* [OE-core][PATCH v5 1/3] openssh: drop rejected patch fixed in 8.6p1 release
@ 2024-07-16 14:16 Jose Quaresma
2024-07-16 14:16 ` [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream Jose Quaresma
2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma
0 siblings, 2 replies; 15+ messages in thread
From: Jose Quaresma @ 2024-07-16 14:16 UTC (permalink / raw)
To: openembedded-core; +Cc: Jose Quaresma
The rationale [1] is that C11 6.5.6.9 says:
"""
When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object; the
result is the difference of the subscripts of the two array elements.
"""
In these cases the objects are arrays of char so the result is defined,
and we believe that the compiler incorrectly trapping on defined behaviour.
I also found https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63303
("Pointer subtraction is broken when using -fsanitize=undefined") which seems to support this position.
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
...igned-overflow-in-pointer-arithmatic.patch | 111 ------------------
.../openssh/openssh_9.7p1.bb | 1 -
2 files changed, 112 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c | 8 ++++++--
- openbsd-compat/strnlen.c | 8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
---- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
- /* Find the end of dst and adjust bytes left but don't go past end */
- while (n-- != 0 && *d != '\0')
- d++;
-- dlen = d - dst;
-+ dlen = (uintptr_t)d - (uintptr_t)dst;
- n = siz - dlen;
-
- if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
- s++;
- }
- *d = '\0';
--
-- return(dlen + (s - src)); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
---- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
-
- /*
- * Copy src to string dst of size siz. At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
- while (*s++)
- ;
- }
--
-- return(s - src - 1); /* count does not include NUL */
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
- }
-
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
---- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
-
- #include <string.h>
-+#include <stdint.h>
-
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
-
- for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
- ;
--
-- return (size_t)(cp - str);
-+ /*
-+ * Cast pointers to unsigned type before calculation, to avoid signed
-+ * overflow when the string ends where the MSB has changed.
-+ */
-+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
---
-2.17.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
index 4a08c0bd66..4f20616295 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
@@ -22,7 +22,6 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://sshdgenkeys.service \
file://volatiles.99_sshd \
file://run-ptest \
- file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
--
2.45.2
^ permalink raw reply related [flat|nested] 15+ messages in thread* [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-16 14:16 [OE-core][PATCH v5 1/3] openssh: drop rejected patch fixed in 8.6p1 release Jose Quaresma @ 2024-07-16 14:16 ` Jose Quaresma 2024-07-17 6:37 ` Khem Raj 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma 1 sibling, 1 reply; 15+ messages in thread From: Jose Quaresma @ 2024-07-16 14:16 UTC (permalink / raw) To: openembedded-core; +Cc: Jose Quaresma Still side effects of the XZ backdoor. The systemd sd-notify patch was rejected [1] upstream and was chosen a standalone implementation that does not depend on libsystemd [2]. Racional [1]: License incompatibility and library bloatedness were the reasons. Given recent events we're never going to take a dependency on libsystemd, though we might implement the notification protocol ourselves if it isn't too much work. [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> --- v4: - split update of Upstream-Status in new patches in the serie v5: - use the upstream solution ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ ...tional-support-for-systemd-sd_notify.patch | 96 -------- .../openssh/openssh/sshd.service | 2 +- .../openssh/openssh/sshd@.service | 1 + .../openssh/openssh_9.7p1.bb | 4 +- 5 files changed, 228 insertions(+), 100 deletions(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch new file mode 100644 index 0000000000..4925c969fe --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch @@ -0,0 +1,225 @@ +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Wed, 3 Apr 2024 14:40:32 +1100 +Subject: [PATCH] notify systemd on listen and reload + +Standalone implementation that does not depend on libsystemd. +With assistance from Luca Boccassi, and feedback/testing from Colin +Watson. bz2641 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> +--- + configure.ac | 1 + + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- + openbsd-compat/port-linux.h | 5 ++ + platform.c | 11 +++++ + platform.h | 1 + + sshd.c | 2 + + 6 files changed, 115 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 82e8bb7c1..854f92b5b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 0457e28d0..df7290246 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -21,16 +21,23 @@ + + #include "includes.h" + +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ ++ defined(SYSTEMD_NOTIFY) ++#include <sys/socket.h> ++#include <sys/un.h> ++ + #include <errno.h> ++#include <inttypes.h> + #include <stdarg.h> + #include <string.h> + #include <stdio.h> + #include <stdlib.h> ++#include <time.h> + + #include "log.h" + #include "xmalloc.h" + #include "port-linux.h" ++#include "misc.h" + + #ifdef WITH_SELINUX + #include <selinux/selinux.h> +@@ -310,4 +317,90 @@ oom_adjust_restore(void) + return; + } + #endif /* LINUX_OOM_ADJUST */ +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ ++ ++#ifdef SYSTEMD_NOTIFY ++ ++static void ssh_systemd_notify(const char *, ...) ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); ++ ++static void ++ssh_systemd_notify(const char *fmt, ...) ++{ ++ char *s = NULL; ++ const char *path; ++ struct stat sb; ++ struct sockaddr_un addr; ++ int fd = -1; ++ va_list ap; ++ ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) ++ return; ++ ++ va_start(ap, fmt); ++ xvasprintf(&s, fmt, ap); ++ va_end(ap); ++ ++ /* Only AF_UNIX is supported, with path or abstract sockets */ ++ if (path[0] != '/' && path[0] != '@') { ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); ++ goto out; ++ } ++ ++ if (path[0] == '/' && stat(path, &sb) != 0) { ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); ++ goto out; ++ } ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ if (strlcpy(addr.sun_path, path, ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { ++ error_f("socket path \"%s\" too long", path); ++ goto out; ++ } ++ /* Support for abstract socket */ ++ if (addr.sun_path[0] == '@') ++ addr.sun_path[0] = 0; ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { ++ error_f("socket \"%s\": %s", path, strerror(errno)); ++ goto out; ++ } ++ if (connect(fd, &addr, sizeof(addr)) != 0) { ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); ++ goto out; ++ } ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); ++ goto out; ++ } ++ debug_f("socket \"%s\" notified %s", path, s); ++ out: ++ if (fd != -1) ++ close(fd); ++ free(s); ++} ++ ++void ++ssh_systemd_notify_ready(void) ++{ ++ ssh_systemd_notify("READY=1"); ++} ++ ++void ++ssh_systemd_notify_reload(void) ++{ ++ struct timespec now; ++ ++ monotime_ts(&now); ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { ++ error_f("monotime returned negative value"); ++ ssh_systemd_notify("RELOADING=1"); ++ } else { ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", ++ ((uint64_t)now.tv_sec * 1000000ULL) + ++ ((uint64_t)now.tv_nsec / 1000ULL)); ++ } ++} ++#endif /* SYSTEMD_NOTIFY */ ++ ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index 3c22a854d..14064f87d 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); + void oom_adjust_setup(void); + #endif + ++#ifdef SYSTEMD_NOTIFY ++void ssh_systemd_notify_ready(void); ++void ssh_systemd_notify_reload(void); ++#endif ++ + #endif /* ! _PORT_LINUX_H */ +diff --git a/platform.c b/platform.c +index 4fe8744ee..9cf818153 100644 +--- a/platform.c ++++ b/platform.c +@@ -44,6 +44,14 @@ platform_pre_listen(void) + #endif + } + ++void ++platform_post_listen(void) ++{ ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_ready(); ++#endif ++} ++ + void + platform_pre_fork(void) + { +@@ -55,6 +63,9 @@ platform_pre_fork(void) + void + platform_pre_restart(void) + { ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_reload(); ++#endif + #ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); + #endif +diff --git a/platform.h b/platform.h +index 7fef8c983..5dec23276 100644 +--- a/platform.h ++++ b/platform.h +@@ -21,6 +21,7 @@ + void platform_pre_listen(void); + void platform_pre_fork(void); + void platform_pre_restart(void); ++void platform_post_listen(void); + void platform_post_fork_parent(pid_t child_pid); + void platform_post_fork_child(void); + int platform_privileged_uidswap(void); +diff --git a/sshd.c b/sshd.c +index b4f2b9742..865331b46 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2077,6 +2077,8 @@ main(int ac, char **av) + ssh_signal(SIGTERM, sigterm_handler); + ssh_signal(SIGQUIT, sigterm_handler); + ++ platform_post_listen(); ++ + /* + * Write out the pid file after the sigterm handler + * is setup and the listen sockets are bound +-- +2.45.2 + diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch deleted file mode 100644 index f079d936a4..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch +++ /dev/null @@ -1,96 +0,0 @@ -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 -From: Matt Jolly <Matt.Jolly@footclan.ninja> -Date: Thu, 2 Feb 2023 21:05:40 +1100 -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` - -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> -patch based on Jakub Jelen's <jjelen@redhat.com> original patch - -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] - -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> ---- - configure.ac | 24 ++++++++++++++++++++++++ - sshd.c | 13 +++++++++++++ - 2 files changed, 37 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 82e8bb7..d1145d3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) - AC_SUBST([K5LIBS]) - AC_SUBST([CHANNELLIBS]) - -+# Check whether user wants systemd support -+SYSTEMD_MSG="no" -+AC_ARG_WITH(systemd, -+ [ --with-systemd Enable systemd support], -+ [ if test "x$withval" != "xno" ; then -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) -+ if test "$PKGCONFIG" != "no"; then -+ AC_MSG_CHECKING([for libsystemd]) -+ if $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) -+ SYSTEMD_MSG="yes" -+ else -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+ fi ] -+) -+ - # Looking for programs, paths and files - - PRIVSEP_PATH=/var/empty -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" - echo " Solaris process contract support: $SPC_MSG" - echo " Solaris project support: $SP_MSG" - echo " Solaris privilege support: $SPP_MSG" -+echo " systemd support: $SYSTEMD_MSG" - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" -diff --git a/sshd.c b/sshd.c -index b4f2b97..6820a41 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -88,6 +88,10 @@ - #include <prot.h> - #endif - -+#ifdef HAVE_SYSTEMD -+#include <systemd/sd-daemon.h> -+#endif -+ - #include "xmalloc.h" - #include "ssh.h" - #include "ssh2.h" -@@ -308,6 +312,10 @@ static void - sighup_restart(void) - { - logit("Received SIGHUP; restarting."); -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are reloading */ -+ sd_notify(0, "RELOADING=1"); -+#endif - if (options.pid_file != NULL) - unlink(options.pid_file); - platform_pre_restart(); -@@ -2093,6 +2101,11 @@ main(int ac, char **av) - } - } - -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are ready to accept connections */ -+ sd_notify(0, "READY=1"); -+#endif -+ - /* Accept a connection and return in a forked child */ - server_accept_loop(&sock_in, &sock_out, - &newsock, config_s); diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service index 3e570ab1e5..c71fff1cc1 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service @@ -5,11 +5,11 @@ After=sshdgenkeys.service After=nss-user-lookup.target [Service] +Type=notify-reload Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID KillMode=process Restart=on-failure RestartSec=42s diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service index 9d9965e624..dcfec8f054 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon After=sshdgenkeys.service [Service] +Type=notify-reload Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb index 4f20616295..4680d12be5 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://run-ptest \ file://sshd_check_keys \ file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ + file://0001-notify-systemd-on-listen-and-reload.patch \ file://CVE-2024-6387.patch \ " SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" inherit autotools-brokensep ptest pkgconfig -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" # systemd-sshd-socket-mode means installing sshd.socket # and systemd-sshd-service-mode corresponding to sshd.service @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ --sysconfdir=${sysconfdir}/ssh \ --with-xauth=${bindir}/xauth \ --disable-strip \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ " # musl doesn't implement wtmp/utmp and logwtmp -- 2.45.2 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-16 14:16 ` [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream Jose Quaresma @ 2024-07-17 6:37 ` Khem Raj 2024-07-17 8:46 ` Jose Quaresma 0 siblings, 1 reply; 15+ messages in thread From: Khem Raj @ 2024-07-17 6:37 UTC (permalink / raw) To: quaresma.jose; +Cc: openembedded-core, Jose Quaresma actually I narrowed down my problem of disconnection to this patch in the series. Earlier I thought it might be related to the openssh upgrade patch but reverting that still causes the problem but this patch when reverted, the problem is gone. On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > Still side effects of the XZ backdoor. The systemd sd-notify patch > was rejected [1] upstream and was chosen a standalone implementation > that does not depend on libsystemd [2]. > > Racional [1]: > > License incompatibility and library bloatedness were the reasons. > Given recent events we're never going to take a dependency on libsystemd, > though we might implement the notification protocol ourselves if it isn't too much work. > > [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 > [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > > v4: > - split update of Upstream-Status in new patches in the serie > > v5: > - use the upstream solution > > ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > .../openssh/openssh/sshd.service | 2 +- > .../openssh/openssh/sshd@.service | 1 + > .../openssh/openssh_9.7p1.bb | 4 +- > 5 files changed, 228 insertions(+), 100 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > new file mode 100644 > index 0000000000..4925c969fe > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > @@ -0,0 +1,225 @@ > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > +From: Damien Miller <djm@mindrot.org> > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > +Subject: [PATCH] notify systemd on listen and reload > + > +Standalone implementation that does not depend on libsystemd. > +With assistance from Luca Boccassi, and feedback/testing from Colin > +Watson. bz2641 > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + configure.ac | 1 + > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > + openbsd-compat/port-linux.h | 5 ++ > + platform.c | 11 +++++ > + platform.h | 1 + > + sshd.c | 2 + > + 6 files changed, 115 insertions(+), 2 deletions(-) > + > +diff --git a/configure.ac b/configure.ac > +index 82e8bb7c1..854f92b5b 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > + AC_DEFINE([USE_BTMP]) > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > + inet6_default_4in6=yes > + case `uname -r` in > + 1.*|2.0.*) > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 0457e28d0..df7290246 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -21,16 +21,23 @@ > + > + #include "includes.h" > + > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > ++ defined(SYSTEMD_NOTIFY) > ++#include <sys/socket.h> > ++#include <sys/un.h> > ++ > + #include <errno.h> > ++#include <inttypes.h> > + #include <stdarg.h> > + #include <string.h> > + #include <stdio.h> > + #include <stdlib.h> > ++#include <time.h> > + > + #include "log.h" > + #include "xmalloc.h" > + #include "port-linux.h" > ++#include "misc.h" > + > + #ifdef WITH_SELINUX > + #include <selinux/selinux.h> > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > + return; > + } > + #endif /* LINUX_OOM_ADJUST */ > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > ++ > ++#ifdef SYSTEMD_NOTIFY > ++ > ++static void ssh_systemd_notify(const char *, ...) > ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > ++ > ++static void > ++ssh_systemd_notify(const char *fmt, ...) > ++{ > ++ char *s = NULL; > ++ const char *path; > ++ struct stat sb; > ++ struct sockaddr_un addr; > ++ int fd = -1; > ++ va_list ap; > ++ > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > ++ return; > ++ > ++ va_start(ap, fmt); > ++ xvasprintf(&s, fmt, ap); > ++ va_end(ap); > ++ > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > ++ if (path[0] != '/' && path[0] != '@') { > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > ++ goto out; > ++ } > ++ > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ > ++ memset(&addr, 0, sizeof(addr)); > ++ addr.sun_family = AF_UNIX; > ++ if (strlcpy(addr.sun_path, path, > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > ++ error_f("socket path \"%s\" too long", path); > ++ goto out; > ++ } > ++ /* Support for abstract socket */ > ++ if (addr.sun_path[0] == '@') > ++ addr.sun_path[0] = 0; > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ debug_f("socket \"%s\" notified %s", path, s); > ++ out: > ++ if (fd != -1) > ++ close(fd); > ++ free(s); > ++} > ++ > ++void > ++ssh_systemd_notify_ready(void) > ++{ > ++ ssh_systemd_notify("READY=1"); > ++} > ++ > ++void > ++ssh_systemd_notify_reload(void) > ++{ > ++ struct timespec now; > ++ > ++ monotime_ts(&now); > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > ++ error_f("monotime returned negative value"); > ++ ssh_systemd_notify("RELOADING=1"); > ++ } else { > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > ++ } > ++} > ++#endif /* SYSTEMD_NOTIFY */ > ++ > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > +index 3c22a854d..14064f87d 100644 > +--- a/openbsd-compat/port-linux.h > ++++ b/openbsd-compat/port-linux.h > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > + void oom_adjust_setup(void); > + #endif > + > ++#ifdef SYSTEMD_NOTIFY > ++void ssh_systemd_notify_ready(void); > ++void ssh_systemd_notify_reload(void); > ++#endif > ++ > + #endif /* ! _PORT_LINUX_H */ > +diff --git a/platform.c b/platform.c > +index 4fe8744ee..9cf818153 100644 > +--- a/platform.c > ++++ b/platform.c > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > + #endif > + } > + > ++void > ++platform_post_listen(void) > ++{ > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_ready(); > ++#endif > ++} > ++ > + void > + platform_pre_fork(void) > + { > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > + void > + platform_pre_restart(void) > + { > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_reload(); > ++#endif > + #ifdef LINUX_OOM_ADJUST > + oom_adjust_restore(); > + #endif > +diff --git a/platform.h b/platform.h > +index 7fef8c983..5dec23276 100644 > +--- a/platform.h > ++++ b/platform.h > +@@ -21,6 +21,7 @@ > + void platform_pre_listen(void); > + void platform_pre_fork(void); > + void platform_pre_restart(void); > ++void platform_post_listen(void); > + void platform_post_fork_parent(pid_t child_pid); > + void platform_post_fork_child(void); > + int platform_privileged_uidswap(void); > +diff --git a/sshd.c b/sshd.c > +index b4f2b9742..865331b46 100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > + ssh_signal(SIGTERM, sigterm_handler); > + ssh_signal(SIGQUIT, sigterm_handler); > + > ++ platform_post_listen(); > ++ > + /* > + * Write out the pid file after the sigterm handler > + * is setup and the listen sockets are bound > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > deleted file mode 100644 > index f079d936a4..