-rw-r--r-- | .SRCINFO | 81 | ||||
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .nvchecker.toml | 5 | ||||
-rw-r--r-- | 99-archlinux.conf | 4 | ||||
-rw-r--r-- | PKGBUILD | 246 | ||||
-rw-r--r-- | glibc-2.31.patch | 100 | ||||
-rw-r--r-- | install | 20 | ||||
-rw-r--r-- | keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc | 51 | ||||
-rw-r--r-- | openssh.tmpfiles | 9 | ||||
-rw-r--r-- | ssh-agent.service | 15 | ||||
-rw-r--r-- | sshd.conf | 1 | ||||
-rw-r--r-- | sshd.pam | 2 | ||||
-rw-r--r-- | sshdgenkeys.service | 2 |
13 files changed, 293 insertions, 244 deletions
@@ -1,41 +1,76 @@
 pkgbase = openssh-selinux
- pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
- pkgver = 8.2p1
- pkgrel = 1
+ pkgdesc = SSH protocol implementation for remote login, command execution and file transfer, with SELinux support
+ pkgver = 9.7p1
+ pkgrel = 2
 url = https://www.openssh.com/portable.html
- install = install
 arch = x86_64
+ arch = aarch64
 groups = selinux
- license = custom:BSD
+ license = BSD-2-Clause
+ license = BSD-3-Clause
+ license = ISC
+ license = LicenseRef-Public-Domain
+ license = MIT
+ makedepends = krb5
+ makedepends = libedit
+ makedepends = libfido2
+ makedepends = libxcrypt
 makedepends = linux-headers
- makedepends = git
- depends = krb5
- depends = openssl
- depends = libedit
- depends = ldns
+ makedepends = openssl
+ makedepends = pam
+ makedepends = zlib
+ depends = glibc
 depends = libselinux
- optdepends = xorg-xauth: X11 forwarding
+ optdepends = libfido2: FIDO/U2F support
+ optdepends = sh: for ssh-copy-id and findssl.sh
 optdepends = x11-ssh-askpass: input passphrase in X
- provides = openssh=8.2p1-1
- provides = selinux-openssh=8.2p1-1
+ optdepends = xorg-xauth: X11 forwarding
+ provides = openssh=9.7p1-2
+ provides = selinux-openssh=9.7p1-2
 conflicts = openssh
 conflicts = selinux-openssh
+ backup = etc/pam.d/sshd
 backup = etc/ssh/ssh_config
 backup = etc/ssh/sshd_config
- backup = etc/pam.d/sshd
- source = git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1
+ source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
+ source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz.asc
+ source = 99-archlinux.conf
+ source = openssh.tmpfiles
 source = sshdgenkeys.service
 source = sshd.service
- source = sshd.conf
+ source = ssh-agent.service
 source = sshd.pam
- source = glibc-2.31.patch
- validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
+ validpgpkeys = 7168B983815A5EEF59A4ADFD2A3F414E736060BA
+ sha256sums = 
490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd
 sha256sums = SKIP
- sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7
+ sha256sums = 78b806c38bc1e246daaa941bfe7880e6eb6f53f093bea5d5868525ae6d223d30
+ sha256sums = 975904668c3c98fff5dbf840717ae959593fa05e90e215e67bf7ee24369d6369
+ sha256sums = e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611
 sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
- sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
- sha256sums = 64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846
- sha256sums = 25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93
+ sha256sums = b3b1e4f7af169cd5fccdcdf9538ef37fc919c79a9905f797925153a94e723998
+ sha256sums = 633e24cbfcb045ba777d3e06d5f85dfaa06d44f4727d38c7fb2187c57498221d
+ b2sums = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b
+ b2sums = SKIP
+ b2sums = 1ff8cd4ae22efed2b4260f1e518de919c4b290be4e0b5edbc8e2225ffe63788678d1961e6f863b85974c4697428ee827bcbabad371cfc91cc8b36eae9402eb97
+ b2sums = 43bf32158d6b14cf298e5e92a54d93577d6a45b32b3c0fad7a3722e55a53e446fd30df10002bc945c71528904bb397aaadc4f439dd81e5a87263a31b1daa7fc2
+ b2sums = 09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50
+ b2sums = 07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e
+ b2sums = 046ea6bd6aa00440991e5f7998db33864a7baa353ec6071f96a3ccb5cca5b548cb9e75f9dee56022ca39daa977d18452851d91e6ba36a66028b84b375ded9bc5
+ b2sums = 1d24cc029eccf71cee54dda84371cf9aa8d805433e751575ab237df654055dd869024b50facd8b73390717e63100c76bca28b493e0c8be9791c76a2e0d60990a

 pkgname = openssh-selinux
-
+ depends = glibc
+ depends = libselinux
+ depends = krb5
+ depends = libkrb5.so
+ depends = 
libgssapi_krb5.so
+ depends = libedit
+ depends = libedit.so
+ depends = libxcrypt
+ depends = libcrypt.so
+ depends = openssl
+ depends = libcrypto.so
+ depends = pam
+ depends = libpam.so
+ depends = zlib
+ depends = libz.so
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 5372489a586f..000000000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/openssh/
diff --git a/.nvchecker.toml b/.nvchecker.toml
new file mode 100644
index 000000000000..fcb03c9f5351
--- /dev/null
+++ b/.nvchecker.toml
@@ -0,0 +1,5 @@
+[openssh]
+source = "git"
+git = "https://github.com/openssh/openssh-portable"
+from_pattern = 'V_(\d+)_(\d+)_P(\d+)'
+to_pattern = '\1.\2p\3'
diff --git a/99-archlinux.conf b/99-archlinux.conf
new file mode 100644
index 000000000000..365f1151f2d9
--- /dev/null
+++ b/99-archlinux.conf
@@ -0,0 +1,4 @@
+# sshd_config defaults on Arch Linux
+KbdInteractiveAuthentication no
+UsePAM yes
+PrintMotd no
@@ -1,4 +1,7 @@
-# Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Maintainer: David Runge <dvzrv@archlinux.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Maintainer: Giancarlo Razzolini <grazzolini@archlinux.org>
+# Contributor: Gaetan Bisson <bisson@archlinux.org>
 # Contributor: Aaron Griffin <aaron@archlinux.org>
 # Contributor: judd <jvinet@zeroflux.org>
 # SELinux Maintainer: Nicolas Iooss (nicolas <dot> iooss <at> m4x <dot> org)
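Review bot: The new 99-archlinux.conf drop-in states neither its precedence nor why it sets these three options; sshd keeps the first value it obtains for a keyword and the `Include /etc/ssh/sshd_config.d/*.conf` line that prepare() prepends expands in lexical order, so an administrator's lower-numbered drop-in overrides this file while anything left in sshd_config proper is shadowed by it. A header such as `# Arch defaults; processed last among /etc/ssh/sshd_config.d/*.conf, so lower-numbered drop-ins take precedence (sshd keeps the first value it reads)` would make that contract explicit. It is also worth a comment next to `KbdInteractiveAuthentication no` that this only disables the keyboard-interactive method; the file does not touch PasswordAuthentication, which therefore stays at the upstream default and remains the administrator's decision.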
@@ -9,116 +12,167 @@
 # If you want to help keep it up to date, please open a Pull Request there.
 pkgname=openssh-selinux
-pkgver=8.2p1
-pkgrel=1
-pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support'
+pkgver=9.7p1
+pkgrel=2
+pkgdesc="SSH protocol implementation for remote login, command execution and file transfer, with SELinux support"
+arch=(x86_64 aarch64)
 url='https://www.openssh.com/portable.html'
-license=('custom:BSD')
-arch=('x86_64')
-makedepends=('linux-headers' 'git')
-depends=('krb5' 'openssl' 'libedit' 'ldns' 'libselinux')
-optdepends=('xorg-xauth: X11 forwarding'
- 'x11-ssh-askpass: input passphrase in X')
+license=(
+ BSD-2-Clause
+ BSD-3-Clause
+ ISC
+ LicenseRef-Public-Domain
+ MIT
+)
+depends=(
+ glibc
+ libselinux
+)
+makedepends=(
+ krb5
+ libedit
+ libfido2
+ libxcrypt
+ linux-headers
+ openssl
+ pam
+ zlib
+)
+optdepends=(
+ 'libfido2: FIDO/U2F support'
+ 'sh: for ssh-copy-id and findssl.sh'
+ 'x11-ssh-askpass: input passphrase in X'
+ 'xorg-xauth: X11 forwarding'
+)
+backup=(
+ etc/pam.d/sshd
+ etc/ssh/ssh_config
+ etc/ssh/sshd_config
+)
 conflicts=("${pkgname/-selinux}" "selinux-${pkgname/-selinux}")
 provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}" "selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}")
 groups=('selinux')
-validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
-#source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc}
-source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
- 'sshdgenkeys.service'
- 'sshd.service'
- 'sshd.conf'
- 'sshd.pam'
- 'glibc-2.31.patch')
-sha256sums=('SKIP'
- '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
+source=(
+ https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz{,.asc}
+ 99-archlinux.conf
+ ${pkgname/-selinux}.tmpfiles
+ sshdgenkeys.service
+ sshd.service
+ ssh-agent.service
+ sshd.pam
+)
+sha256sums=('490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd'
+ 'SKIP'
+ '78b806c38bc1e246daaa941bfe7880e6eb6f53f093bea5d5868525ae6d223d30'
+ '975904668c3c98fff5dbf840717ae959593fa05e90e215e67bf7ee24369d6369'
+ 'e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611'
 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
- '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
- '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846'
- '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93')
-
-backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
-
-install=install
+ 'b3b1e4f7af169cd5fccdcdf9538ef37fc919c79a9905f797925153a94e723998'
+ '633e24cbfcb045ba777d3e06d5f85dfaa06d44f4727d38c7fb2187c57498221d')
+b2sums=('520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b'
+ 'SKIP'
+ '1ff8cd4ae22efed2b4260f1e518de919c4b290be4e0b5edbc8e2225ffe63788678d1961e6f863b85974c4697428ee827bcbabad371cfc91cc8b36eae9402eb97'
+ '43bf32158d6b14cf298e5e92a54d93577d6a45b32b3c0fad7a3722e55a53e446fd30df10002bc945c71528904bb397aaadc4f439dd81e5a87263a31b1daa7fc2'
+ '09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50'
+ '07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e'
+ '046ea6bd6aa00440991e5f7998db33864a7baa353ec6071f96a3ccb5cca5b548cb9e75f9dee56022ca39daa977d18452851d91e6ba36a66028b84b375ded9bc5'
+ '1d24cc029eccf71cee54dda84371cf9aa8d805433e751575ab237df654055dd869024b50facd8b73390717e63100c76bca28b493e0c8be9791c76a2e0d60990a')
+validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') # Damien Miller <djm@mindrot.org>

 prepare() {
-# cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
- cd "${srcdir}/${pkgname/-selinux}"
- patch -p1 -i "${srcdir}/glibc-2.31.patch"
- autoreconf
+ 
cd ${pkgname/-selinux}-$pkgver
+ # remove variable (but useless) first line in config (related to upstream VCS)
+ sed '/^#.*\$.*\$$/d' -i ssh{,d}_config
+
+ # prepend configuration option to include drop-in configuration files for sshd_config
+ printf "# Include drop-in configurations\nInclude /etc/ssh/sshd_config.d/*.conf\n" | cat - sshd_config > sshd_config.tmp
+ mv -v sshd_config.tmp sshd_config
+ # prepend configuration option to include drop-in configuration files for ssh_config
+ printf "# Include drop-in configurations\nInclude /etc/ssh/ssh_config.d/*.conf\n" | cat - ssh_config > ssh_config.tmp
+ mv -v ssh_config.tmp ssh_config
+
+ # extract separate licenses
+ sed -n '89,113p' LICENCE > ../rijndael.Public-Domain.txt
+ sed -n '116,145p' LICENCE > ../ssh.BSD-3-Clause.txt
+ sed -n '148,209p' LICENCE > ../BSD-2-Clause.txt
+ sed -n '213,218p' LICENCE > ../snprintf.Public-Domain.txt
+ sed -n '222,258p' LICENCE > ../openbsd-compat.BSD-3-Clause.txt
+ sed -n '260,278p' LICENCE > ../openbsd-compat.ISC.txt
+ sed -n '280,308p' LICENCE > ../openbsd-compat.MIT.txt
+ sed -n '280,308p' LICENCE > ../openbsd-compat.MIT.txt
+ sed -n '310,338p' LICENCE > ../blowfish.BSD-3-Clause.txt
+ sed -n '340,368p' LICENCE > ../replacement.BSD-2-Clause.txt
 }

 build() {
-# cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
- cd "${srcdir}/${pkgname/-selinux}"
-
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --libexecdir=/usr/lib/ssh \
- --sysconfdir=/etc/ssh \
- --disable-strip \
- --with-ldns \
- --with-libedit \
- --with-ssl-engine \
- --with-pam \
- --with-privsep-user=nobody \
- --with-kerberos5=/usr \
- --with-xauth=/usr/bin/xauth \
- --with-md5-passwords \
- --with-pid-dir=/run \
- --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
- --with-selinux
-
- make
+ local configure_options=(
+ --prefix=/usr
+ --sbindir=/usr/bin
+ --libexecdir=/usr/lib/ssh
+ --sysconfdir=/etc/ssh
+ --disable-strip
+ --with-libedit
+ --with-security-key-builtin
+ --with-ssl-engine
+ 
--with-pam
+ --with-privsep-user=nobody
+ --with-kerberos5=/usr
+ --with-xauth=/usr/bin/xauth
+ --with-pid-dir=/run
+ --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin'
+ --without-zlib-version-check
+ --with-selinux
+ )
+
+ cd ${pkgname/-selinux}-$pkgver
+
+ ./configure "${configure_options[@]}"
+ make
 }

 check() {
-# cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
- cd "${srcdir}/${pkgname/-selinux}"
-
- # Tests require openssh to be already installed system-wide,
- # also connectivity tests will fail under makechrootpkg since
- # it runs as nobody which has /bin/false as login shell.
-
- if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
- # Running tests in parallel is broken in 8.1p1-4, so force -j1:
- #
- # openssh-selinux/src/openssh-8.1p1/regress/ssh-rsa already exists.
- # Overwrite (y/n)? ssh-keygen for ssh-rsa failed
- # putty interop tests not enabled
- # run test putty-ciphers.sh ...
- # ssh connect with failed
- # failed simple connect
- # make[1]: *** [Makefile:211: t-exec] Error 1
- # make[1]: Leaving directory 'openssh-selinux/src/openssh-8.1p1/regress'
- # make: *** [Makefile:610: t-exec] Error 2
- make tests -j1
- fi
+ # NOTE: make t-exec does not work in our build environment
+ make file-tests interop-tests unit -C ${pkgname/-selinux}-$pkgver
 }

 package() {
-# cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
- cd "${srcdir}/${pkgname/-selinux}"
-
- make DESTDIR="${pkgdir}" install
-
- ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
- install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
-
- install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
- install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
- install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
- install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
-
- install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
- install -Dm755 contrib/ssh-copy-id 
"${pkgdir}"/usr/bin/ssh-copy-id - install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1 - - sed \ - -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \ - -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \ - -e '/^#UsePAM no$/c UsePAM yes' \ - -i "${pkgdir}"/etc/ssh/sshd_config + depends+=( + krb5 libkrb5.so libgssapi_krb5.so + libedit libedit.so + libxcrypt libcrypt.so + openssl libcrypto.so + pam libpam.so + zlib libz.so + ) + + cd ${pkgname/-selinux}-$pkgver + + make DESTDIR="$pkgdir" install + + install -vDm 644 ../99-archlinux.conf -t "$pkgdir/etc/ssh/sshd_config.d/" + install -vdm 755 "$pkgdir/etc/ssh/ssh_config.d" + + install -Dm644 LICENCE -t "$pkgdir/usr/share/licenses/${pkgname/-selinux}/" + install -Dm644 ../*.txt -t "$pkgdir/usr/share/licenses/${pkgname/-selinux}/" + + install -Dm644 ../sshdgenkeys.service -t "$pkgdir"/usr/lib/systemd/system/ + install -Dm644 ../sshd.service -t "$pkgdir"/usr/lib/systemd/system/ + install -Dm644 ../ssh-agent.service -t "$pkgdir"/usr/lib/systemd/user/ + install -Dm644 ../sshd.pam "$pkgdir"/etc/pam.d/sshd + + # factory files + install -Dm644 ../sshd.pam "$pkgdir"/usr/share/factory/etc/pam.d/sshd + install -Dm644 "$pkgdir/etc/ssh/moduli" -t "$pkgdir"/usr/share/factory/etc/ssh/ + install -Dm644 "$pkgdir/etc/ssh/ssh_config" -t "$pkgdir"/usr/share/factory/etc/ssh/ + install -Dm644 "$pkgdir/etc/ssh/sshd_config" -t "$pkgdir"/usr/share/factory/etc/ssh/ + install -vDm 644 ../99-archlinux.conf -t "$pkgdir/usr/share/factory/etc/ssh/sshd_config.d/" + + install -vDm 644 ../${pkgname/-selinux}.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/${pkgname/-selinux}.conf" + + install -Dm755 contrib/findssl.sh -t "$pkgdir"/usr/bin/ + install -Dm755 contrib/ssh-copy-id -t "$pkgdir"/usr/bin/ + install -Dm644 contrib/ssh-copy-id.1 -t "$pkgdir"/usr/share/man/man1/ } + +# vim: ts=2 sw=2 et: diff --git a/glibc-2.31.patch b/glibc-2.31.patch deleted file mode 100644 index 187042870deb..000000000000 
--- a/glibc-2.31.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Wed, 13 Nov 2019 23:19:35 +1100
-Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
-
-seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
-glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
----
- sandbox-seccomp-filter.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..96ab141f7 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Wed, 13 Nov 2019 23:27:31 +1100
-Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
-
----
- sandbox-seccomp-filter.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 96ab141f7..be2397671 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
--#ifdef __NR_clock_nanosleep
-- SC_ALLOW(__NR_clock_nanosleep),
--#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Mon, 16 Dec 2019 13:55:56 +1100
-Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
-
-Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index be2397671..3ef30c9d5 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 7 Jan 2020 16:26:45 -0800
-Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
-
-This helps sshd accept connections on mips platforms with
-upcoming glibc ( 2.31 )
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3ef30c9d5..999c46c9f 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep_time64
- SC_ALLOW(__NR_clock_nanosleep_time64),
- #endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
diff --git a/install b/install
deleted file mode 100644
index 988e43f4e77f..000000000000
--- a/install
+++ /dev/null
@@ -1,20 +0,0 @@
-pre_upgrade() {
- # Remove socket activation. See: https://bugs.archlinux.org/task/62248
- if (( $(vercmp $2 8.0p1-3) < 0 )); then
- if systemctl is-enabled -q sshd.socket; then
- cat <<EOF
-==> This package no longer provides sshd.socket and sshd@.service;
-==> copies of those files will be placed under /etc/systemd/system
-==> but please migrate to sshd.service whenever possible.
-EOF
- src=/usr/lib/systemd/system
- dst=/etc/systemd/system
- for i in sshd.socket sshd\@.service; do
- if [[ ! -e "$dst/$i" ]]; then
- cp -v "$src/$i" "$dst/$i"
- fi
- done
- systemctl reenable sshd.socket
- fi
- fi
-}
diff --git a/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc b/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc
new file mode 100644
index 000000000000..cbe47db371b8
--- /dev/null
+++ b/keys/pgp/7168B983815A5EEF59A4ADFD2A3F414E736060BA.asc
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF/uZg0BEADPa+uw7cLPy9ilpe9zm0326WgcGl4yXsVvkDlThcHfq7HckTTe +bEhaClVoK0qDA8DBo6mvLAwF57eMmHbEEi6/dzLUlIH/MKXXZ6tQRCFKqTzBzhJa +i7+H15yXkvRvfbnmVtrJ5NYlprPYSNXN7NuJE6p4dNeR3wCCuNuvojNx3Jw5mJUr +xIuN2kI3wD1XOqMPsUuxD6Lgw32wT5XtCNQBKdMQ8GC9WGsRfXTFBNqCjIXbbfRe +VxhIq/asumCTsnYvOMVas1n+bYCuIwyDWNAYqKNgwdXV/k9D8NLJ7/1BNQ8vAfOJ +Fl6TsDelkZOO/hurVPLBzx3RWa8Tnoh9UiyfVxiFiriYGbYh5ZM74hzFWMBLa583 +xFS7wycWcUeiHMpUHpDsKDgeGJSCY2frGdETn03G5N3fQ5xMPFDRI2AmNJF8wyry +eXS6lAIMfmSytVIJQ8H3kYt47Za1KAw4Gx595lxBTfLRDLFGQFfWwHUfzi728Xbk +VkcfMwmZ34+FZb5XyfTTCevzOlR2+YHMgbPcL3VjQOMnF7CZ9i+CgEPzRxIX1IlD +kfC+TUz/Xbmx9QE3WsG+HTw43eYy9/F2zh15Pwa1zw3viCBZhEaAlSRi9MRzwejQ +UZaSD9VM15FMRju0jNWbZeiNYy90rXvfex/VveYRXc1PKpi4OefGOgNrRwARAQAB +tB9EYW1pZW4gTWlsbGVyIDxkam1AbWluZHJvdC5vcmc+iQJOBBMBCAA4FiEEcWi5 +g4FaXu9ZpK39Kj9BTnNgYLoFAl/uZg0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AACgkQKj9BTnNgYLqQjg/8DERhTxdO5kdjMCKbuwdGv5nUeeSeuA32YYvce4LL +wfxx05mRAucdI6ZiMZ84pE1PNaJuvfoJ3gREJc/5uUMK2SsXDVAugtEgJnmckJwV +KvkJqetTzvBTAJDTF+SQ+XyIXyPV2isgNk560Aq6afzvApic2mEZCJ89kXkZLQ1L +5enu+aD5H5ptNMJJOfEU0/CJAnBGb+Vc74DhsIdy48v9fW99URg4BFL6feXb2Cmc +dSiuiJYoL8X4dG+vqjh0gCaX6MyrrEEwHqP3JizLM2ur3oYzFcMu88JSQRp33r6B +Ha9Ekm8UxQxr23NzgL2f8qzy3mzu6breXd5JiUe5Uvpp0j1KVUtvPK50Gvs/6ZTe +vTPG9ijNPM8AvCCiGzhtiJap20T3L6ouwmuDnMzWDmAUlYAVY2FeR8HXQ16hg3Qv +wjJFkxoGrjXnh+D315pAERPOHWqjIATXBnkMXPMYyfRnmCrJh3qlPFiiX7pQgW+S +4huG/OjsCcRBv0IzMJx4lw9pIOhYmfwxeJuBxHzND5skv0Gg7B69O48FFGDh1bog +4EMSoGPNnKxIjsRPfpH31awGrSTG0+OatujkbroOSvAMGmzuyCBGDZjbe2Cas6yw +NWzM356sL7zRcKUNMHPybIHfLp3hVT51YbifRkMYkT7Dpg1k3/akIoRKWBTx7krm +pS25Ag0EX+5mDQEQANombPGwYrMa+WkBNYE1V8L4LZyDo0OmgzofW5op2gELYPp7 +bzRYuh1M0rwdF04wMPLB9gc9/ApHM7g33eGH2TswCUSUxufDQLmwDA4yd8h63z/7 +l5/ilRFHQ2L/sE22wOHD87TC4TcTScIDyo1S4/RRpHWCwnvsUw9zzosDDrWs6VuL +ncpzQnENT/gyD8x7jorCdQJGKg60oXJRFHIrTuOP/vCc4Yih/R8cKJji5Lu5cIxd +ZxMr1QusyV5calyJm3hRUWyi5SLXG61Q9UiVgRehLLRYEghXIxtPijfOi0QAX6ff 
+NODox4kgYgzk09FuFuYnA5yjs4/mZbHUnUiHMAJy8+57IKG4I1GkT6LNNd3XXDAx +UiEvkjbQBP7IuCR3SxlFQih+UYB8ljIytjEBsdywmhz1U/xItLi3UmyraS6UrGLD +aJJYsPOAs3erFI40fyIR4ye68g+HiUsl7e77menvbcMibpnDyb1sN33hYxqhipoc +KcOr4ipGBKg0pEuyCUanUvDMtTzJt/BMOtVmkmGHobnh9cjv/1rZaNoWHxYeDeB3 +LvROjXiQTRHNtIM+rU5JMm7iLgrGXUa/TBGYHBBMB/jH9/Oi6fv1an6ZspFGk+Fw +E5M4Uh4hRcd8tYw/4ApTeMwE5kvbNtXX/DaKHKlkyYzoy5ip/Z3r6eCa3+TRABEB +AAGJAjYEGAEIACAWIQRxaLmDgVpe71mkrf0qP0FOc2BgugUCX+5mDQIbDAAKCRAq +P0FOc2Bgumv6EACo6IB4kKkSi7GkY+coqcudorPL147A3Yb9vRkxVf9Gi6z3BceT +ZBz3+ZkLDf5NX2H8B2qtrsBri/2AekWunmQTj/8XdIuyaVC60j0wwVhIKheVM7mm +0CWPKGCvEXQOUUuk3OEN/C/X/UWx2Dxr0YA3m2Z4DFTlEDg9LOBJAGMKHzjhP2uU +vk8vtdqO7fgUxbnI4Bf0YqIDt/B8nlHqSoiRVL7kkXJbiLx2qKC7wzL35mU/52YW +bKgGt50+/NDoPWqKSN+rZlLmUkdXyeY2II+XVNyQNdR1mosG2YlVxJzQ4f1j68zP +JPihn/3ccpi7gm0TnPsMI4aolhp+3CiXFSx80gjtKz1Wib65Yk7otMrUS0ORdwPP +p7KvOJWx1w2Vp2DHBlRdIpbkJLG0JHPVT7p0SFQN1Hz7ezv6yvC5GZSbbSj2S9ON +iAu76zxWSBw22JeThEMKITueb/9DILWg83Pz5O5p1ZHC8r2i9cpfBVnvnymOCZPE +lAsoMMQgo7Qr+01mGjRnqXpUKJ8EVsQsn/sVGpxKzsYAB4S34K8xVt9alNp63dlG +27Y+o18LSTTHj9WQgS+QYHFKcqWFIfQ8sbI3Upo4ZhZOFFwQqaX+T6P9akqa+Sj5 +sLlk3dChghJ6LFPUUqSbRO/KYcapCmgfANx5kXjyYMkuIdgS9DYEESEVVg== +=NtKR +-----END PGP PUBLIC KEY BLOCK----- diff --git a/openssh.tmpfiles b/openssh.tmpfiles new file mode 100644 index 000000000000..0bf3870972f2 --- /dev/null +++ b/openssh.tmpfiles @@ -0,0 +1,9 @@ +C /etc/pam.d/sshd +C /etc/ssh/moduli +C /etc/ssh/ssh_config +C /etc/ssh/sshd_config +C /etc/ssh/sshd_config.d/99-archlinux.conf + +d /etc/ssh/ssh_config.d +d /etc/ssh/sshd_config.d +d /var/empty diff --git a/ssh-agent.service b/ssh-agent.service new file mode 100644 index 000000000000..4a5fe5543cce --- /dev/null +++ b/ssh-agent.service 
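Review bot: `d /var/empty` in the new openssh.tmpfiles drops the explicit `0755 root root` that the removed sshd.conf carried; tmpfiles.d falls back to exactly those defaults, so the effective result is unchanged, but /var/empty is sshd's privilege-separation chroot and has to stay root-owned and not group- or world-writable, so spelling the mode and owner out as `d /var/empty 0755 root root` keeps that requirement visible instead of implicit. The `C` entries copy from /usr/share/factory only when the destination does not exist yet, which is worth stating in a header comment because package() also installs the same files straight into /etc; something like `# C lines restore a deleted /etc file from /usr/share/factory and never overwrite an existing one` would do.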
@@ -0,0 +1,15 @@
+# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" to be set in environment
+[Unit]
+ConditionEnvironment=!SSH_AGENT_PID
+Description=OpenSSH key agent
+Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
+
+[Service]
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
+ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+PassEnvironment=SSH_AGENT_PID
+SuccessExitStatus=2
+Type=simple
+
+[Install]
+WantedBy=default.target
diff --git a/sshd.conf b/sshd.conf
deleted file mode 100644
index ca2a393542e7..000000000000
--- a/sshd.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /var/empty 0755 root root
@@ -1,5 +1,5 @@
 #%PAM-1.0
-#auth required pam_securetty.so #disable remote root
+
 auth include system-remote-login
 account include system-remote-login
 password include system-remote-login
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
index cfb9f6aa17f1..83230084f5dd 100644
--- a/sshdgenkeys.service
+++ b/sshdgenkeys.service
@@ -1,7 +1,5 @@
 [Unit]
 Description=SSH Key Generation
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
 ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
 ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
 ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key |
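Review bot: The first line of the new ssh-agent.service says SSH_AUTH_SOCK must "be set in environment" without saying whose; the unit's own `Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket` only reaches the agent process, so what the comment really asks is that client sessions export the same path. Rewording it to `# Clients need SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" in their own environment (e.g. via ~/.config/environment.d); the Environment= line below applies only to the agent` removes the ambiguity. `SuccessExitStatus=2` also deserves a one-line comment naming which ssh-agent exit it whitelists, since 2 is not an obviously clean exit status and a reader cannot tell from the unit whether it covers a normal shutdown or an error that is being deliberately ignored.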