Type=simple
+
+[Install]
+WantedBy=default.target
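Review bot: `PassEnvironment=SSH_AGENT_PID` looks like a no-op in this unit. package() installs it under /usr/lib/systemd/user/, and systemd.exec(5) describes PassEnvironment= as relevant only to the system manager; in addition, `ConditionEnvironment=!SSH_AGENT_PID` lets the unit start only when that variable is unset. I would drop the line or add a comment saying why it is kept. `SuccessExitStatus=2` also deserves a one-line comment above it, e.g. `# ssh-agent exits with status 2 when stopped by a signal` (inferred, so confirm against ssh-agent before committing the wording).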
diff --git a/sshd.conf b/sshd.conf
deleted file mode 100644
index ca2a393542e7..000000000000
--- a/sshd.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /var/empty 0755 root root
diff --git a/sshd.pam b/sshd.pam
index 7ecef084d07a..4efc1ee69389 100644
--- a/sshd.pam
+++ b/sshd.pam
@@ -1,5 +1,5 @@
#%PAM-1.0
-#auth required pam_securetty.so #disable remote root
+
auth include system-remote-login
account include system-remote-login
password include system-remote-login
diff --git a/sshd.service b/sshd.service
index 55ed95322da7..a893724f1767 100644
--- a/sshd.service
+++ b/sshd.service
@@ -12,6 +12,3 @@ Restart=always
[Install]
WantedBy=multi-user.target
-
-# This service file runs an SSH daemon that forks for each incoming connection.
-# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.
diff --git a/sshd.socket b/sshd.socket
deleted file mode 100644
index e09e328690fd..000000000000
--- a/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Conflicts=sshd.service
-Wants=sshdgenkeys.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
deleted file mode 100644
index 0201a9d5ff28..000000000000
--- a/sshd@.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=OpenSSH Per-Connection Daemon
-After=sshdgenkeys.service
-
-[Service]
-ExecStart=-/usr/bin/sshd -i
-StandardInput=socket
-StandardError=syslog
-KillMode=process
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
index cfb9f6aa17f1..83230084f5dd 100644
--- a/sshdgenkeys.service
+++ b/sshdgenkeys.service
@@ -1,7 +1,5 @@
[Unit]
Description=SSH Key Generation
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key