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > +++ /dev/null > @@ -1,96 +0,0 @@ > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > - > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > - > -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] > - > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > ---- > - configure.ac | 24 ++++++++++++++++++++++++ > - sshd.c | 13 +++++++++++++ > - 2 files changed, 37 insertions(+) > - > -diff --git a/configure.ac b/configure.ac > -index 82e8bb7..d1145d3 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > - AC_SUBST([K5LIBS]) > - AC_SUBST([CHANNELLIBS]) > - > -+# Check whether user wants systemd support > -+SYSTEMD_MSG="no" > -+AC_ARG_WITH(systemd, > -+ [ --with-systemd Enable systemd support], > -+ [ if test "x$withval" != "xno" ; then > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > -+ if test "$PKGCONFIG" != "no"; then > -+ AC_MSG_CHECKING([for libsystemd]) > -+ if $PKGCONFIG --exists libsystemd; then > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > -+ AC_MSG_RESULT([yes]) > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) > -+ SYSTEMD_MSG="yes" > -+ else > -+ AC_MSG_RESULT([no]) > -+ fi > -+ fi > -+ fi ] > -+) > -+ > - # Looking for programs, paths and files > - > - PRIVSEP_PATH=/var/empty > -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" > - echo " Solaris process contract support: $SPC_MSG" > - echo " Solaris project support: $SP_MSG" > - echo " Solaris privilege support: $SPP_MSG" > -+echo " systemd support: $SYSTEMD_MSG" > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > - echo " BSD Auth support: $BSD_AUTH_MSG" > -diff --git a/sshd.c b/sshd.c > -index b4f2b97..6820a41 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -88,6 +88,10 @@ > - #include <prot.h> > - #endif > - > -+#ifdef HAVE_SYSTEMD > -+#include <systemd/sd-daemon.h> > -+#endif > -+ > - #include "xmalloc.h" > - #include "ssh.h" > - #include "ssh2.h" > -@@ -308,6 +312,10 @@ static void > - sighup_restart(void) > - { > - logit("Received SIGHUP; restarting."); > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are reloading */ > -+ sd_notify(0, "RELOADING=1"); > -+#endif > - if (options.pid_file != NULL) > - unlink(options.pid_file); > - platform_pre_restart(); > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > - } > - } > - > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are ready to accept connections */ > -+ sd_notify(0, "READY=1"); > -+#endif > -+ > - /* Accept a connection and return in a forked child */ > - server_accept_loop(&sock_in, &sock_out, > - &newsock, config_s); > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service > index 3e570ab1e5..c71fff1cc1 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > After=nss-user-lookup.target > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > KillMode=process > Restart=on-failure > RestartSec=42s > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service > index 9d9965e624..dcfec8f054 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > After=sshdgenkeys.service > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > index 4f20616295..4680d12be5 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://run-ptest \ > file://sshd_check_keys \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > + file://0001-notify-systemd-on-listen-and-reload.patch \ > file://CVE-2024-6387.patch \ > " > SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" > > inherit autotools-brokensep ptest pkgconfig > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" > > # systemd-sshd-socket-mode means installing sshd.socket > # and systemd-sshd-service-mode corresponding to sshd.service > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > --sysconfdir=${sysconfdir}/ssh \ > --with-xauth=${bindir}/xauth \ > --disable-strip \ > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ > " > > # musl doesn't implement wtmp/utmp and logwtmp > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202116): https://lists.openembedded.org/g/openembedded-core/message/202116 > Mute This Topic: https://lists.openembedded.org/mt/107252588/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-17 6:37 ` Khem Raj @ 2024-07-17 8:46 ` Jose Quaresma 2024-07-17 9:24 ` ChenQi 0 siblings, 1 reply; 15+ messages in thread From: Jose Quaresma @ 2024-07-17 8:46 UTC (permalink / raw) To: Khem Raj; +Cc: openembedded-core, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 18751 bytes --] Khem Raj <raj.khem@gmail.com> escreveu (quarta, 17/07/2024 à(s) 07:38): > actually I narrowed down my problem of disconnection to this patch in > the series. Earlier I thought it might be related to the openssh > upgrade patch > but reverting that still causes the problem but this patch when > reverted, the problem is gone. > I will jump on this today and try to find the root cause. The ptest goes well in my local tests but I didn't do anything with testimage. I'll see if the testimage picks up something. Thanks for the feedback. Jose > > On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via > lists.openembedded.org > <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > > > Still side effects of the XZ backdoor. The systemd sd-notify patch > > was rejected [1] upstream and was chosen a standalone implementation > > that does not depend on libsystemd [2]. > > > > Racional [1]: > > > > License incompatibility and library bloatedness were the reasons. > > Given recent events we're never going to take a dependency on libsystemd, > > though we might implement the notification protocol ourselves if it > isn't too much work. > > > > [1] > https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 > > [2] > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > > > v5: > > - use the upstream solution > > > > ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ > > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > > .../openssh/openssh/sshd.service | 2 +- > > .../openssh/openssh/sshd@.service | 1 + > > .../openssh/openssh_9.7p1.bb | 4 +- > > 5 files changed, 228 insertions(+), 100 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > new file mode 100644 > > index 0000000000..4925c969fe > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > @@ -0,0 +1,225 @@ > > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > > +From: Damien Miller <djm@mindrot.org> > > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > > +Subject: [PATCH] notify systemd on listen and reload > > + > > +Standalone implementation that does not depend on libsystemd. > > +With assistance from Luca Boccassi, and feedback/testing from Colin > > +Watson. bz2641 > > + > > +Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > ] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + configure.ac | 1 + > > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > > + openbsd-compat/port-linux.h | 5 ++ > > + platform.c | 11 +++++ > > + platform.h | 1 + > > + sshd.c | 2 + > > + 6 files changed, 115 insertions(+), 2 deletions(-) > > + > > +diff --git a/configure.ac b/configure.ac > > +index 82e8bb7c1..854f92b5b 100644 > > +--- a/configure.ac > > ++++ b/configure.ac > > +@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login > attempts]) > > + AC_DEFINE([USE_BTMP]) > > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory > killer]) > > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on > start/reload]) > > + inet6_default_4in6=yes > > + case `uname -r` in > > + 1.*|2.0.*) > > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > +index 0457e28d0..df7290246 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -21,16 +21,23 @@ > > + > > + #include "includes.h" > > + > > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > ++ defined(SYSTEMD_NOTIFY) > > ++#include <sys/socket.h> > > ++#include <sys/un.h> > > ++ > > + #include <errno.h> > > ++#include <inttypes.h> > > + #include <stdarg.h> > > + #include <string.h> > > + #include <stdio.h> > > + #include <stdlib.h> > > ++#include <time.h> > > + > > + #include "log.h" > > + #include "xmalloc.h" > > + #include "port-linux.h" > > ++#include "misc.h" > > + > > + #ifdef WITH_SELINUX > > + #include <selinux/selinux.h> > > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > + return; > > + } > > + #endif /* LINUX_OOM_ADJUST */ > > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > ++ > > ++#ifdef SYSTEMD_NOTIFY > > ++ > > ++static void ssh_systemd_notify(const char *, ...) > > ++ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > ++ > > ++static void > > ++ssh_systemd_notify(const char *fmt, ...) > > ++{ > > ++ char *s = NULL; > > ++ const char *path; > > ++ struct stat sb; > > ++ struct sockaddr_un addr; > > ++ int fd = -1; > > ++ va_list ap; > > ++ > > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == > 0) > > ++ return; > > ++ > > ++ va_start(ap, fmt); > > ++ xvasprintf(&s, fmt, ap); > > ++ va_end(ap); > > ++ > > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > > ++ if (path[0] != '/' && path[0] != '@') { > > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", > path); > > ++ goto out; > > ++ } > > ++ > > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ > > ++ memset(&addr, 0, sizeof(addr)); > > ++ addr.sun_family = AF_UNIX; > > ++ if (strlcpy(addr.sun_path, path, > > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > ++ error_f("socket path \"%s\" too long", path); > > ++ goto out; > > ++ } > > ++ /* Support for abstract socket */ > > ++ if (addr.sun_path[0] == '@') > > ++ addr.sun_path[0] = 0; > > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > ++ error_f("socket \"%s\" write: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ debug_f("socket \"%s\" notified %s", path, s); > > ++ out: > > ++ if (fd != -1) > > ++ close(fd); > > ++ free(s); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_ready(void) > > ++{ > > ++ ssh_systemd_notify("READY=1"); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_reload(void) > > ++{ > > ++ struct timespec now; > > ++ > > ++ monotime_ts(&now); > > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > ++ error_f("monotime returned negative value"); > > ++ ssh_systemd_notify("RELOADING=1"); > > ++ } else { > > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > > ++ } > > ++} > > ++#endif /* SYSTEMD_NOTIFY */ > > ++ > > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > > +index 3c22a854d..14064f87d 100644 > > +--- a/openbsd-compat/port-linux.h > > ++++ b/openbsd-compat/port-linux.h > > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > + void oom_adjust_setup(void); > > + #endif > > + > > ++#ifdef SYSTEMD_NOTIFY > > ++void ssh_systemd_notify_ready(void); > > ++void ssh_systemd_notify_reload(void); > > ++#endif > > ++ > > + #endif /* ! _PORT_LINUX_H */ > > +diff --git a/platform.c b/platform.c > > +index 4fe8744ee..9cf818153 100644 > > +--- a/platform.c > > ++++ b/platform.c > > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > > + #endif > > + } > > + > > ++void > > ++platform_post_listen(void) > > ++{ > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_ready(); > > ++#endif > > ++} > > ++ > > + void > > + platform_pre_fork(void) > > + { > > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > > + void > > + platform_pre_restart(void) > > + { > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_reload(); > > ++#endif > > + #ifdef LINUX_OOM_ADJUST > > + oom_adjust_restore(); > > + #endif > > +diff --git a/platform.h b/platform.h > > +index 7fef8c983..5dec23276 100644 > > +--- a/platform.h > > ++++ b/platform.h > > +@@ -21,6 +21,7 @@ > > + void platform_pre_listen(void); > > + void platform_pre_fork(void); > > + void platform_pre_restart(void); > > ++void platform_post_listen(void); > > + void platform_post_fork_parent(pid_t child_pid); > > + void platform_post_fork_child(void); > > + int platform_privileged_uidswap(void); > > +diff --git a/sshd.c b/sshd.c > > +index b4f2b9742..865331b46 100644 > > +--- a/sshd.c > > ++++ b/sshd.c > > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > + ssh_signal(SIGTERM, sigterm_handler); > > + ssh_signal(SIGQUIT, sigterm_handler); > > + > > ++ platform_post_listen(); > > ++ > > + /* > > + * Write out the pid file after the sigterm handler > > + * is setup and the listen sockets are bound > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > deleted file mode 100644 > > index f079d936a4..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > +++ /dev/null > > @@ -1,96 +0,0 @@ > > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > > - > > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > > - > > -Upstream-Status: Submitted [ > https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56 > ] > > - > > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > > ---- > > - configure.ac | 24 ++++++++++++++++++++++++ > > - sshd.c | 13 +++++++++++++ > > - 2 files changed, 37 insertions(+) > > - > > -diff --git a/configure.ac b/configure.ac > > -index 82e8bb7..d1145d3 100644 > > ---- a/configure.ac > > -+++ b/configure.ac > > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > > - AC_SUBST([K5LIBS]) > > - AC_SUBST([CHANNELLIBS]) > > - > > -+# Check whether user wants systemd support > > -+SYSTEMD_MSG="no" > > -+AC_ARG_WITH(systemd, > > -+ [ --with-systemd Enable systemd support], > > -+ [ if test "x$withval" != "xno" ; then > > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > > -+ if test "$PKGCONFIG" != "no"; then > > -+ AC_MSG_CHECKING([for libsystemd]) > > -+ if $PKGCONFIG --exists libsystemd; then > > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags > libsystemd` > > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs > libsystemd` > > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > > -+ AC_MSG_RESULT([yes]) > > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if > you want systemd support.]) > > -+ SYSTEMD_MSG="yes" > > -+ else > > -+ AC_MSG_RESULT([no]) > > -+ fi > > -+ fi > > -+ fi ] > > -+) > > -+ > > - # Looking for programs, paths and files > > - > > - PRIVSEP_PATH=/var/empty > > -@@ -5688,6 +5711,7 @@ echo " libldns support: > $LDNS_MSG" > > - echo " Solaris process contract support: $SPC_MSG" > > - echo " Solaris project support: $SP_MSG" > > - echo " Solaris privilege support: $SPP_MSG" > > -+echo " systemd support: $SYSTEMD_MSG" > > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > > - echo " BSD Auth support: $BSD_AUTH_MSG" > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b97..6820a41 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -88,6 +88,10 @@ > > - #include <prot.h> > > - #endif > > - > > -+#ifdef HAVE_SYSTEMD > > -+#include <systemd/sd-daemon.h> > > -+#endif > > -+ > > - #include "xmalloc.h" > > - #include "ssh.h" > > - #include "ssh2.h" > > -@@ -308,6 +312,10 @@ static void > > - sighup_restart(void) > > - { > > - logit("Received SIGHUP; restarting."); > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are reloading */ > > -+ sd_notify(0, "RELOADING=1"); > > -+#endif > > - if (options.pid_file != NULL) > > - unlink(options.pid_file); > > - platform_pre_restart(); > > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > > - } > > - } > > - > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are ready to accept > connections */ > > -+ sd_notify(0, "READY=1"); > > -+#endif > > -+ > > - /* Accept a connection and return in a forked child */ > > - server_accept_loop(&sock_in, &sock_out, > > - &newsock, config_s); > > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service > b/meta/recipes-connectivity/openssh/openssh/sshd.service > > index 3e570ab1e5..c71fff1cc1 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > > After=nss-user-lookup.target > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > KillMode=process > > Restart=on-failure > > RestartSec=42s > > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service > b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > index 9d9965e624..dcfec8f054 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > > After=sshdgenkeys.service > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > index 4f20616295..4680d12be5 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > @@ -24,7 +24,7 @@ SRC_URI = " > http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > > file://run-ptest \ > > file://sshd_check_keys \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > > - > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > > + file://0001-notify-systemd-on-listen-and-reload.patch \ > > file://CVE-2024-6387.patch \ > > " > > SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > > SYSTEMD_SERVICE:${PN}-sshd = > "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', > '', d)} > ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', > '', d)}" > > > > inherit autotools-brokensep ptest pkgconfig > > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > 'systemd', '', d)}" > > > > # systemd-sshd-socket-mode means installing sshd.socket > > # and systemd-sshd-service-mode corresponding to sshd.service > > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > > --sysconfdir=${sysconfdir}/ssh \ > > --with-xauth=${bindir}/xauth \ > > --disable-strip \ > > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > '--with-systemd', '--without-systemd', d)} \ > > " > > > > # musl doesn't implement wtmp/utmp and logwtmp > > -- > > 2.45.2 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#202116): > https://lists.openembedded.org/g/openembedded-core/message/202116 > > Mute This Topic: https://lists.openembedded.org/mt/107252588/1997914 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > raj.khem@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 25975 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-17 8:46 ` Jose Quaresma @ 2024-07-17 9:24 ` ChenQi 2024-07-17 10:52 ` Jose Quaresma 0 siblings, 1 reply; 15+ messages in thread From: ChenQi @ 2024-07-17 9:24 UTC (permalink / raw) To: Jose Quaresma, Khem Raj; +Cc: openembedded-core, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 25888 bytes --] I think the problem might be related to the "+Type=notify-reload" change in sshd@.service. It's in inetd mode so the upstream change about SYSTEMD_NOTIFY should have nothing to do with it. I also doubt if the following line should be removed from sshd.service. -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID Regards, Qi On 7/17/24 16:46, Jose Quaresma wrote: > > Khem Raj <raj.khem@gmail.com> escreveu (quarta, 17/07/2024 à(s) 07:38): > > actually I narrowed down my problem of disconnection to this patch in > the series. Earlier I thought it might be related to the openssh > upgrade patch > but reverting that still causes the problem but this patch when > reverted, the problem is gone. > > > I will jump on this today and try to find the root cause. > The ptest goes well in my local tests but I didn't do anything with > testimage. > I'll see if the testimage picks up something. > > Thanks for the feedback. > > Jose > > > On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via > lists.openembedded.org > <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BUuo8VXD$> > <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > > > Still side effects of the XZ backdoor. The systemd sd-notify patch > > was rejected [1] upstream and was chosen a standalone implementation > > that does not depend on libsystemd [2]. > > > > Racional [1]: > > > > License incompatibility and library bloatedness were the reasons. > > Given recent events we're never going to take a dependency on > libsystemd, > > though we might implement the notification protocol ourselves if > it isn't too much work. > > > > [1] > https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375*issuecomment-2027749729__;Iw!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BXB1d9mL$> > > [2] > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > > > v5: > > - use the upstream solution > > > > ...-notify-systemd-on-listen-and-reload.patch | 225 > ++++++++++++++++++ > > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > > .../openssh/openssh/sshd.service | 2 +- > > .../openssh/openssh/sshd@.service | 1 + > > .../openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > | 4 +- > > 5 files changed, 228 insertions(+), 100 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > new file mode 100644 > > index 0000000000..4925c969fe > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > @@ -0,0 +1,225 @@ > > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 > 00:00:00 2001 > > +From: Damien Miller <djm@mindrot.org> > > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > > +Subject: [PATCH] notify systemd on listen and reload > > + > > +Standalone implementation that does not depend on libsystemd. > > +With assistance from Luca Boccassi, and feedback/testing from Colin > > +Watson. bz2641 > > + > > +Upstream-Status: Backport > [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$>] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 1 + > > + openbsd-compat/port-linux.c | 97 > ++++++++++++++++++++++++++++++++++++- > > + openbsd-compat/port-linux.h | 5 ++ > > + platform.c | 11 +++++ > > + platform.h | 1 + > > + sshd.c | 2 + > > + 6 files changed, 115 insertions(+), 2 deletions(-) > > + > > +diff --git a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +index 82e8bb7c1..854f92b5b 100644 > > +--- a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > ++++ b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad > login attempts]) > > + AC_DEFINE([USE_BTMP]) > > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux > out-of-memory killer]) > > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify > systemd on start/reload]) > > + inet6_default_4in6=yes > > + case `uname -r` in > > + 1.*|2.0.*) > > +diff --git a/openbsd-compat/port-linux.c > b/openbsd-compat/port-linux.c > > +index 0457e28d0..df7290246 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -21,16 +21,23 @@ > > + > > + #include "includes.h" > > + > > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > ++ defined(SYSTEMD_NOTIFY) > > ++#include <sys/socket.h> > > ++#include <sys/un.h> > > ++ > > + #include <errno.h> > > ++#include <inttypes.h> > > + #include <stdarg.h> > > + #include <string.h> > > + #include <stdio.h> > > + #include <stdlib.h> > > ++#include <time.h> > > + > > + #include "log.h" > > + #include "xmalloc.h" > > + #include "port-linux.h" > > ++#include "misc.h" > > + > > + #ifdef WITH_SELINUX > > + #include <selinux/selinux.h> > > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > + return; > > + } > > + #endif /* LINUX_OOM_ADJUST */ > > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > ++ > > ++#ifdef SYSTEMD_NOTIFY > > ++ > > ++static void ssh_systemd_notify(const char *, ...) > > ++ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > ++ > > ++static void > > ++ssh_systemd_notify(const char *fmt, ...) > > ++{ > > ++ char *s = NULL; > > ++ const char *path; > > ++ struct stat sb; > > ++ struct sockaddr_un addr; > > ++ int fd = -1; > > ++ va_list ap; > > ++ > > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || > strlen(path) == 0) > > ++ return; > > ++ > > ++ va_start(ap, fmt); > > ++ xvasprintf(&s, fmt, ap); > > ++ va_end(ap); > > ++ > > ++ /* Only AF_UNIX is supported, with path or abstract > sockets */ > > ++ if (path[0] != '/' && path[0] != '@') { > > ++ error_f("socket \"%s\" is not compatible with > AF_UNIX", path); > > ++ goto out; > > ++ } > > ++ > > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > > ++ error_f("socket \"%s\" stat: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ > > ++ memset(&addr, 0, sizeof(addr)); > > ++ addr.sun_family = AF_UNIX; > > ++ if (strlcpy(addr.sun_path, path, > > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > ++ error_f("socket path \"%s\" too long", path); > > ++ goto out; > > ++ } > > ++ /* Support for abstract socket */ > > ++ if (addr.sun_path[0] == '@') > > ++ addr.sun_path[0] = 0; > > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > ++ error_f("socket \"%s\" write: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ debug_f("socket \"%s\" notified %s", path, s); > > ++ out: > > ++ if (fd != -1) > > ++ close(fd); > > ++ free(s); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_ready(void) > > ++{ > > ++ ssh_systemd_notify("READY=1"); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_reload(void) > > ++{ > > ++ struct timespec now; > > ++ > > ++ monotime_ts(&now); > > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > ++ error_f("monotime returned negative value"); > > ++ ssh_systemd_notify("RELOADING=1"); > > ++ } else { > > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > > ++ } > > ++} > > ++#endif /* SYSTEMD_NOTIFY */ > > ++ > > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > +diff --git a/openbsd-compat/port-linux.h > b/openbsd-compat/port-linux.h > > +index 3c22a854d..14064f87d 100644 > > +--- a/openbsd-compat/port-linux.h > > ++++ b/openbsd-compat/port-linux.h > > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > + void oom_adjust_setup(void); > > + #endif > > + > > ++#ifdef SYSTEMD_NOTIFY > > ++void ssh_systemd_notify_ready(void); > > ++void ssh_systemd_notify_reload(void); > > ++#endif > > ++ > > + #endif /* ! _PORT_LINUX_H */ > > +diff --git a/platform.c b/platform.c > > +index 4fe8744ee..9cf818153 100644 > > +--- a/platform.c > > ++++ b/platform.c > > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > > + #endif > > + } > > + > > ++void > > ++platform_post_listen(void) > > ++{ > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_ready(); > > ++#endif > > ++} > > ++ > > + void > > + platform_pre_fork(void) > > + { > > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > > + void > > + platform_pre_restart(void) > > + { > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_reload(); > > ++#endif > > + #ifdef LINUX_OOM_ADJUST > > + oom_adjust_restore(); > > + #endif > > +diff --git a/platform.h b/platform.h > > +index 7fef8c983..5dec23276 100644 > > +--- a/platform.h > > ++++ b/platform.h > > +@@ -21,6 +21,7 @@ > > + void platform_pre_listen(void); > > + void platform_pre_fork(void); > > + void platform_pre_restart(void); > > ++void platform_post_listen(void); > > + void platform_post_fork_parent(pid_t child_pid); > > + void platform_post_fork_child(void); > > + int platform_privileged_uidswap(void); > > +diff --git a/sshd.c b/sshd.c > > +index b4f2b9742..865331b46 100644 > > +--- a/sshd.c > > ++++ b/sshd.c > > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > + ssh_signal(SIGTERM, sigterm_handler); > > + ssh_signal(SIGQUIT, sigterm_handler); > > + > > ++ platform_post_listen(); > > ++ > > + /* > > + * Write out the pid file after the sigterm handler > > + * is setup and the listen sockets are bound > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > deleted file mode 100644 > > index f079d936a4..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > +++ /dev/null > > @@ -1,96 +0,0 @@ > > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 > 00:00:00 2001 > > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > > -Subject: [PATCH] systemd: Add optional support for systemd > `sd_notify` > > - > > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > > - > > -Upstream-Status: Submitted > [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56 > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$>] > > - > > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > > ---- > > - configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 24 ++++++++++++++++++++++++ > > - sshd.c | 13 +++++++++++++ > > - 2 files changed, 37 insertions(+) > > - > > -diff --git a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -index 82e8bb7..d1145d3 100644 > > ---- a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -+++ b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > > - AC_SUBST([K5LIBS]) > > - AC_SUBST([CHANNELLIBS]) > > - > > -+# Check whether user wants systemd support > > -+SYSTEMD_MSG="no" > > -+AC_ARG_WITH(systemd, > > -+ [ --with-systemd Enable systemd support], > > -+ [ if test "x$withval" != "xno" ; then > > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > > -+ if test "$PKGCONFIG" != "no"; then > > -+ AC_MSG_CHECKING([for libsystemd]) > > -+ if $PKGCONFIG --exists libsystemd; then > > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > > -+ AC_MSG_RESULT([yes]) > > -+ AC_DEFINE(HAVE_SYSTEMD, 1, > [Define if you want systemd support.]) > > -+ SYSTEMD_MSG="yes" > > -+ else > > -+ AC_MSG_RESULT([no]) > > -+ fi > > -+ fi > > -+ fi ] > > -+) > > -+ > > - # Looking for programs, paths and files > > - > > - PRIVSEP_PATH=/var/empty > > -@@ -5688,6 +5711,7 @@ echo " libldns support: > $LDNS_MSG" > > - echo " Solaris process contract support: $SPC_MSG" > > - echo " Solaris project support: $SP_MSG" > > - echo " Solaris privilege support: $SPP_MSG" > > -+echo " systemd support: $SYSTEMD_MSG" > > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > > - echo " BSD Auth support: $BSD_AUTH_MSG" > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b97..6820a41 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -88,6 +88,10 @@ > > - #include <prot.h> > > - #endif > > - > > -+#ifdef HAVE_SYSTEMD > > -+#include <systemd/sd-daemon.h> > > -+#endif > > -+ > > - #include "xmalloc.h" > > - #include "ssh.h" > > - #include "ssh2.h" > > -@@ -308,6 +312,10 @@ static void > > - sighup_restart(void) > > - { > > - logit("Received SIGHUP; restarting."); > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are reloading */ > > -+ sd_notify(0, "RELOADING=1"); > > -+#endif > > - if (options.pid_file != NULL) > > - unlink(options.pid_file); > > - platform_pre_restart(); > > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > > - } > > - } > > - > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are ready to accept > connections */ > > -+ sd_notify(0, "READY=1"); > > -+#endif > > -+ > > - /* Accept a connection and return in a forked > child */ > > - server_accept_loop(&sock_in, &sock_out, > > - &newsock, config_s); > > diff --git > a/meta/recipes-connectivity/openssh/openssh/sshd.service > b/meta/recipes-connectivity/openssh/openssh/sshd.service > > index 3e570ab1e5..c71fff1cc1 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > > After=nss-user-lookup.target > <https://urldefense.com/v3/__http://nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > KillMode=process > > Restart=on-failure > > RestartSec=42s > > diff --git > a/meta/recipes-connectivity/openssh/openssh/sshd@.service > b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > index 9d9965e624..dcfec8f054 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > > After=sshdgenkeys.service > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > index 4f20616295..4680d12be5 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > @@ -24,7 +24,7 @@ SRC_URI = > "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > <https://urldefense.com/v3/__http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> > > file://run-ptest \ > > file://sshd_check_keys \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > \ > > - > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > > + file://0001-notify-systemd-on-listen-and-reload.patch \ > > file://CVE-2024-6387.patch \ > > " > > SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > > SYSTEMD_SERVICE:${PN}-sshd = > "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', > '', d)} > ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', > '', d)}" > > > > inherit autotools-brokensep ptest pkgconfig > > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > 'systemd', '', d)}" > > > > # systemd-sshd-socket-mode means installing sshd.socket > > # and systemd-sshd-service-mode corresponding to sshd.service > > @@ -78,7 +77,6 @@ EXTRA_OECONF = > "'LOGIN_PROGRAM=${base_bindir}/login' \ > > --sysconfdir=${sysconfdir}/ssh \ > > --with-xauth=${bindir}/xauth \ > > --disable-strip \ > > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > '--with-systemd', '--without-systemd', d)} \ > > " > > > > # musl doesn't implement wtmp/utmp and logwtmp > > -- > > 2.45.2 > > > > > > > > > > > > -- > Best regards, > > José Quaresma > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202144):https://lists.openembedded.org/g/openembedded-core/message/202144 > Mute This Topic:https://lists.openembedded.org/mt/107252588/7304865 > Group Owner:openembedded-core+owner@lists.openembedded.org > Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- > [-- Attachment #2: Type: text/html, Size: 42870 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-17 9:24 ` ChenQi @ 2024-07-17 10:52 ` Jose Quaresma 2024-07-18 3:34 ` Chen, Qi 0 siblings, 1 reply; 15+ messages in thread From: Jose Quaresma @ 2024-07-17 10:52 UTC (permalink / raw) To: ChenQi; +Cc: Khem Raj, openembedded-core, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 24345 bytes --] ChenQi <Qi.Chen@windriver.com> escreveu (quarta, 17/07/2024 à(s) 10:25): > I think the problem might be related to the "+Type=notify-reload" change > in sshd@.service. It's in inetd mode so the upstream change about > SYSTEMD_NOTIFY should have nothing to do with it. > I also doubt if the following line should be removed from sshd.service. > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > Make sense. Maybe the service changes in the patch need to be conditional on whether or not we are using systemd. I'm going to try this path a little. but I am now facing some issues with testimage without the overall openssh patch series. Jose > Regards, > Qi > > On 7/17/24 16:46, Jose Quaresma wrote: > > > Khem Raj <raj.khem@gmail.com> escreveu (quarta, 17/07/2024 à(s) 07:38): > >> actually I narrowed down my problem of disconnection to this patch in >> the series. Earlier I thought it might be related to the openssh >> upgrade patch >> but reverting that still causes the problem but this patch when >> reverted, the problem is gone. >> > > I will jump on this today and try to find the root cause. > The ptest goes well in my local tests but I didn't do anything with > testimage. > I'll see if the testimage picks up something. > > Thanks for the feedback. > > Jose > > >> >> On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via >> lists.openembedded.org >> <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BUuo8VXD$> >> <quaresma.jose=gmail.com@lists.openembedded.org> wrote: >> > >> > Still side effects of the XZ backdoor. The systemd sd-notify patch >> > was rejected [1] upstream and was chosen a standalone implementation >> > that does not depend on libsystemd [2]. >> > >> > Racional [1]: >> > >> > License incompatibility and library bloatedness were the reasons. >> > Given recent events we're never going to take a dependency on >> libsystemd, >> > though we might implement the notification protocol ourselves if it >> isn't too much work. >> > >> > [1] >> https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 >> <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375*issuecomment-2027749729__;Iw!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BXB1d9mL$> >> > [2] >> https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c >> <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> >> > >> > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> >> > --- >> > >> > v4: >> > - split update of Upstream-Status in new patches in the serie >> > >> > v5: >> > - use the upstream solution >> > >> > ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ >> > ...tional-support-for-systemd-sd_notify.patch | 96 -------- >> > .../openssh/openssh/sshd.service | 2 +- >> > .../openssh/openssh/sshd@.service | 1 + >> > .../openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> | 4 +- >> > 5 files changed, 228 insertions(+), 100 deletions(-) >> > create mode 100644 >> meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch >> > delete mode 100644 >> meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch >> > >> > diff --git >> a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch >> b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch >> > new file mode 100644 >> > index 0000000000..4925c969fe >> > --- /dev/null >> > +++ >> b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch >> > @@ -0,0 +1,225 @@ >> > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 >> > +From: Damien Miller <djm@mindrot.org> >> > +Date: Wed, 3 Apr 2024 14:40:32 +1100 >> > +Subject: [PATCH] notify systemd on listen and reload >> > + >> > +Standalone implementation that does not depend on libsystemd. >> > +With assistance from Luca Boccassi, and feedback/testing from Colin >> > +Watson. bz2641 >> > + >> > +Upstream-Status: Backport [ >> https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c >> <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> >> ] >> > + >> > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> >> > +--- >> > + configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> | 1 + >> > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- >> > + openbsd-compat/port-linux.h | 5 ++ >> > + platform.c | 11 +++++ >> > + platform.h | 1 + >> > + sshd.c | 2 + >> > + 6 files changed, 115 insertions(+), 2 deletions(-) >> > + >> > +diff --git a/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> b/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > +index 82e8bb7c1..854f92b5b 100644 >> > +--- a/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > ++++ b/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > +@@ -915,6 +915,7 @@ int main(void) { if >> (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) >> > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login >> attempts]) >> > + AC_DEFINE([USE_BTMP]) >> > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory >> killer]) >> > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on >> start/reload]) >> > + inet6_default_4in6=yes >> > + case `uname -r` in >> > + 1.*|2.0.*) >> > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c >> > +index 0457e28d0..df7290246 100644 >> > +--- a/openbsd-compat/port-linux.c >> > ++++ b/openbsd-compat/port-linux.c >> > +@@ -21,16 +21,23 @@ >> > + >> > + #include "includes.h" >> > + >> > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) >> > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ >> > ++ defined(SYSTEMD_NOTIFY) >> > ++#include <sys/socket.h> >> > ++#include <sys/un.h> >> > ++ >> > + #include <errno.h> >> > ++#include <inttypes.h> >> > + #include <stdarg.h> >> > + #include <string.h> >> > + #include <stdio.h> >> > + #include <stdlib.h> >> > ++#include <time.h> >> > + >> > + #include "log.h" >> > + #include "xmalloc.h" >> > + #include "port-linux.h" >> > ++#include "misc.h" >> > + >> > + #ifdef WITH_SELINUX >> > + #include <selinux/selinux.h> >> > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) >> > + return; >> > + } >> > + #endif /* LINUX_OOM_ADJUST */ >> > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ >> > ++ >> > ++#ifdef SYSTEMD_NOTIFY >> > ++ >> > ++static void ssh_systemd_notify(const char *, ...) >> > ++ __attribute__((__format__ (printf, 1, 2))) >> __attribute__((__nonnull__ (1))); >> > ++ >> > ++static void >> > ++ssh_systemd_notify(const char *fmt, ...) >> > ++{ >> > ++ char *s = NULL; >> > ++ const char *path; >> > ++ struct stat sb; >> > ++ struct sockaddr_un addr; >> > ++ int fd = -1; >> > ++ va_list ap; >> > ++ >> > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == >> 0) >> > ++ return; >> > ++ >> > ++ va_start(ap, fmt); >> > ++ xvasprintf(&s, fmt, ap); >> > ++ va_end(ap); >> > ++ >> > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ >> > ++ if (path[0] != '/' && path[0] != '@') { >> > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", >> path); >> > ++ goto out; >> > ++ } >> > ++ >> > ++ if (path[0] == '/' && stat(path, &sb) != 0) { >> > ++ error_f("socket \"%s\" stat: %s", path, >> strerror(errno)); >> > ++ goto out; >> > ++ } >> > ++ >> > ++ memset(&addr, 0, sizeof(addr)); >> > ++ addr.sun_family = AF_UNIX; >> > ++ if (strlcpy(addr.sun_path, path, >> > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { >> > ++ error_f("socket path \"%s\" too long", path); >> > ++ goto out; >> > ++ } >> > ++ /* Support for abstract socket */ >> > ++ if (addr.sun_path[0] == '@') >> > ++ addr.sun_path[0] = 0; >> > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { >> > ++ error_f("socket \"%s\": %s", path, strerror(errno)); >> > ++ goto out; >> > ++ } >> > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { >> > ++ error_f("socket \"%s\" connect: %s", path, >> strerror(errno)); >> > ++ goto out; >> > ++ } >> > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { >> > ++ error_f("socket \"%s\" write: %s", path, >> strerror(errno)); >> > ++ goto out; >> > ++ } >> > ++ debug_f("socket \"%s\" notified %s", path, s); >> > ++ out: >> > ++ if (fd != -1) >> > ++ close(fd); >> > ++ free(s); >> > ++} >> > ++ >> > ++void >> > ++ssh_systemd_notify_ready(void) >> > ++{ >> > ++ ssh_systemd_notify("READY=1"); >> > ++} >> > ++ >> > ++void >> > ++ssh_systemd_notify_reload(void) >> > ++{ >> > ++ struct timespec now; >> > ++ >> > ++ monotime_ts(&now); >> > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { >> > ++ error_f("monotime returned negative value"); >> > ++ ssh_systemd_notify("RELOADING=1"); >> > ++ } else { >> > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", >> > ++ ((uint64_t)now.tv_sec * 1000000ULL) + >> > ++ ((uint64_t)now.tv_nsec / 1000ULL)); >> > ++ } >> > ++} >> > ++#endif /* SYSTEMD_NOTIFY */ >> > ++ >> > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ >> > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h >> > +index 3c22a854d..14064f87d 100644 >> > +--- a/openbsd-compat/port-linux.h >> > ++++ b/openbsd-compat/port-linux.h >> > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); >> > + void oom_adjust_setup(void); >> > + #endif >> > + >> > ++#ifdef SYSTEMD_NOTIFY >> > ++void ssh_systemd_notify_ready(void); >> > ++void ssh_systemd_notify_reload(void); >> > ++#endif >> > ++ >> > + #endif /* ! _PORT_LINUX_H */ >> > +diff --git a/platform.c b/platform.c >> > +index 4fe8744ee..9cf818153 100644 >> > +--- a/platform.c >> > ++++ b/platform.c >> > +@@ -44,6 +44,14 @@ platform_pre_listen(void) >> > + #endif >> > + } >> > + >> > ++void >> > ++platform_post_listen(void) >> > ++{ >> > ++#ifdef SYSTEMD_NOTIFY >> > ++ ssh_systemd_notify_ready(); >> > ++#endif >> > ++} >> > ++ >> > + void >> > + platform_pre_fork(void) >> > + { >> > +@@ -55,6 +63,9 @@ platform_pre_fork(void) >> > + void >> > + platform_pre_restart(void) >> > + { >> > ++#ifdef SYSTEMD_NOTIFY >> > ++ ssh_systemd_notify_reload(); >> > ++#endif >> > + #ifdef LINUX_OOM_ADJUST >> > + oom_adjust_restore(); >> > + #endif >> > +diff --git a/platform.h b/platform.h >> > +index 7fef8c983..5dec23276 100644 >> > +--- a/platform.h >> > ++++ b/platform.h >> > +@@ -21,6 +21,7 @@ >> > + void platform_pre_listen(void); >> > + void platform_pre_fork(void); >> > + void platform_pre_restart(void); >> > ++void platform_post_listen(void); >> > + void platform_post_fork_parent(pid_t child_pid); >> > + void platform_post_fork_child(void); >> > + int platform_privileged_uidswap(void); >> > +diff --git a/sshd.c b/sshd.c >> > +index b4f2b9742..865331b46 100644 >> > +--- a/sshd.c >> > ++++ b/sshd.c >> > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) >> > + ssh_signal(SIGTERM, sigterm_handler); >> > + ssh_signal(SIGQUIT, sigterm_handler); >> > + >> > ++ platform_post_listen(); >> > ++ >> > + /* >> > + * Write out the pid file after the sigterm handler >> > + * is setup and the listen sockets are bound >> > +-- >> > +2.45.2 >> > + >> > diff --git >> a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch >> b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch >> > deleted file mode 100644 >> > index f079d936a4..0000000000 >> > --- >> a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch >> > +++ /dev/null >> > @@ -1,96 +0,0 @@ >> > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 >> > -From: Matt Jolly <Matt.Jolly@footclan.ninja> >> <Matt.Jolly@footclan.ninja> >> > -Date: Thu, 2 Feb 2023 21:05:40 +1100 >> > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` >> > - >> > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> >> > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch >> > - >> > -Upstream-Status: Submitted [ >> https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56 >> <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$> >> ] >> > - >> > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> >> > ---- >> > - configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> | 24 ++++++++++++++++++++++++ >> > - sshd.c | 13 +++++++++++++ >> > - 2 files changed, 37 insertions(+) >> > - >> > -diff --git a/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> b/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > -index 82e8bb7..d1145d3 100644 >> > ---- a/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > -+++ b/configure.ac >> <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) >> > - AC_SUBST([K5LIBS]) >> > - AC_SUBST([CHANNELLIBS]) >> > - >> > -+# Check whether user wants systemd support >> > -+SYSTEMD_MSG="no" >> > -+AC_ARG_WITH(systemd, >> > -+ [ --with-systemd Enable systemd support], >> > -+ [ if test "x$withval" != "xno" ; then >> > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) >> > -+ if test "$PKGCONFIG" != "no"; then >> > -+ AC_MSG_CHECKING([for libsystemd]) >> > -+ if $PKGCONFIG --exists libsystemd; then >> > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags >> libsystemd` >> > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs >> libsystemd` >> > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" >> > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" >> > -+ AC_MSG_RESULT([yes]) >> > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if >> you want systemd support.]) >> > -+ SYSTEMD_MSG="yes" >> > -+ else >> > -+ AC_MSG_RESULT([no]) >> > -+ fi >> > -+ fi >> > -+ fi ] >> > -+) >> > -+ >> > - # Looking for programs, paths and files >> > - >> > - PRIVSEP_PATH=/var/empty >> > -@@ -5688,6 +5711,7 @@ echo " libldns support: >> $LDNS_MSG" >> > - echo " Solaris process contract support: $SPC_MSG" >> > - echo " Solaris project support: $SP_MSG" >> > - echo " Solaris privilege support: $SPP_MSG" >> > -+echo " systemd support: $SYSTEMD_MSG" >> > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" >> > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" >> > - echo " BSD Auth support: $BSD_AUTH_MSG" >> > -diff --git a/sshd.c b/sshd.c >> > -index b4f2b97..6820a41 100644 >> > ---- a/sshd.c >> > -+++ b/sshd.c >> > -@@ -88,6 +88,10 @@ >> > - #include <prot.h> >> > - #endif >> > - >> > -+#ifdef HAVE_SYSTEMD >> > -+#include <systemd/sd-daemon.h> >> > -+#endif >> > -+ >> > - #include "xmalloc.h" >> > - #include "ssh.h" >> > - #include "ssh2.h" >> > -@@ -308,6 +312,10 @@ static void >> > - sighup_restart(void) >> > - { >> > - logit("Received SIGHUP; restarting."); >> > -+#ifdef HAVE_SYSTEMD >> > -+ /* Signal systemd that we are reloading */ >> > -+ sd_notify(0, "RELOADING=1"); >> > -+#endif >> > - if (options.pid_file != NULL) >> > - unlink(options.pid_file); >> > - platform_pre_restart(); >> > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) >> > - } >> > - } >> > - >> > -+#ifdef HAVE_SYSTEMD >> > -+ /* Signal systemd that we are ready to accept >> connections */ >> > -+ sd_notify(0, "READY=1"); >> > -+#endif >> > -+ >> > - /* Accept a connection and return in a forked child */ >> > - server_accept_loop(&sock_in, &sock_out, >> > - &newsock, config_s); >> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service >> b/meta/recipes-connectivity/openssh/openssh/sshd.service >> > index 3e570ab1e5..c71fff1cc1 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service >> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service >> > @@ -5,11 +5,11 @@ After=sshdgenkeys.service >> > After=nss-user-lookup.target >> <https://urldefense.com/v3/__http://nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> >> > >> > [Service] >> > +Type=notify-reload >> > Environment="SSHD_OPTS=" >> > EnvironmentFile=-/etc/default/ssh >> > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd >> > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS >> > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID >> > KillMode=process >> > Restart=on-failure >> > RestartSec=42s >> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service >> b/meta/recipes-connectivity/openssh/openssh/sshd@.service >> > index 9d9965e624..dcfec8f054 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service >> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service >> > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon >> > After=sshdgenkeys.service >> > >> > [Service] >> > +Type=notify-reload >> > Environment="SSHD_OPTS=" >> > EnvironmentFile=-/etc/default/ssh >> > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS >> > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > index 4f20616295..4680d12be5 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > @@ -24,7 +24,7 @@ SRC_URI = " >> http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar >> <https://urldefense.com/v3/__http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> >> > file://run-ptest \ >> > file://sshd_check_keys \ >> > >> file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ >> > - >> file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ >> > + file://0001-notify-systemd-on-listen-and-reload.patch \ >> > file://CVE-2024-6387.patch \ >> > " >> > SRC_URI[sha256sum] = >> "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" >> > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" >> > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', >> '', d)} >> ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', >> '', d)}" >> <$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket','',d)%7D$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service','',d)%7D> >> > >> > inherit autotools-brokensep ptest pkgconfig >> > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', >> 'systemd', '', d)}" >> <$%7B@bb.utils.contains('DISTRO_FEATURES','systemd','systemd','',d)%7D> >> > >> > # systemd-sshd-socket-mode means installing sshd.socket >> > # and systemd-sshd-service-mode corresponding to sshd.service >> > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ >> > --sysconfdir=${sysconfdir}/ssh \ >> > --with-xauth=${bindir}/xauth \ >> > --disable-strip \ >> > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', >> '--with-systemd', '--without-systemd', d)} \ >> > " >> > >> > # musl doesn't implement wtmp/utmp and logwtmp >> > -- >> > 2.45.2 >> > >> > >> > >> > >> > > > -- > Best regards, > > José Quaresma > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202144): https://lists.openembedded.org/g/openembedded-core/message/202144 > Mute This Topic: https://lists.openembedded.org/mt/107252588/7304865 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- > > > > -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 38678 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-17 10:52 ` Jose Quaresma @ 2024-07-18 3:34 ` Chen, Qi 2024-07-18 9:16 ` Jose Quaresma 0 siblings, 1 reply; 15+ messages in thread From: Chen, Qi @ 2024-07-18 3:34 UTC (permalink / raw) To: Jose Quaresma Cc: Khem Raj, openembedded-core@lists.openembedded.org, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 23834 bytes --] Hi Jose, The changes in the patch have already done an implicit check: if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) return; return; This means if it’s not systemd who starts sshd (notify type starting), then the function ssh_systemd_notify just does nothing. I looked at the changes in the patch and the codes around it, if I understand it correctly, in case of ‘-i’ option, sshd does not notify systemd. So the ssd@.service<mailto:ssd@.service> should not use the notify type. Regards, Qi From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Jose Quaresma Sent: Wednesday, July 17, 2024 6:53 PM To: Chen, Qi <Qi.Chen@windriver.com> Cc: Khem Raj <raj.khem@gmail.com>; openembedded-core@lists.openembedded.org; Jose Quaresma <jose.quaresma@foundries.io> Subject: Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream ChenQi <Qi.Chen@windriver.com<mailto:Qi.Chen@windriver.com>> escreveu (quarta, 17/07/2024 à(s) 10:25): I think the problem might be related to the "+Type=notify-reload" change in sshd@.service<mailto:sshd@.service>. It's in inetd mode so the upstream change about SYSTEMD_NOTIFY should have nothing to do with it. I also doubt if the following line should be removed from sshd.service. -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID Make sense. Maybe the service changes in the patch need to be conditional on whether or not we are using systemd. I'm going to try this path a little. but I am now facing some issues with testimage without the overall openssh patch series. Jose Regards, Qi On 7/17/24 16:46, Jose Quaresma wrote: Khem Raj <raj.khem@gmail.com<mailto:raj.khem@gmail.com>> escreveu (quarta, 17/07/2024 à(s) 07:38): actually I narrowed down my problem of disconnection to this patch in the series. Earlier I thought it might be related to the openssh upgrade patch but reverting that still causes the problem but this patch when reverted, the problem is gone. I will jump on this today and try to find the root cause. The ptest goes well in my local tests but I didn't do anything with testimage. I'll see if the testimage picks up something. Thanks for the feedback. Jose On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org<https://urldefense.com/v3/__http:/lists.openembedded.org__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BUuo8VXD$> <quaresma.jose=gmail.com@lists.openembedded.org<mailto:gmail.com@lists.openembedded.org>> wrote: > > Still side effects of the XZ backdoor. The systemd sd-notify patch > was rejected [1] upstream and was chosen a standalone implementation > that does not depend on libsystemd [2]. > > Racional [1]: > > License incompatibility and library bloatedness were the reasons. > Given recent events we're never going to take a dependency on libsystemd, > though we might implement the notification protocol ourselves if it isn't too much work. > > [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/pull/375*issuecomment-2027749729__;Iw!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BXB1d9mL$> > [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io<mailto:jose.quaresma@foundries.io>> > --- > > v4: > - split update of Upstream-Status in new patches in the serie > > v5: > - use the upstream solution > > ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > .../openssh/openssh/sshd.service | 2 +- > .../openssh/openssh/sshd@.service<mailto:.../openssh/openssh/sshd@.service> | 1 + > .../openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> | 4 +- > 5 files changed, 228 insertions(+), 100 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > new file mode 100644 > index 0000000000..4925c969fe > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > @@ -0,0 +1,225 @@ > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > +From: Damien Miller <djm@mindrot.org<mailto:djm@mindrot.org>> > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > +Subject: [PATCH] notify systemd on listen and reload > + > +Standalone implementation that does not depend on libsystemd. > +With assistance from Luca Boccassi, and feedback/testing from Colin > +Watson. bz2641 > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$>] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io<mailto:jose.quaresma@foundries.io>> > +--- > + configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> | 1 + > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > + openbsd-compat/port-linux.h | 5 ++ > + platform.c | 11 +++++ > + platform.h | 1 + > + sshd.c | 2 + > + 6 files changed, 115 insertions(+), 2 deletions(-) > + > +diff --git a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > +index 82e8bb7c1..854f92b5b 100644 > +--- a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > ++++ b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > + AC_DEFINE([USE_BTMP]) > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > + inet6_default_4in6=yes > + case `uname -r` in > + 1.*|2.0.*) > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 0457e28d0..df7290246 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -21,16 +21,23 @@ > + > + #include "includes.h" > + > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > ++ defined(SYSTEMD_NOTIFY) > ++#include <sys/socket.h> > ++#include <sys/un.h> > ++ > + #include <errno.h> > ++#include <inttypes.h> > + #include <stdarg.h> > + #include <string.h> > + #include <stdio.h> > + #include <stdlib.h> > ++#include <time.h> > + > + #include "log.h" > + #include "xmalloc.h" > + #include "port-linux.h" > ++#include "misc.h" > + > + #ifdef WITH_SELINUX > + #include <selinux/selinux.h> > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > + return; > + } > + #endif /* LINUX_OOM_ADJUST */ > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > ++ > ++#ifdef SYSTEMD_NOTIFY > ++ > ++static void ssh_systemd_notify(const char *, ...) > ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > ++ > ++static void > ++ssh_systemd_notify(const char *fmt, ...) > ++{ > ++ char *s = NULL; > ++ const char *path; > ++ struct stat sb; > ++ struct sockaddr_un addr; > ++ int fd = -1; > ++ va_list ap; > ++ > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > ++ return; > ++ > ++ va_start(ap, fmt); > ++ xvasprintf(&s, fmt, ap); > ++ va_end(ap); > ++ > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > ++ if (path[0] != '/' && path[0] != '@') { > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > ++ goto out; > ++ } > ++ > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ > ++ memset(&addr, 0, sizeof(addr)); > ++ addr.sun_family = AF_UNIX; > ++ if (strlcpy(addr.sun_path, path, > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > ++ error_f("socket path \"%s\" too long", path); > ++ goto out; > ++ } > ++ /* Support for abstract socket */ > ++ if (addr.sun_path[0] == '@') > ++ addr.sun_path[0] = 0; > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ debug_f("socket \"%s\" notified %s", path, s); > ++ out: > ++ if (fd != -1) > ++ close(fd); > ++ free(s); > ++} > ++ > ++void > ++ssh_systemd_notify_ready(void) > ++{ > ++ ssh_systemd_notify("READY=1"); > ++} > ++ > ++void > ++ssh_systemd_notify_reload(void) > ++{ > ++ struct timespec now; > ++ > ++ monotime_ts(&now); > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > ++ error_f("monotime returned negative value"); > ++ ssh_systemd_notify("RELOADING=1"); > ++ } else { > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > ++ } > ++} > ++#endif /* SYSTEMD_NOTIFY */ > ++ > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > +index 3c22a854d..14064f87d 100644 > +--- a/openbsd-compat/port-linux.h > ++++ b/openbsd-compat/port-linux.h > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > + void oom_adjust_setup(void); > + #endif > + > ++#ifdef SYSTEMD_NOTIFY > ++void ssh_systemd_notify_ready(void); > ++void ssh_systemd_notify_reload(void); > ++#endif > ++ > + #endif /* ! _PORT_LINUX_H */ > +diff --git a/platform.c b/platform.c > +index 4fe8744ee..9cf818153 100644 > +--- a/platform.c > ++++ b/platform.c > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > + #endif > + } > + > ++void > ++platform_post_listen(void) > ++{ > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_ready(); > ++#endif > ++} > ++ > + void > + platform_pre_fork(void) > + { > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > + void > + platform_pre_restart(void) > + { > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_reload(); > ++#endif > + #ifdef LINUX_OOM_ADJUST > + oom_adjust_restore(); > + #endif > +diff --git a/platform.h b/platform.h > +index 7fef8c983..5dec23276 100644 > +--- a/platform.h > ++++ b/platform.h > +@@ -21,6 +21,7 @@ > + void platform_pre_listen(void); > + void platform_pre_fork(void); > + void platform_pre_restart(void); > ++void platform_post_listen(void); > + void platform_post_fork_parent(pid_t child_pid); > + void platform_post_fork_child(void); > + int platform_privileged_uidswap(void); > +diff --git a/sshd.c b/sshd.c > +index b4f2b9742..865331b46 100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > + ssh_signal(SIGTERM, sigterm_handler); > + ssh_signal(SIGQUIT, sigterm_handler); > + > ++ platform_post_listen(); > ++ > + /* > + * Write out the pid file after the sigterm handler > + * is setup and the listen sockets are bound > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > deleted file mode 100644 > index f079d936a4..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > +++ /dev/null > @@ -1,96 +0,0 @@ > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > -From: Matt Jolly <Matt.Jolly@footclan.ninja><mailto:Matt.Jolly@footclan.ninja> > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > - > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org<mailto:expeditioneer@gentoo.org>> > -patch based on Jakub Jelen's <jjelen@redhat.com<mailto:jjelen@redhat.com>> original patch > - > -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$>] > - > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com<mailto:xiangyu.chen@windriver.com>> > ---- > - configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> | 24 ++++++++++++++++++++++++ > - sshd.c | 13 +++++++++++++ > - 2 files changed, 37 insertions(+) > - > -diff --git a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > -index 82e8bb7..d1145d3 100644 > ---- a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > -+++ b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > - AC_SUBST([K5LIBS]) > - AC_SUBST([CHANNELLIBS]) > - > -+# Check whether user wants systemd support > -+SYSTEMD_MSG="no" > -+AC_ARG_WITH(systemd, > -+ [ --with-systemd Enable systemd support], > -+ [ if test "x$withval" != "xno" ; then > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > -+ if test "$PKGCONFIG" != "no"; then > -+ AC_MSG_CHECKING([for libsystemd]) > -+ if $PKGCONFIG --exists libsystemd; then > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > -+ AC_MSG_RESULT([yes]) > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) > -+ SYSTEMD_MSG="yes" > -+ else > -+ AC_MSG_RESULT([no]) > -+ fi > -+ fi > -+ fi ] > -+) > -+ > - # Looking for programs, paths and files > - > - PRIVSEP_PATH=/var/empty > -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" > - echo " Solaris process contract support: $SPC_MSG" > - echo " Solaris project support: $SP_MSG" > - echo " Solaris privilege support: $SPP_MSG" > -+echo " systemd support: $SYSTEMD_MSG" > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > - echo " BSD Auth support: $BSD_AUTH_MSG" > -diff --git a/sshd.c b/sshd.c > -index b4f2b97..6820a41 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -88,6 +88,10 @@ > - #include <prot.h> > - #endif > - > -+#ifdef HAVE_SYSTEMD > -+#include <systemd/sd-daemon.h> > -+#endif > -+ > - #include "xmalloc.h" > - #include "ssh.h" > - #include "ssh2.h" > -@@ -308,6 +312,10 @@ static void > - sighup_restart(void) > - { > - logit("Received SIGHUP; restarting."); > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are reloading */ > -+ sd_notify(0, "RELOADING=1"); > -+#endif > - if (options.pid_file != NULL) > - unlink(options.pid_file); > - platform_pre_restart(); > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > - } > - } > - > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are ready to accept connections */ > -+ sd_notify(0, "READY=1"); > -+#endif > -+ > - /* Accept a connection and return in a forked child */ > - server_accept_loop(&sock_in, &sock_out, > - &newsock, config_s); > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service > index 3e570ab1e5..c71fff1cc1 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > After=nss-user-lookup.target<https://urldefense.com/v3/__http:/nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > KillMode=process > Restart=on-failure > RestartSec=42s > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:a/meta/recipes-connectivity/openssh/openssh/sshd@.service> b/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:b/meta/recipes-connectivity/openssh/openssh/sshd@.service> > index 9d9965e624..dcfec8f054 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:a/meta/recipes-connectivity/openssh/openssh/sshd@.service> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:b/meta/recipes-connectivity/openssh/openssh/sshd@.service> > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > After=sshdgenkeys.service > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > index 4f20616295..4680d12be5 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar<https://urldefense.com/v3/__http:/ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> > file://run-ptest \ > file://sshd_check_keys \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > + file://0001-notify-systemd-on-listen-and-reload.patch \ > file://CVE-2024-6387.patch \ > " > SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"<mailto:$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket','',d)%7D$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service','',d)%7D> > > inherit autotools-brokensep ptest pkgconfig > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"<mailto:$%7B@bb.utils.contains('DISTRO_FEATURES','systemd','systemd','',d)%7D> > > # systemd-sshd-socket-mode means installing sshd.socket > # and systemd-sshd-service-mode corresponding to sshd.service > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > --sysconfdir=${sysconfdir}/ssh \ > --with-xauth=${bindir}/xauth \ > --disable-strip \ > - ${@bb.utils.contains('DISTRO_FEATURES<mailto:$%7b@bb.utils.contains('DISTRO_FEATURES>', 'systemd', '--with-systemd', '--without-systemd', d)} \ > " > > # musl doesn't implement wtmp/utmp and logwtmp > -- > 2.45.2 > > > > -- Best regards, José Quaresma -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 40634 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream 2024-07-18 3:34 ` Chen, Qi @ 2024-07-18 9:16 ` Jose Quaresma 0 siblings, 0 replies; 15+ messages in thread From: Jose Quaresma @ 2024-07-18 9:16 UTC (permalink / raw) To: Chen, Qi Cc: Khem Raj, openembedded-core@lists.openembedded.org, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 25263 bytes --] Hi Qi, Chen, Qi <Qi.Chen@windriver.com> escreveu (quinta, 18/07/2024 à(s) 04:34): > Hi Jose, > > > > The changes in the patch have already done an implicit check: > > > > if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > > return; > > > > return; > > This means if it’s not systemd who starts sshd (notify type starting), > then the function ssh_systemd_notify just does nothing. > The SYSTEMD_NOTIFY is always enabled in linux regardless of which init system is in use. I have finished the tests with sysvinit and everything looks good. Can't the timeout Khem mention. I am now building it with the systemd init manager to test. > > > I looked at the changes in the patch and the codes around it, if I > understand it correctly, in case of ‘-i’ option, sshd does not notify > systemd. So the ssd@.service should not use the notify type. > I had also seen this detail in the service, I will test it with both services sshd.service and sshd@.service to see the difference. The sshd.service runs in the foreground with '-D' and without the '-i'. I wonder if it wouldn't be better to do the same in both (with -D) and thus notify the systemd in both? Jose > > > Regards, > > Qi > > > > *From:* openembedded-core@lists.openembedded.org < > openembedded-core@lists.openembedded.org> *On Behalf Of *Jose Quaresma > *Sent:* Wednesday, July 17, 2024 6:53 PM > *To:* Chen, Qi <Qi.Chen@windriver.com> > *Cc:* Khem Raj <raj.khem@gmail.com>; > openembedded-core@lists.openembedded.org; Jose Quaresma < > jose.quaresma@foundries.io> > *Subject:* Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was > implemented upstream > > > > > > > > ChenQi <Qi.Chen@windriver.com> escreveu (quarta, 17/07/2024 à(s) 10:25): > > I think the problem might be related to the "+Type=notify-reload" change > in sshd@.service. It's in inetd mode so the upstream change about > SYSTEMD_NOTIFY should have nothing to do with it. > > I also doubt if the following line should be removed from sshd.service. > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > Make sense. > Maybe the service changes in the patch need to be conditional on whether > or not we are using systemd. > > I'm going to try this path a little. > > > > but I am now facing some issues with testimage without the overall openssh > patch series. > > > > Jose > > > > Regards, > > Qi > > > > On 7/17/24 16:46, Jose Quaresma wrote: > > > > Khem Raj <raj.khem@gmail.com> escreveu (quarta, 17/07/2024 à(s) 07:38): > > actually I narrowed down my problem of disconnection to this patch in > the series. Earlier I thought it might be related to the openssh > upgrade patch > but reverting that still causes the problem but this patch when > reverted, the problem is gone. > > > > I will jump on this today and try to find the root cause. > > The ptest goes well in my local tests but I didn't do anything with > testimage. > I'll see if the testimage picks up something. > > > > Thanks for the feedback. > > > > Jose > > > > > On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via > lists.openembedded.org > <https://urldefense.com/v3/__http:/lists.openembedded.org__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BUuo8VXD$> > <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > > > Still side effects of the XZ backdoor. The systemd sd-notify patch > > was rejected [1] upstream and was chosen a standalone implementation > > that does not depend on libsystemd [2]. > > > > Racional [1]: > > > > License incompatibility and library bloatedness were the reasons. > > Given recent events we're never going to take a dependency on libsystemd, > > though we might implement the notification protocol ourselves if it > isn't too much work. > > > > [1] > https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 > <https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/pull/375*issuecomment-2027749729__;Iw!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BXB1d9mL$> > > [2] > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > > > v5: > > - use the upstream solution > > > > ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++ > > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > > .../openssh/openssh/sshd.service | 2 +- > > .../openssh/openssh/sshd@.service | 1 + > > .../openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > | 4 +- > > 5 files changed, 228 insertions(+), 100 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > new file mode 100644 > > index 0000000000..4925c969fe > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > @@ -0,0 +1,225 @@ > > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > > +From: Damien Miller <djm@mindrot.org> > > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > > +Subject: [PATCH] notify systemd on listen and reload > > + > > +Standalone implementation that does not depend on libsystemd. > > +With assistance from Luca Boccassi, and feedback/testing from Colin > > +Watson. bz2641 > > + > > +Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> > ] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 1 + > > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > > + openbsd-compat/port-linux.h | 5 ++ > > + platform.c | 11 +++++ > > + platform.h | 1 + > > + sshd.c | 2 + > > + 6 files changed, 115 insertions(+), 2 deletions(-) > > + > > +diff --git a/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +index 82e8bb7c1..854f92b5b 100644 > > +--- a/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > ++++ b/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login > attempts]) > > + AC_DEFINE([USE_BTMP]) > > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory > killer]) > > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on > start/reload]) > > + inet6_default_4in6=yes > > + case `uname -r` in > > + 1.*|2.0.*) > > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > +index 0457e28d0..df7290246 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -21,16 +21,23 @@ > > + > > + #include "includes.h" > > + > > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > ++ defined(SYSTEMD_NOTIFY) > > ++#include <sys/socket.h> > > ++#include <sys/un.h> > > ++ > > + #include <errno.h> > > ++#include <inttypes.h> > > + #include <stdarg.h> > > + #include <string.h> > > + #include <stdio.h> > > + #include <stdlib.h> > > ++#include <time.h> > > + > > + #include "log.h" > > + #include "xmalloc.h" > > + #include "port-linux.h" > > ++#include "misc.h" > > + > > + #ifdef WITH_SELINUX > > + #include <selinux/selinux.h> > > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > + return; > > + } > > + #endif /* LINUX_OOM_ADJUST */ > > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > ++ > > ++#ifdef SYSTEMD_NOTIFY > > ++ > > ++static void ssh_systemd_notify(const char *, ...) > > ++ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > ++ > > ++static void > > ++ssh_systemd_notify(const char *fmt, ...) > > ++{ > > ++ char *s = NULL; > > ++ const char *path; > > ++ struct stat sb; > > ++ struct sockaddr_un addr; > > ++ int fd = -1; > > ++ va_list ap; > > ++ > > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == > 0) > > ++ return; > > ++ > > ++ va_start(ap, fmt); > > ++ xvasprintf(&s, fmt, ap); > > ++ va_end(ap); > > ++ > > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > > ++ if (path[0] != '/' && path[0] != '@') { > > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", > path); > > ++ goto out; > > ++ } > > ++ > > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ > > ++ memset(&addr, 0, sizeof(addr)); > > ++ addr.sun_family = AF_UNIX; > > ++ if (strlcpy(addr.sun_path, path, > > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > ++ error_f("socket path \"%s\" too long", path); > > ++ goto out; > > ++ } > > ++ /* Support for abstract socket */ > > ++ if (addr.sun_path[0] == '@') > > ++ addr.sun_path[0] = 0; > > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > ++ error_f("socket \"%s\" write: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ debug_f("socket \"%s\" notified %s", path, s); > > ++ out: > > ++ if (fd != -1) > > ++ close(fd); > > ++ free(s); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_ready(void) > > ++{ > > ++ ssh_systemd_notify("READY=1"); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_reload(void) > > ++{ > > ++ struct timespec now; > > ++ > > ++ monotime_ts(&now); > > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > ++ error_f("monotime returned negative value"); > > ++ ssh_systemd_notify("RELOADING=1"); > > ++ } else { > > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > > ++ } > > ++} > > ++#endif /* SYSTEMD_NOTIFY */ > > ++ > > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > > +index 3c22a854d..14064f87d 100644 > > +--- a/openbsd-compat/port-linux.h > > ++++ b/openbsd-compat/port-linux.h > > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > + void oom_adjust_setup(void); > > + #endif > > + > > ++#ifdef SYSTEMD_NOTIFY > > ++void ssh_systemd_notify_ready(void); > > ++void ssh_systemd_notify_reload(void); > > ++#endif > > ++ > > + #endif /* ! _PORT_LINUX_H */ > > +diff --git a/platform.c b/platform.c > > +index 4fe8744ee..9cf818153 100644 > > +--- a/platform.c > > ++++ b/platform.c > > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > > + #endif > > + } > > + > > ++void > > ++platform_post_listen(void) > > ++{ > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_ready(); > > ++#endif > > ++} > > ++ > > + void > > + platform_pre_fork(void) > > + { > > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > > + void > > + platform_pre_restart(void) > > + { > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_reload(); > > ++#endif > > + #ifdef LINUX_OOM_ADJUST > > + oom_adjust_restore(); > > + #endif > > +diff --git a/platform.h b/platform.h > > +index 7fef8c983..5dec23276 100644 > > +--- a/platform.h > > ++++ b/platform.h > > +@@ -21,6 +21,7 @@ > > + void platform_pre_listen(void); > > + void platform_pre_fork(void); > > + void platform_pre_restart(void); > > ++void platform_post_listen(void); > > + void platform_post_fork_parent(pid_t child_pid); > > + void platform_post_fork_child(void); > > + int platform_privileged_uidswap(void); > > +diff --git a/sshd.c b/sshd.c > > +index b4f2b9742..865331b46 100644 > > +--- a/sshd.c > > ++++ b/sshd.c > > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > + ssh_signal(SIGTERM, sigterm_handler); > > + ssh_signal(SIGQUIT, sigterm_handler); > > + > > ++ platform_post_listen(); > > ++ > > + /* > > + * Write out the pid file after the sigterm handler > > + * is setup and the listen sockets are bound > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > deleted file mode 100644 > > index f079d936a4..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > +++ /dev/null > > @@ -1,96 +0,0 @@ > > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > <Matt.Jolly@footclan.ninja> > > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > > - > > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > > - > > -Upstream-Status: Submitted [ > https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56 > <https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$> > ] > > - > > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > > ---- > > - configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 24 ++++++++++++++++++++++++ > > - sshd.c | 13 +++++++++++++ > > - 2 files changed, 37 insertions(+) > > - > > -diff --git a/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -index 82e8bb7..d1145d3 100644 > > ---- a/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -+++ b/configure.ac > <https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > > - AC_SUBST([K5LIBS]) > > - AC_SUBST([CHANNELLIBS]) > > - > > -+# Check whether user wants systemd support > > -+SYSTEMD_MSG="no" > > -+AC_ARG_WITH(systemd, > > -+ [ --with-systemd Enable systemd support], > > -+ [ if test "x$withval" != "xno" ; then > > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > > -+ if test "$PKGCONFIG" != "no"; then > > -+ AC_MSG_CHECKING([for libsystemd]) > > -+ if $PKGCONFIG --exists libsystemd; then > > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags > libsystemd` > > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs > libsystemd` > > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > > -+ AC_MSG_RESULT([yes]) > > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if > you want systemd support.]) > > -+ SYSTEMD_MSG="yes" > > -+ else > > -+ AC_MSG_RESULT([no]) > > -+ fi > > -+ fi > > -+ fi ] > > -+) > > -+ > > - # Looking for programs, paths and files > > - > > - PRIVSEP_PATH=/var/empty > > -@@ -5688,6 +5711,7 @@ echo " libldns support: > $LDNS_MSG" > > - echo " Solaris process contract support: $SPC_MSG" > > - echo " Solaris project support: $SP_MSG" > > - echo " Solaris privilege support: $SPP_MSG" > > -+echo " systemd support: $SYSTEMD_MSG" > > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > > - echo " BSD Auth support: $BSD_AUTH_MSG" > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b97..6820a41 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -88,6 +88,10 @@ > > - #include <prot.h> > > - #endif > > - > > -+#ifdef HAVE_SYSTEMD > > -+#include <systemd/sd-daemon.h> > > -+#endif > > -+ > > - #include "xmalloc.h" > > - #include "ssh.h" > > - #include "ssh2.h" > > -@@ -308,6 +312,10 @@ static void > > - sighup_restart(void) > > - { > > - logit("Received SIGHUP; restarting."); > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are reloading */ > > -+ sd_notify(0, "RELOADING=1"); > > -+#endif > > - if (options.pid_file != NULL) > > - unlink(options.pid_file); > > - platform_pre_restart(); > > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > > - } > > - } > > - > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are ready to accept > connections */ > > -+ sd_notify(0, "READY=1"); > > -+#endif > > -+ > > - /* Accept a connection and return in a forked child */ > > - server_accept_loop(&sock_in, &sock_out, > > - &newsock, config_s); > > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service > b/meta/recipes-connectivity/openssh/openssh/sshd.service > > index 3e570ab1e5..c71fff1cc1 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > > After=nss-user-lookup.target > <https://urldefense.com/v3/__http:/nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > KillMode=process > > Restart=on-failure > > RestartSec=42s > > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service > b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > index 9d9965e624..dcfec8f054 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > > After=sshdgenkeys.service > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > index 4f20616295..4680d12be5 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > @@ -24,7 +24,7 @@ SRC_URI = " > http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > <https://urldefense.com/v3/__http:/ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> > > file://run-ptest \ > > file://sshd_check_keys \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > > - > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > > + file://0001-notify-systemd-on-listen-and-reload.patch \ > > file://CVE-2024-6387.patch \ > > " > > SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', > '', d)} > ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', > '', d)}" > <$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket','',d)%7D$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service','',d)%7D> > > > > inherit autotools-brokensep ptest pkgconfig > > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > 'systemd', '', d)}" > <$%7B@bb.utils.contains('DISTRO_FEATURES','systemd','systemd','',d)%7D> > > > > # systemd-sshd-socket-mode means installing sshd.socket > > # and systemd-sshd-service-mode corresponding to sshd.service > > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > > --sysconfdir=${sysconfdir}/ssh \ > > --with-xauth=${bindir}/xauth \ > > --disable-strip \ > > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > '--with-systemd', '--without-systemd', d)} \ > > " > > > > # musl doesn't implement wtmp/utmp and logwtmp > > -- > > 2.45.2 > > > > > > > > > > > > > -- > > Best regards, > > > José Quaresma > > > > > > > > > > > > > -- > > Best regards, > > > José Quaresma > -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 38165 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-16 14:16 [OE-core][PATCH v5 1/3] openssh: drop rejected patch fixed in 8.6p1 release Jose Quaresma 2024-07-16 14:16 ` [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream Jose Quaresma @ 2024-07-16 14:16 ` Jose Quaresma 2024-07-16 14:37 ` Patchtest results for " patchtest ` (3 more replies) 1 sibling, 4 replies; 15+ messages in thread From: Jose Quaresma @ 2024-07-16 14:16 UTC (permalink / raw) To: openembedded-core; +Cc: Jose Quaresma - drop the CVE-2024-6387 - drop the backported systemd notify - backported fix for musl build - submited fix for ptest regression - sshd now had the sshd-session Release notes at https://www.openssh.com/txt/release-9.8 Security ======== This release contains fixes for two security problems, one critical and one minor. 1) Race condition in sshd(8) A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. We thank the Qualys Security Advisory Team for discovering, reporting and demonstrating exploitability of this problem, and for providing detailed feedback on additional mitigation measures. 2) Logic error in ssh(1) ObscureKeystrokeTiming In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally. This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab. Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default). This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025. DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" in Makefile.inc. To enable DSA support in portable OpenSSH, pass the "--enable-dsa-keys" option to configure. Potentially-incompatible changes -------------------------------- * all: as mentioned above, the DSA signature algorithm is now disabled at compile time. * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 * (portable OpenSSH only) Automatically-generated files, such as configure, config.h.in, etc will now be checked in to the portable OpenSSH git release branch (e.g. V_9_8). This should ensure that the contents of the signed release branch exactly match the contents of the signed release tarball. Changes since OpenSSH 9.7 ========================= This release contains mostly bugfixes. New features ------------ * sshd(8): as described above, sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. sshd(8) will now identify situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit bugs in sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum configurable threshold, then all connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range) until the penalty expire. Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. Address ranges may be fully exempted from penalties, e.g. to guarantee access from a set of trusted management addresses, using the new sshd_config(5) PerSourcePenaltyExemptList option. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. This option is enabled by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Bugfixes -------- * misc: fix a number of inaccuracies in the PROTOCOL.* documentation files. GHPR430 GHPR487 * all: switch to strtonum(3) for more robust integer parsing in most places. * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 * sftp(1): flush stdout after writing "sftp>" prompt when not using editline. GHPR480 * sftp-server(8): fix home-directory extension implementation, it previously always returned the current user's home directory contrary to the spec. GHPR477 * ssh-keyscan(1): do not close stdin to prevent error messages when stdin is read multiple times. E.g. echo localhost | ssh-keyscan -f - -f - * regression tests: fix rekey test that was testing the same KEX algorithm repeatedly instead of testing all of them. bz3692 * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive documentation, especially around what is supported vs available. bz3701. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * build: fix OpenSSL ED25519 support detection. An incorrect function signature in configure.ac previously prevented enabling the recently added support for ED25519 private keys in PEM PKCS8 format. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 * build: improve detection of the -fzero-call-used-regs compiler flag. bz3673. * build: relax OpenSSL version check to accept all OpenSSL 3.x versions. * sshd(8): add support for notifying systemd on server listen and reload, using a standalone implementation that doesn't depend on libsystemd. bz2641 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> --- v2: - fix musl build - fix sshd-session packing on openssh-sshd - rebase on top of the CVE-2024-6387 fix sent v3: - fix the ptest fail - update upstream status of the systemd sd-notify patch v4: - split update of Upstream-Status in new patches in the serie - submit the the ptest fix upstream v5: - backport upstream fix for musl build - drop the backported systemd notify ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ ...h-log-input-and-output-files-on-erro.patch | 8 +- ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ .../openssh/openssh/CVE-2024-6387.patch | 27 --- .../openssh/openssh/run-ptest | 1 + .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- 7 files changed, 73 insertions(+), 261 deletions(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => openssh_9.8p1.bb} (96%) diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch new file mode 100644 index 0000000000..c41642ae10 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch @@ -0,0 +1,30 @@ +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Sun, 7 Jul 2024 18:46:19 +1000 +Subject: [PATCH] Cast to sockaddr * in systemd interface. + +Fixes build with musl libx. bz#3707. + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8] + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> +--- + openbsd-compat/port-linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 4c024c6d2..8adfec5a7 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) + error_f("socket \"%s\": %s", path, strerror(errno)); + goto out; + } +- if (connect(fd, &addr, sizeof(addr)) != 0) { ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { + error_f("socket \"%s\" connect: %s", path, strerror(errno)); + goto out; + } +-- +2.45.2 + diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch deleted file mode 100644 index 4925c969fe..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch +++ /dev/null @@ -1,225 +0,0 @@ -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Wed, 3 Apr 2024 14:40:32 +1100 -Subject: [PATCH] notify systemd on listen and reload - -Standalone implementation that does not depend on libsystemd. -With assistance from Luca Boccassi, and feedback/testing from Colin -Watson. bz2641 - -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] - -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> ---- - configure.ac | 1 + - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- - openbsd-compat/port-linux.h | 5 ++ - platform.c | 11 +++++ - platform.h | 1 + - sshd.c | 2 + - 6 files changed, 115 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 82e8bb7c1..854f92b5b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) - AC_DEFINE([USE_BTMP]) - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) - inet6_default_4in6=yes - case `uname -r` in - 1.*|2.0.*) -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c -index 0457e28d0..df7290246 100644 ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c -@@ -21,16 +21,23 @@ - - #include "includes.h" - --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ -+ defined(SYSTEMD_NOTIFY) -+#include <sys/socket.h> -+#include <sys/un.h> -+ - #include <errno.h> -+#include <inttypes.h> - #include <stdarg.h> - #include <string.h> - #include <stdio.h> - #include <stdlib.h> -+#include <time.h> - - #include "log.h" - #include "xmalloc.h" - #include "port-linux.h" -+#include "misc.h" - - #ifdef WITH_SELINUX - #include <selinux/selinux.h> -@@ -310,4 +317,90 @@ oom_adjust_restore(void) - return; - } - #endif /* LINUX_OOM_ADJUST */ --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ -+ -+#ifdef SYSTEMD_NOTIFY -+ -+static void ssh_systemd_notify(const char *, ...) -+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); -+ -+static void -+ssh_systemd_notify(const char *fmt, ...) -+{ -+ char *s = NULL; -+ const char *path; -+ struct stat sb; -+ struct sockaddr_un addr; -+ int fd = -1; -+ va_list ap; -+ -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) -+ return; -+ -+ va_start(ap, fmt); -+ xvasprintf(&s, fmt, ap); -+ va_end(ap); -+ -+ /* Only AF_UNIX is supported, with path or abstract sockets */ -+ if (path[0] != '/' && path[0] != '@') { -+ error_f("socket \"%s\" is not compatible with AF_UNIX", path); -+ goto out; -+ } -+ -+ if (path[0] == '/' && stat(path, &sb) != 0) { -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); -+ goto out; -+ } -+ -+ memset(&addr, 0, sizeof(addr)); -+ addr.sun_family = AF_UNIX; -+ if (strlcpy(addr.sun_path, path, -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { -+ error_f("socket path \"%s\" too long", path); -+ goto out; -+ } -+ /* Support for abstract socket */ -+ if (addr.sun_path[0] == '@') -+ addr.sun_path[0] = 0; -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { -+ error_f("socket \"%s\": %s", path, strerror(errno)); -+ goto out; -+ } -+ if (connect(fd, &addr, sizeof(addr)) != 0) { -+ error_f("socket \"%s\" connect: %s", path, strerror(errno)); -+ goto out; -+ } -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); -+ goto out; -+ } -+ debug_f("socket \"%s\" notified %s", path, s); -+ out: -+ if (fd != -1) -+ close(fd); -+ free(s); -+} -+ -+void -+ssh_systemd_notify_ready(void) -+{ -+ ssh_systemd_notify("READY=1"); -+} -+ -+void -+ssh_systemd_notify_reload(void) -+{ -+ struct timespec now; -+ -+ monotime_ts(&now); -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { -+ error_f("monotime returned negative value"); -+ ssh_systemd_notify("RELOADING=1"); -+ } else { -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", -+ ((uint64_t)now.tv_sec * 1000000ULL) + -+ ((uint64_t)now.tv_nsec / 1000ULL)); -+ } -+} -+#endif /* SYSTEMD_NOTIFY */ -+ -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h -index 3c22a854d..14064f87d 100644 ---- a/openbsd-compat/port-linux.h -+++ b/openbsd-compat/port-linux.h -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); - void oom_adjust_setup(void); - #endif - -+#ifdef SYSTEMD_NOTIFY -+void ssh_systemd_notify_ready(void); -+void ssh_systemd_notify_reload(void); -+#endif -+ - #endif /* ! _PORT_LINUX_H */ -diff --git a/platform.c b/platform.c -index 4fe8744ee..9cf818153 100644 ---- a/platform.c -+++ b/platform.c -@@ -44,6 +44,14 @@ platform_pre_listen(void) - #endif - } - -+void -+platform_post_listen(void) -+{ -+#ifdef SYSTEMD_NOTIFY -+ ssh_systemd_notify_ready(); -+#endif -+} -+ - void - platform_pre_fork(void) - { -@@ -55,6 +63,9 @@ platform_pre_fork(void) - void - platform_pre_restart(void) - { -+#ifdef SYSTEMD_NOTIFY -+ ssh_systemd_notify_reload(); -+#endif - #ifdef LINUX_OOM_ADJUST - oom_adjust_restore(); - #endif -diff --git a/platform.h b/platform.h -index 7fef8c983..5dec23276 100644 ---- a/platform.h -+++ b/platform.h -@@ -21,6 +21,7 @@ - void platform_pre_listen(void); - void platform_pre_fork(void); - void platform_pre_restart(void); -+void platform_post_listen(void); - void platform_post_fork_parent(pid_t child_pid); - void platform_post_fork_child(void); - int platform_privileged_uidswap(void); -diff --git a/sshd.c b/sshd.c -index b4f2b9742..865331b46 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2077,6 +2077,8 @@ main(int ac, char **av) - ssh_signal(SIGTERM, sigterm_handler); - ssh_signal(SIGQUIT, sigterm_handler); - -+ platform_post_listen(); -+ - /* - * Write out the pid file after the sigterm handler - * is setup and the listen sockets are bound --- -2.45.2 - diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch index 8763f30f4b..f424288e37 100644 --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch @@ -1,4 +1,4 @@ -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 From: Mikko Rapeli <mikko.rapeli@linaro.org> Date: Mon, 11 Sep 2023 09:55:21 +0100 Subject: [PATCH] regress/banner.sh: log input and output files on error @@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> --- regress/banner.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/regress/banner.sh b/regress/banner.sh -index a84feb5a..de84957a 100644 +index a84feb5..de84957 100644 --- a/regress/banner.sh +++ b/regress/banner.sh @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 done trace "test suppress banner (-q)" --- -2.34.1 - diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch new file mode 100644 index 0000000000..b90cd2e69d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch @@ -0,0 +1,35 @@ +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 +From: Jose Quaresma <jose.quaresma@foundries.io> +Date: Mon, 15 Jul 2024 18:43:08 +0100 +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env + +The SSHAGENT_BIN was changed in [1] to SSH_BIN but +the last one don't use the absolute path and consequently +the function increase_datafile_size can loops forever +if the binary not found. + +[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 + +Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510] + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> +--- + regress/test-exec.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/regress/test-exec.sh b/regress/test-exec.sh +index 7afc2807..175f554b 100644 +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then + fi + + # Path to sshd must be absolute for rexec ++case "$SSH" in ++/*) ;; ++*) SSH=`which $SSH` ;; ++esac ++ + case "$SSHD" in + /*) ;; + *) SSHD=`which $SSHD` ;; diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch deleted file mode 100644 index 3e7c707100..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch +++ /dev/null @@ -1,27 +0,0 @@ -Description: fix signal handler race condition -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 - -CVE: CVE-2024-6387 - -Upstream-Status: Backport -https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc - -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> - ---- a/log.c -+++ b/log.c -@@ -452,12 +452,14 @@ void - sshsigdie(const char *file, const char *func, int line, int showfunc, - LogLevel level, const char *suffix, const char *fmt, ...) - { -+#if 0 - va_list args; - - va_start(args, fmt); - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, - suffix, fmt, args); - va_end(args); -+#endif - _exit(1); - } - diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index b2244d725a..c9100f9f37 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest @@ -1,5 +1,6 @@ #!/bin/sh +export TEST_SSH_SSH=ssh export TEST_SHELL=sh export SKIP_UNIT=1 diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb similarity index 96% rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb index 4680d12be5..9554b4783f 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb @@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://volatiles.99_sshd \ file://run-ptest \ file://sshd_check_keys \ + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ - file://0001-notify-systemd-on-listen-and-reload.patch \ - file://CVE-2024-6387.patch \ + file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ " -SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" +SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" FILES:${PN}-scp = "${bindir}/scp.${BPN}" FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" FILES:${PN}-sftp = "${bindir}/sftp" -- 2.45.2 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Patchtest results for [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma @ 2024-07-16 14:37 ` patchtest 2024-07-17 2:04 ` Khem Raj ` (2 subsequent siblings) 3 siblings, 0 replies; 15+ messages in thread From: patchtest @ 2024-07-16 14:37 UTC (permalink / raw) To: Jose Quaresma; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 2929 bytes --] Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/v5-3-3-openssh-upgrade-9.7p1---9.8p1.patch FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format) PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore) PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence) PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence) PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format) PASS: test author valid (test_mbox.TestMbox.test_author_valid) PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence) PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list) SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint) SKIP: pretest src uri left files: Patch cannot be merged (test_metadata.TestMetadata.pretest_src_uri_left_files) SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format) SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence) SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence) SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint) SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head) SKIP: test src uri left files: Patch cannot be merged (test_metadata.TestMetadata.test_src_uri_left_files) SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence) --- Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you! ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma 2024-07-16 14:37 ` Patchtest results for " patchtest @ 2024-07-17 2:04 ` Khem Raj 2024-07-17 7:57 ` Alexandre Belloni 2024-07-17 7:59 ` Alexandre Belloni 3 siblings, 0 replies; 15+ messages in thread From: Khem Raj @ 2024-07-17 2:04 UTC (permalink / raw) To: quaresma.jose; +Cc: openembedded-core, Jose Quaresma My ssh connections are dropping after being connected for a minute or so same target worked fine from the same host before. I do have ServerAliveInterval 30 TCPKeepAlive yes Sometimes folks would suggest the first solution, but it seems to not have any effect anymore. On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > - drop the CVE-2024-6387 > - drop the backported systemd notify > - backported fix for musl build > - submited fix for ptest regression > - sshd now had the sshd-session > > Release notes at https://www.openssh.com/txt/release-9.8 > > Security > ======== > > This release contains fixes for two security problems, one critical > and one minor. > > 1) Race condition in sshd(8) > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > code execution with root privileges. > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > systems with ASLR. Under lab conditions, the attack requires on > average 6-8 hours of continuous connections up to the maximum the > server will accept. Exploitation on 64-bit systems is believed to be > possible but has not been demonstrated at this time. It's likely that > these attacks will be improved upon. > > Exploitation on non-glibc systems is conceivable but has not been > examined. Systems that lack ASLR or users of downstream Linux > distributions that have modified OpenSSH to disable per-connection > ASLR re-randomisation (yes - this is a thing, no - we don't > understand why) may potentially have an easier path to exploitation. > OpenBSD is not vulnerable. > > We thank the Qualys Security Advisory Team for discovering, reporting > and demonstrating exploitability of this problem, and for providing > detailed feedback on additional mitigation measures. > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > ObscureKeystrokeTiming feature (on by default) rendered this feature > ineffective - a passive observer could still detect which network > packets contained real keystrokes when the countermeasure was active > because both fake and real keystroke packets were being sent > unconditionally. > > This bug was found by Philippos Giavridis and also independently by > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > University of Cambridge Computer Lab. > > Worse, the unconditional sending of both fake and real keystroke > packets broke another long-standing timing attack mitigation. Since > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > traffic received on TTYs in echo-off mode, such as when entering a > password into su(8) or sudo(8). This bug rendered these fake > keystroke echoes ineffective and could allow a passive observer of > a SSH session to once again detect when echo was off and obtain > fairly limited timing information about keystrokes in this situation > (20ms granularity by default). > > This additional implication of the bug was identified by Jacky Wei > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > for their detailed analysis. > > This bug does not affect connections when ObscureKeystrokeTiming > was disabled or sessions where no TTY was requested. > > Future deprecation notice > ========================= > > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > the "--enable-dsa-keys" option to configure. > > Potentially-incompatible changes > -------------------------------- > > * all: as mentioned above, the DSA signature algorithm is now > disabled at compile time. > > * sshd(8): the server will now block client addresses that > repeatedly fail authentication, repeatedly connect without ever > completing authentication or that crash the server. See the > discussion of PerSourcePenalties below for more information. > Operators of servers that accept connections from many users, or > servers that accept connections from addresses behind NAT or > proxies may need to consider these settings. > > * sshd(8): the server has been split into a listener binary, sshd(8), > and a per-session binary "sshd-session". This allows for a much > smaller listener binary, as it no longer needs to support the SSH > protocol. As part of this work, support for disabling privilege > separation (which previously required code changes to disable) and > disabling re-execution of sshd(8) has been removed. Further > separation of sshd-session into additional, minimal binaries is > planned for the future. > > * sshd(8): several log messages have changed. In particular, some > log messages will be tagged with as originating from a process > named "sshd-session" rather than "sshd". > > * ssh-keyscan(1): this tool previously emitted comment lines > containing the hostname and SSH protocol banner to standard error. > This release now emits them to standard output, but adds a new > "-q" flag to silence them altogether. > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > as the PAM service name. A new "PAMServiceName" sshd_config(5) > directive allows selecting the service name at runtime. This > defaults to "sshd". bz2101 > > * (portable OpenSSH only) Automatically-generated files, such as > configure, config.h.in, etc will now be checked in to the portable > OpenSSH git release branch (e.g. V_9_8). This should ensure that > the contents of the signed release branch exactly match the > contents of the signed release tarball. > > Changes since OpenSSH 9.7 > ========================= > > This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): as described above, sshd(8) will now penalise client > addresses that, for various reasons, do not successfully complete > authentication. This feature is controlled by a new sshd_config(5) > PerSourcePenalties option and is on by default. > > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit bugs in sshd). > > When such a condition is observed, sshd will record a penalty of > some duration (e.g. 30 seconds) against the client's address. If > this time is above a minimum configurable threshold, then all > connections from the client address will be refused (along with any > others in the same PerSourceNetBlockSize CIDR range) until the > penalty expire. > > Repeated offenses by the same client address will accrue greater > penalties, up to a configurable maximum. Address ranges may be > fully exempted from penalties, e.g. to guarantee access from a set > of trusted management addresses, using the new sshd_config(5) > PerSourcePenaltyExemptList option. > > We hope these options will make it significantly more difficult for > attackers to find accounts with weak/guessable passwords or exploit > bugs in sshd(8) itself. This option is enabled by default. > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > implicit fallback from certificate host key to plain host keys. > > Bugfixes > -------- > > * misc: fix a number of inaccuracies in the PROTOCOL.* > documentation files. GHPR430 GHPR487 > > * all: switch to strtonum(3) for more robust integer parsing in most > places. > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > editline. GHPR480 > > * sftp-server(8): fix home-directory extension implementation, it > previously always returned the current user's home directory > contrary to the spec. GHPR477 > > * ssh-keyscan(1): do not close stdin to prevent error messages when > stdin is read multiple times. E.g. > echo localhost | ssh-keyscan -f - -f - > > * regression tests: fix rekey test that was testing the same KEX > algorithm repeatedly instead of testing all of them. bz3692 > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > documentation, especially around what is supported vs available. > bz3701. > > Portability > ----------- > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > unconditionally. The previous behaviour was to expose it only when > particular authentication methods were in use. > > * build: fix OpenSSL ED25519 support detection. An incorrect function > signature in configure.ac previously prevented enabling the recently > added support for ED25519 private keys in PEM PKCS8 format. > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > environment variable to enable SSH_ASKPASS, similarly to the X11 > DISPLAY environment variable. GHPR479 > > * build: improve detection of the -fzero-call-used-regs compiler > flag. bz3673. > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > versions. > > * sshd(8): add support for notifying systemd on server listen and > reload, using a standalone implementation that doesn't depend on > libsystemd. bz2641 > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > > v2: > - fix musl build > - fix sshd-session packing on openssh-sshd > - rebase on top of the CVE-2024-6387 fix sent > > v3: > - fix the ptest fail > - update upstream status of the systemd sd-notify patch > > v4: > - split update of Upstream-Status in new patches in the serie > - submit the the ptest fix upstream > > v5: > - backport upstream fix for musl build > - drop the backported systemd notify > > ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ > ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ > ...h-log-input-and-output-files-on-erro.patch | 8 +- > ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ > .../openssh/openssh/CVE-2024-6387.patch | 27 --- > .../openssh/openssh/run-ptest | 1 + > .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- > 7 files changed, 73 insertions(+), 261 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => openssh_9.8p1.bb} (96%) > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > new file mode 100644 > index 0000000000..c41642ae10 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > @@ -0,0 +1,30 @@ > +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 > +From: Darren Tucker <dtucker@dtucker.net> > +Date: Sun, 7 Jul 2024 18:46:19 +1000 > +Subject: [PATCH] Cast to sockaddr * in systemd interface. > + > +Fixes build with musl libx. bz#3707. > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + openbsd-compat/port-linux.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 4c024c6d2..8adfec5a7 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) > + error_f("socket \"%s\": %s", path, strerror(errno)); > + goto out; > + } > +- if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { > + error_f("socket \"%s\" connect: %s", path, strerror(errno)); > + goto out; > + } > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > deleted file mode 100644 > index 4925c969fe..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > +++ /dev/null > @@ -1,225 +0,0 @@ > -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > -From: Damien Miller <djm@mindrot.org> > -Date: Wed, 3 Apr 2024 14:40:32 +1100 > -Subject: [PATCH] notify systemd on listen and reload > - > -Standalone implementation that does not depend on libsystemd. > -With assistance from Luca Boccassi, and feedback/testing from Colin > -Watson. bz2641 > - > -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > ---- > - configure.ac | 1 + > - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > - openbsd-compat/port-linux.h | 5 ++ > - platform.c | 11 +++++ > - platform.h | 1 + > - sshd.c | 2 + > - 6 files changed, 115 insertions(+), 2 deletions(-) > - > -diff --git a/configure.ac b/configure.ac > -index 82e8bb7c1..854f92b5b 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > - AC_DEFINE([USE_BTMP]) > - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > - inet6_default_4in6=yes > - case `uname -r` in > - 1.*|2.0.*) > -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > -index 0457e28d0..df7290246 100644 > ---- a/openbsd-compat/port-linux.c > -+++ b/openbsd-compat/port-linux.c > -@@ -21,16 +21,23 @@ > - > - #include "includes.h" > - > --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > -+ defined(SYSTEMD_NOTIFY) > -+#include <sys/socket.h> > -+#include <sys/un.h> > -+ > - #include <errno.h> > -+#include <inttypes.h> > - #include <stdarg.h> > - #include <string.h> > - #include <stdio.h> > - #include <stdlib.h> > -+#include <time.h> > - > - #include "log.h" > - #include "xmalloc.h" > - #include "port-linux.h" > -+#include "misc.h" > - > - #ifdef WITH_SELINUX > - #include <selinux/selinux.h> > -@@ -310,4 +317,90 @@ oom_adjust_restore(void) > - return; > - } > - #endif /* LINUX_OOM_ADJUST */ > --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > -+ > -+#ifdef SYSTEMD_NOTIFY > -+ > -+static void ssh_systemd_notify(const char *, ...) > -+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > -+ > -+static void > -+ssh_systemd_notify(const char *fmt, ...) > -+{ > -+ char *s = NULL; > -+ const char *path; > -+ struct stat sb; > -+ struct sockaddr_un addr; > -+ int fd = -1; > -+ va_list ap; > -+ > -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > -+ return; > -+ > -+ va_start(ap, fmt); > -+ xvasprintf(&s, fmt, ap); > -+ va_end(ap); > -+ > -+ /* Only AF_UNIX is supported, with path or abstract sockets */ > -+ if (path[0] != '/' && path[0] != '@') { > -+ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > -+ goto out; > -+ } > -+ > -+ if (path[0] == '/' && stat(path, &sb) != 0) { > -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ > -+ memset(&addr, 0, sizeof(addr)); > -+ addr.sun_family = AF_UNIX; > -+ if (strlcpy(addr.sun_path, path, > -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > -+ error_f("socket path \"%s\" too long", path); > -+ goto out; > -+ } > -+ /* Support for abstract socket */ > -+ if (addr.sun_path[0] == '@') > -+ addr.sun_path[0] = 0; > -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > -+ error_f("socket \"%s\": %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (connect(fd, &addr, sizeof(addr)) != 0) { > -+ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ debug_f("socket \"%s\" notified %s", path, s); > -+ out: > -+ if (fd != -1) > -+ close(fd); > -+ free(s); > -+} > -+ > -+void > -+ssh_systemd_notify_ready(void) > -+{ > -+ ssh_systemd_notify("READY=1"); > -+} > -+ > -+void > -+ssh_systemd_notify_reload(void) > -+{ > -+ struct timespec now; > -+ > -+ monotime_ts(&now); > -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { > -+ error_f("monotime returned negative value"); > -+ ssh_systemd_notify("RELOADING=1"); > -+ } else { > -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > -+ ((uint64_t)now.tv_sec * 1000000ULL) + > -+ ((uint64_t)now.tv_nsec / 1000ULL)); > -+ } > -+} > -+#endif /* SYSTEMD_NOTIFY */ > -+ > -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > -index 3c22a854d..14064f87d 100644 > ---- a/openbsd-compat/port-linux.h > -+++ b/openbsd-compat/port-linux.h > -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > - void oom_adjust_setup(void); > - #endif > - > -+#ifdef SYSTEMD_NOTIFY > -+void ssh_systemd_notify_ready(void); > -+void ssh_systemd_notify_reload(void); > -+#endif > -+ > - #endif /* ! _PORT_LINUX_H */ > -diff --git a/platform.c b/platform.c > -index 4fe8744ee..9cf818153 100644 > ---- a/platform.c > -+++ b/platform.c > -@@ -44,6 +44,14 @@ platform_pre_listen(void) > - #endif > - } > - > -+void > -+platform_post_listen(void) > -+{ > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_ready(); > -+#endif > -+} > -+ > - void > - platform_pre_fork(void) > - { > -@@ -55,6 +63,9 @@ platform_pre_fork(void) > - void > - platform_pre_restart(void) > - { > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_reload(); > -+#endif > - #ifdef LINUX_OOM_ADJUST > - oom_adjust_restore(); > - #endif > -diff --git a/platform.h b/platform.h > -index 7fef8c983..5dec23276 100644 > ---- a/platform.h > -+++ b/platform.h > -@@ -21,6 +21,7 @@ > - void platform_pre_listen(void); > - void platform_pre_fork(void); > - void platform_pre_restart(void); > -+void platform_post_listen(void); > - void platform_post_fork_parent(pid_t child_pid); > - void platform_post_fork_child(void); > - int platform_privileged_uidswap(void); > -diff --git a/sshd.c b/sshd.c > -index b4f2b9742..865331b46 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -2077,6 +2077,8 @@ main(int ac, char **av) > - ssh_signal(SIGTERM, sigterm_handler); > - ssh_signal(SIGQUIT, sigterm_handler); > - > -+ platform_post_listen(); > -+ > - /* > - * Write out the pid file after the sigterm handler > - * is setup and the listen sockets are bound > --- > -2.45.2 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > index 8763f30f4b..f424288e37 100644 > --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > @@ -1,4 +1,4 @@ > -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 > +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 > From: Mikko Rapeli <mikko.rapeli@linaro.org> > Date: Mon, 11 Sep 2023 09:55:21 +0100 > Subject: [PATCH] regress/banner.sh: log input and output files on error > @@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 > Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > regress/banner.sh | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/regress/banner.sh b/regress/banner.sh > -index a84feb5a..de84957a 100644 > +index a84feb5..de84957 100644 > --- a/regress/banner.sh > +++ b/regress/banner.sh > @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do > @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 > done > > trace "test suppress banner (-q)" > --- > -2.34.1 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > new file mode 100644 > index 0000000000..b90cd2e69d > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > @@ -0,0 +1,35 @@ > +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 > +From: Jose Quaresma <jose.quaresma@foundries.io> > +Date: Mon, 15 Jul 2024 18:43:08 +0100 > +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env > + > +The SSHAGENT_BIN was changed in [1] to SSH_BIN but > +the last one don't use the absolute path and consequently > +the function increase_datafile_size can loops forever > +if the binary not found. > + > +[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 > + > +Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + regress/test-exec.sh | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/regress/test-exec.sh b/regress/test-exec.sh > +index 7afc2807..175f554b 100644 > +--- a/regress/test-exec.sh > ++++ b/regress/test-exec.sh > +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then > + fi > + > + # Path to sshd must be absolute for rexec > ++case "$SSH" in > ++/*) ;; > ++*) SSH=`which $SSH` ;; > ++esac > ++ > + case "$SSHD" in > + /*) ;; > + *) SSHD=`which $SSHD` ;; > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > deleted file mode 100644 > index 3e7c707100..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -Description: fix signal handler race condition > -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > - > -CVE: CVE-2024-6387 > - > -Upstream-Status: Backport > -https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > - > ---- a/log.c > -+++ b/log.c > -@@ -452,12 +452,14 @@ void > - sshsigdie(const char *file, const char *func, int line, int showfunc, > - LogLevel level, const char *suffix, const char *fmt, ...) > - { > -+#if 0 > - va_list args; > - > - va_start(args, fmt); > - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > - suffix, fmt, args); > - va_end(args); > -+#endif > - _exit(1); > - } > - > diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest > index b2244d725a..c9100f9f37 100755 > --- a/meta/recipes-connectivity/openssh/openssh/run-ptest > +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest > @@ -1,5 +1,6 @@ > #!/bin/sh > > +export TEST_SSH_SSH=ssh > export TEST_SHELL=sh > export SKIP_UNIT=1 > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > similarity index 96% > rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb > rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb > index 4680d12be5..9554b4783f 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > @@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://volatiles.99_sshd \ > file://run-ptest \ > file://sshd_check_keys \ > + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-notify-systemd-on-listen-and-reload.patch \ > - file://CVE-2024-6387.patch \ > + file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ > " > -SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > +SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" > > CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." > > @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" > PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" > FILES:${PN}-scp = "${bindir}/scp.${BPN}" > FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" > -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" > FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" > FILES:${PN}-sftp = "${bindir}/sftp" > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202117): https://lists.openembedded.org/g/openembedded-core/message/202117 > Mute This Topic: https://lists.openembedded.org/mt/107252589/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma 2024-07-16 14:37 ` Patchtest results for " patchtest 2024-07-17 2:04 ` Khem Raj @ 2024-07-17 7:57 ` Alexandre Belloni 2024-07-17 8:51 ` Jose Quaresma 2024-07-17 7:59 ` Alexandre Belloni 3 siblings, 1 reply; 15+ messages in thread From: Alexandre Belloni @ 2024-07-17 7:57 UTC (permalink / raw) To: Jose Quaresma; +Cc: openembedded-core, Jose Quaresma Hello, https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6812/steps/13/logs/stdio https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/6636/steps/12/logs/stdio This causes libssh2 ptest failures: https://autobuilder.yocto.io/pub/non-release/20240716-73/testresults/qemux86-64-ptest/libssh2.log START: ptest-runner 2024-07-16T23:20 PASS: mansyntax.sh PASS: test_simple FAIL: test_sshd.test DURATION: 14 On 16/07/2024 15:16:39+0100, Jose Quaresma wrote: > - drop the CVE-2024-6387 > - drop the backported systemd notify > - backported fix for musl build > - submited fix for ptest regression > - sshd now had the sshd-session > > Release notes at https://www.openssh.com/txt/release-9.8 > > Security > ======== > > This release contains fixes for two security problems, one critical > and one minor. > > 1) Race condition in sshd(8) > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > code execution with root privileges. > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > systems with ASLR. Under lab conditions, the attack requires on > average 6-8 hours of continuous connections up to the maximum the > server will accept. Exploitation on 64-bit systems is believed to be > possible but has not been demonstrated at this time. It's likely that > these attacks will be improved upon. > > Exploitation on non-glibc systems is conceivable but has not been > examined. Systems that lack ASLR or users of downstream Linux > distributions that have modified OpenSSH to disable per-connection > ASLR re-randomisation (yes - this is a thing, no - we don't > understand why) may potentially have an easier path to exploitation. > OpenBSD is not vulnerable. > > We thank the Qualys Security Advisory Team for discovering, reporting > and demonstrating exploitability of this problem, and for providing > detailed feedback on additional mitigation measures. > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > ObscureKeystrokeTiming feature (on by default) rendered this feature > ineffective - a passive observer could still detect which network > packets contained real keystrokes when the countermeasure was active > because both fake and real keystroke packets were being sent > unconditionally. > > This bug was found by Philippos Giavridis and also independently by > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > University of Cambridge Computer Lab. > > Worse, the unconditional sending of both fake and real keystroke > packets broke another long-standing timing attack mitigation. Since > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > traffic received on TTYs in echo-off mode, such as when entering a > password into su(8) or sudo(8). This bug rendered these fake > keystroke echoes ineffective and could allow a passive observer of > a SSH session to once again detect when echo was off and obtain > fairly limited timing information about keystrokes in this situation > (20ms granularity by default). > > This additional implication of the bug was identified by Jacky Wei > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > for their detailed analysis. > > This bug does not affect connections when ObscureKeystrokeTiming > was disabled or sessions where no TTY was requested. > > Future deprecation notice > ========================= > > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > the "--enable-dsa-keys" option to configure. > > Potentially-incompatible changes > -------------------------------- > > * all: as mentioned above, the DSA signature algorithm is now > disabled at compile time. > > * sshd(8): the server will now block client addresses that > repeatedly fail authentication, repeatedly connect without ever > completing authentication or that crash the server. See the > discussion of PerSourcePenalties below for more information. > Operators of servers that accept connections from many users, or > servers that accept connections from addresses behind NAT or > proxies may need to consider these settings. > > * sshd(8): the server has been split into a listener binary, sshd(8), > and a per-session binary "sshd-session". This allows for a much > smaller listener binary, as it no longer needs to support the SSH > protocol. As part of this work, support for disabling privilege > separation (which previously required code changes to disable) and > disabling re-execution of sshd(8) has been removed. Further > separation of sshd-session into additional, minimal binaries is > planned for the future. > > * sshd(8): several log messages have changed. In particular, some > log messages will be tagged with as originating from a process > named "sshd-session" rather than "sshd". > > * ssh-keyscan(1): this tool previously emitted comment lines > containing the hostname and SSH protocol banner to standard error. > This release now emits them to standard output, but adds a new > "-q" flag to silence them altogether. > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > as the PAM service name. A new "PAMServiceName" sshd_config(5) > directive allows selecting the service name at runtime. This > defaults to "sshd". bz2101 > > * (portable OpenSSH only) Automatically-generated files, such as > configure, config.h.in, etc will now be checked in to the portable > OpenSSH git release branch (e.g. V_9_8). This should ensure that > the contents of the signed release branch exactly match the > contents of the signed release tarball. > > Changes since OpenSSH 9.7 > ========================= > > This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): as described above, sshd(8) will now penalise client > addresses that, for various reasons, do not successfully complete > authentication. This feature is controlled by a new sshd_config(5) > PerSourcePenalties option and is on by default. > > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit bugs in sshd). > > When such a condition is observed, sshd will record a penalty of > some duration (e.g. 30 seconds) against the client's address. If > this time is above a minimum configurable threshold, then all > connections from the client address will be refused (along with any > others in the same PerSourceNetBlockSize CIDR range) until the > penalty expire. > > Repeated offenses by the same client address will accrue greater > penalties, up to a configurable maximum. Address ranges may be > fully exempted from penalties, e.g. to guarantee access from a set > of trusted management addresses, using the new sshd_config(5) > PerSourcePenaltyExemptList option. > > We hope these options will make it significantly more difficult for > attackers to find accounts with weak/guessable passwords or exploit > bugs in sshd(8) itself. This option is enabled by default. > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > implicit fallback from certificate host key to plain host keys. > > Bugfixes > -------- > > * misc: fix a number of inaccuracies in the PROTOCOL.* > documentation files. GHPR430 GHPR487 > > * all: switch to strtonum(3) for more robust integer parsing in most > places. > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > editline. GHPR480 > > * sftp-server(8): fix home-directory extension implementation, it > previously always returned the current user's home directory > contrary to the spec. GHPR477 > > * ssh-keyscan(1): do not close stdin to prevent error messages when > stdin is read multiple times. E.g. > echo localhost | ssh-keyscan -f - -f - > > * regression tests: fix rekey test that was testing the same KEX > algorithm repeatedly instead of testing all of them. bz3692 > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > documentation, especially around what is supported vs available. > bz3701. > > Portability > ----------- > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > unconditionally. The previous behaviour was to expose it only when > particular authentication methods were in use. > > * build: fix OpenSSL ED25519 support detection. An incorrect function > signature in configure.ac previously prevented enabling the recently > added support for ED25519 private keys in PEM PKCS8 format. > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > environment variable to enable SSH_ASKPASS, similarly to the X11 > DISPLAY environment variable. GHPR479 > > * build: improve detection of the -fzero-call-used-regs compiler > flag. bz3673. > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > versions. > > * sshd(8): add support for notifying systemd on server listen and > reload, using a standalone implementation that doesn't depend on > libsystemd. bz2641 > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > > v2: > - fix musl build > - fix sshd-session packing on openssh-sshd > - rebase on top of the CVE-2024-6387 fix sent > > v3: > - fix the ptest fail > - update upstream status of the systemd sd-notify patch > > v4: > - split update of Upstream-Status in new patches in the serie > - submit the the ptest fix upstream > > v5: > - backport upstream fix for musl build > - drop the backported systemd notify > > ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ > ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ > ...h-log-input-and-output-files-on-erro.patch | 8 +- > ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ > .../openssh/openssh/CVE-2024-6387.patch | 27 --- > .../openssh/openssh/run-ptest | 1 + > .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- > 7 files changed, 73 insertions(+), 261 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => openssh_9.8p1.bb} (96%) > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > new file mode 100644 > index 0000000000..c41642ae10 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > @@ -0,0 +1,30 @@ > +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 > +From: Darren Tucker <dtucker@dtucker.net> > +Date: Sun, 7 Jul 2024 18:46:19 +1000 > +Subject: [PATCH] Cast to sockaddr * in systemd interface. > + > +Fixes build with musl libx. bz#3707. > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + openbsd-compat/port-linux.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 4c024c6d2..8adfec5a7 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) > + error_f("socket \"%s\": %s", path, strerror(errno)); > + goto out; > + } > +- if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { > + error_f("socket \"%s\" connect: %s", path, strerror(errno)); > + goto out; > + } > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > deleted file mode 100644 > index 4925c969fe..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > +++ /dev/null > @@ -1,225 +0,0 @@ > -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > -From: Damien Miller <djm@mindrot.org> > -Date: Wed, 3 Apr 2024 14:40:32 +1100 > -Subject: [PATCH] notify systemd on listen and reload > - > -Standalone implementation that does not depend on libsystemd. > -With assistance from Luca Boccassi, and feedback/testing from Colin > -Watson. bz2641 > - > -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > ---- > - configure.ac | 1 + > - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > - openbsd-compat/port-linux.h | 5 ++ > - platform.c | 11 +++++ > - platform.h | 1 + > - sshd.c | 2 + > - 6 files changed, 115 insertions(+), 2 deletions(-) > - > -diff --git a/configure.ac b/configure.ac > -index 82e8bb7c1..854f92b5b 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > - AC_DEFINE([USE_BTMP]) > - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > - inet6_default_4in6=yes > - case `uname -r` in > - 1.*|2.0.*) > -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > -index 0457e28d0..df7290246 100644 > ---- a/openbsd-compat/port-linux.c > -+++ b/openbsd-compat/port-linux.c > -@@ -21,16 +21,23 @@ > - > - #include "includes.h" > - > --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > -+ defined(SYSTEMD_NOTIFY) > -+#include <sys/socket.h> > -+#include <sys/un.h> > -+ > - #include <errno.h> > -+#include <inttypes.h> > - #include <stdarg.h> > - #include <string.h> > - #include <stdio.h> > - #include <stdlib.h> > -+#include <time.h> > - > - #include "log.h" > - #include "xmalloc.h" > - #include "port-linux.h" > -+#include "misc.h" > - > - #ifdef WITH_SELINUX > - #include <selinux/selinux.h> > -@@ -310,4 +317,90 @@ oom_adjust_restore(void) > - return; > - } > - #endif /* LINUX_OOM_ADJUST */ > --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > -+ > -+#ifdef SYSTEMD_NOTIFY > -+ > -+static void ssh_systemd_notify(const char *, ...) > -+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > -+ > -+static void > -+ssh_systemd_notify(const char *fmt, ...) > -+{ > -+ char *s = NULL; > -+ const char *path; > -+ struct stat sb; > -+ struct sockaddr_un addr; > -+ int fd = -1; > -+ va_list ap; > -+ > -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > -+ return; > -+ > -+ va_start(ap, fmt); > -+ xvasprintf(&s, fmt, ap); > -+ va_end(ap); > -+ > -+ /* Only AF_UNIX is supported, with path or abstract sockets */ > -+ if (path[0] != '/' && path[0] != '@') { > -+ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > -+ goto out; > -+ } > -+ > -+ if (path[0] == '/' && stat(path, &sb) != 0) { > -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ > -+ memset(&addr, 0, sizeof(addr)); > -+ addr.sun_family = AF_UNIX; > -+ if (strlcpy(addr.sun_path, path, > -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > -+ error_f("socket path \"%s\" too long", path); > -+ goto out; > -+ } > -+ /* Support for abstract socket */ > -+ if (addr.sun_path[0] == '@') > -+ addr.sun_path[0] = 0; > -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > -+ error_f("socket \"%s\": %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (connect(fd, &addr, sizeof(addr)) != 0) { > -+ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ debug_f("socket \"%s\" notified %s", path, s); > -+ out: > -+ if (fd != -1) > -+ close(fd); > -+ free(s); > -+} > -+ > -+void > -+ssh_systemd_notify_ready(void) > -+{ > -+ ssh_systemd_notify("READY=1"); > -+} > -+ > -+void > -+ssh_systemd_notify_reload(void) > -+{ > -+ struct timespec now; > -+ > -+ monotime_ts(&now); > -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { > -+ error_f("monotime returned negative value"); > -+ ssh_systemd_notify("RELOADING=1"); > -+ } else { > -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > -+ ((uint64_t)now.tv_sec * 1000000ULL) + > -+ ((uint64_t)now.tv_nsec / 1000ULL)); > -+ } > -+} > -+#endif /* SYSTEMD_NOTIFY */ > -+ > -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > -index 3c22a854d..14064f87d 100644 > ---- a/openbsd-compat/port-linux.h > -+++ b/openbsd-compat/port-linux.h > -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > - void oom_adjust_setup(void); > - #endif > - > -+#ifdef SYSTEMD_NOTIFY > -+void ssh_systemd_notify_ready(void); > -+void ssh_systemd_notify_reload(void); > -+#endif > -+ > - #endif /* ! _PORT_LINUX_H */ > -diff --git a/platform.c b/platform.c > -index 4fe8744ee..9cf818153 100644 > ---- a/platform.c > -+++ b/platform.c > -@@ -44,6 +44,14 @@ platform_pre_listen(void) > - #endif > - } > - > -+void > -+platform_post_listen(void) > -+{ > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_ready(); > -+#endif > -+} > -+ > - void > - platform_pre_fork(void) > - { > -@@ -55,6 +63,9 @@ platform_pre_fork(void) > - void > - platform_pre_restart(void) > - { > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_reload(); > -+#endif > - #ifdef LINUX_OOM_ADJUST > - oom_adjust_restore(); > - #endif > -diff --git a/platform.h b/platform.h > -index 7fef8c983..5dec23276 100644 > ---- a/platform.h > -+++ b/platform.h > -@@ -21,6 +21,7 @@ > - void platform_pre_listen(void); > - void platform_pre_fork(void); > - void platform_pre_restart(void); > -+void platform_post_listen(void); > - void platform_post_fork_parent(pid_t child_pid); > - void platform_post_fork_child(void); > - int platform_privileged_uidswap(void); > -diff --git a/sshd.c b/sshd.c > -index b4f2b9742..865331b46 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -2077,6 +2077,8 @@ main(int ac, char **av) > - ssh_signal(SIGTERM, sigterm_handler); > - ssh_signal(SIGQUIT, sigterm_handler); > - > -+ platform_post_listen(); > -+ > - /* > - * Write out the pid file after the sigterm handler > - * is setup and the listen sockets are bound > --- > -2.45.2 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > index 8763f30f4b..f424288e37 100644 > --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > @@ -1,4 +1,4 @@ > -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 > +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 > From: Mikko Rapeli <mikko.rapeli@linaro.org> > Date: Mon, 11 Sep 2023 09:55:21 +0100 > Subject: [PATCH] regress/banner.sh: log input and output files on error > @@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 > Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > regress/banner.sh | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/regress/banner.sh b/regress/banner.sh > -index a84feb5a..de84957a 100644 > +index a84feb5..de84957 100644 > --- a/regress/banner.sh > +++ b/regress/banner.sh > @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do > @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 > done > > trace "test suppress banner (-q)" > --- > -2.34.1 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > new file mode 100644 > index 0000000000..b90cd2e69d > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > @@ -0,0 +1,35 @@ > +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 > +From: Jose Quaresma <jose.quaresma@foundries.io> > +Date: Mon, 15 Jul 2024 18:43:08 +0100 > +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env > + > +The SSHAGENT_BIN was changed in [1] to SSH_BIN but > +the last one don't use the absolute path and consequently > +the function increase_datafile_size can loops forever > +if the binary not found. > + > +[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 > + > +Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + regress/test-exec.sh | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/regress/test-exec.sh b/regress/test-exec.sh > +index 7afc2807..175f554b 100644 > +--- a/regress/test-exec.sh > ++++ b/regress/test-exec.sh > +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then > + fi > + > + # Path to sshd must be absolute for rexec > ++case "$SSH" in > ++/*) ;; > ++*) SSH=`which $SSH` ;; > ++esac > ++ > + case "$SSHD" in > + /*) ;; > + *) SSHD=`which $SSHD` ;; > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > deleted file mode 100644 > index 3e7c707100..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -Description: fix signal handler race condition > -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > - > -CVE: CVE-2024-6387 > - > -Upstream-Status: Backport > -https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > - > ---- a/log.c > -+++ b/log.c > -@@ -452,12 +452,14 @@ void > - sshsigdie(const char *file, const char *func, int line, int showfunc, > - LogLevel level, const char *suffix, const char *fmt, ...) > - { > -+#if 0 > - va_list args; > - > - va_start(args, fmt); > - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > - suffix, fmt, args); > - va_end(args); > -+#endif > - _exit(1); > - } > - > diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest > index b2244d725a..c9100f9f37 100755 > --- a/meta/recipes-connectivity/openssh/openssh/run-ptest > +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest > @@ -1,5 +1,6 @@ > #!/bin/sh > > +export TEST_SSH_SSH=ssh > export TEST_SHELL=sh > export SKIP_UNIT=1 > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > similarity index 96% > rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb > rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb > index 4680d12be5..9554b4783f 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > @@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://volatiles.99_sshd \ > file://run-ptest \ > file://sshd_check_keys \ > + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-notify-systemd-on-listen-and-reload.patch \ > - file://CVE-2024-6387.patch \ > + file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ > " > -SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > +SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" > > CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." > > @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" > PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" > FILES:${PN}-scp = "${bindir}/scp.${BPN}" > FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" > -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" > FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" > FILES:${PN}-sftp = "${bindir}/sftp" > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202117): https://lists.openembedded.org/g/openembedded-core/message/202117 > Mute This Topic: https://lists.openembedded.org/mt/107252589/3617179 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com] > -=-=-=-=-=-=-=-=-=-=-=- > -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-17 7:57 ` Alexandre Belloni @ 2024-07-17 8:51 ` Jose Quaresma 0 siblings, 0 replies; 15+ messages in thread From: Jose Quaresma @ 2024-07-17 8:51 UTC (permalink / raw) To: Alexandre Belloni; +Cc: openembedded-core, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 31428 bytes --] Alexandre Belloni <alexandre.belloni@bootlin.com> escreveu (quarta, 17/07/2024 à(s) 08:57): > Hello, > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6812/steps/13/logs/stdio > > https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/6636/steps/12/logs/stdio > > This causes libssh2 ptest failures: > > https://autobuilder.yocto.io/pub/non-release/20240716-73/testresults/qemux86-64-ptest/libssh2.log > > START: ptest-runner > 2024-07-16T23:20 > PASS: mansyntax.sh > PASS: test_simple > FAIL: test_sshd.test > DURATION: 14 > I'll have to test libssh2 to see what's happening. Thanks for the feedback. Jose > > > On 16/07/2024 15:16:39+0100, Jose Quaresma wrote: > > - drop the CVE-2024-6387 > > - drop the backported systemd notify > > - backported fix for musl build > > - submited fix for ptest regression > > - sshd now had the sshd-session > > > > Release notes at https://www.openssh.com/txt/release-9.8 > > > > Security > > ======== > > > > This release contains fixes for two security problems, one critical > > and one minor. > > > > 1) Race condition in sshd(8) > > > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > > code execution with root privileges. > > > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > > systems with ASLR. Under lab conditions, the attack requires on > > average 6-8 hours of continuous connections up to the maximum the > > server will accept. Exploitation on 64-bit systems is believed to be > > possible but has not been demonstrated at this time. It's likely that > > these attacks will be improved upon. > > > > Exploitation on non-glibc systems is conceivable but has not been > > examined. Systems that lack ASLR or users of downstream Linux > > distributions that have modified OpenSSH to disable per-connection > > ASLR re-randomisation (yes - this is a thing, no - we don't > > understand why) may potentially have an easier path to exploitation. > > OpenBSD is not vulnerable. > > > > We thank the Qualys Security Advisory Team for discovering, reporting > > and demonstrating exploitability of this problem, and for providing > > detailed feedback on additional mitigation measures. > > > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > > ObscureKeystrokeTiming feature (on by default) rendered this feature > > ineffective - a passive observer could still detect which network > > packets contained real keystrokes when the countermeasure was active > > because both fake and real keystroke packets were being sent > > unconditionally. > > > > This bug was found by Philippos Giavridis and also independently by > > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > > University of Cambridge Computer Lab. > > > > Worse, the unconditional sending of both fake and real keystroke > > packets broke another long-standing timing attack mitigation. Since > > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > > traffic received on TTYs in echo-off mode, such as when entering a > > password into su(8) or sudo(8). This bug rendered these fake > > keystroke echoes ineffective and could allow a passive observer of > > a SSH session to once again detect when echo was off and obtain > > fairly limited timing information about keystrokes in this situation > > (20ms granularity by default). > > > > This additional implication of the bug was identified by Jacky Wei > > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > > for their detailed analysis. > > > > This bug does not affect connections when ObscureKeystrokeTiming > > was disabled or sessions where no TTY was requested. > > > > Future deprecation notice > > ========================= > > > > OpenSSH plans to remove support for the DSA signature algorithm in > > early 2025. This release disables DSA by default at compile time. > > > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > > limited to a 160 bit private key and use of the SHA1 digest. Its > > estimated security level is only 80 bits symmetric equivalent. > > > > OpenSSH has disabled DSA keys by default since 2015 but has retained > > run-time optional support for them. DSA was the only mandatory-to- > > implement algorithm in the SSHv2 RFCs, mostly because alternative > > algorithms were encumbered by patents when the SSHv2 protocol was > > specified. > > > > This has not been the case for decades at this point and better > > algorithms are well supported by all actively-maintained SSH > > implementations. We do not consider the costs of maintaining DSA > > in OpenSSH to be justified and hope that removing it from OpenSSH > > can accelerate its wider deprecation in supporting cryptography > > libraries. > > > > This release, and its deactivation of DSA by default at compile-time, > > marks the second step in our timeline to finally deprecate DSA. The > > final step of removing DSA support entirely is planned for the first > > OpenSSH release of 2025. > > > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > > the "--enable-dsa-keys" option to configure. > > > > Potentially-incompatible changes > > -------------------------------- > > > > * all: as mentioned above, the DSA signature algorithm is now > > disabled at compile time. > > > > * sshd(8): the server will now block client addresses that > > repeatedly fail authentication, repeatedly connect without ever > > completing authentication or that crash the server. See the > > discussion of PerSourcePenalties below for more information. > > Operators of servers that accept connections from many users, or > > servers that accept connections from addresses behind NAT or > > proxies may need to consider these settings. > > > > * sshd(8): the server has been split into a listener binary, sshd(8), > > and a per-session binary "sshd-session". This allows for a much > > smaller listener binary, as it no longer needs to support the SSH > > protocol. As part of this work, support for disabling privilege > > separation (which previously required code changes to disable) and > > disabling re-execution of sshd(8) has been removed. Further > > separation of sshd-session into additional, minimal binaries is > > planned for the future. > > > > * sshd(8): several log messages have changed. In particular, some > > log messages will be tagged with as originating from a process > > named "sshd-session" rather than "sshd". > > > > * ssh-keyscan(1): this tool previously emitted comment lines > > containing the hostname and SSH protocol banner to standard error. > > This release now emits them to standard output, but adds a new > > "-q" flag to silence them altogether. > > > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > > as the PAM service name. A new "PAMServiceName" sshd_config(5) > > directive allows selecting the service name at runtime. This > > defaults to "sshd". bz2101 > > > > * (portable OpenSSH only) Automatically-generated files, such as > > configure, config.h.in, etc will now be checked in to the portable > > OpenSSH git release branch (e.g. V_9_8). This should ensure that > > the contents of the signed release branch exactly match the > > contents of the signed release tarball. > > > > Changes since OpenSSH 9.7 > > ========================= > > > > This release contains mostly bugfixes. > > > > New features > > ------------ > > > > * sshd(8): as described above, sshd(8) will now penalise client > > addresses that, for various reasons, do not successfully complete > > authentication. This feature is controlled by a new sshd_config(5) > > PerSourcePenalties option and is on by default. > > > > sshd(8) will now identify situations where the session did not > > authenticate as expected. These conditions include when the client > > repeatedly attempted authentication unsucessfully (possibly > > indicating an attack against one or more accounts, e.g. password > > guessing), or when client behaviour caused sshd to crash (possibly > > indicating attempts to exploit bugs in sshd). > > > > When such a condition is observed, sshd will record a penalty of > > some duration (e.g. 30 seconds) against the client's address. If > > this time is above a minimum configurable threshold, then all > > connections from the client address will be refused (along with any > > others in the same PerSourceNetBlockSize CIDR range) until the > > penalty expire. > > > > Repeated offenses by the same client address will accrue greater > > penalties, up to a configurable maximum. Address ranges may be > > fully exempted from penalties, e.g. to guarantee access from a set > > of trusted management addresses, using the new sshd_config(5) > > PerSourcePenaltyExemptList option. > > > > We hope these options will make it significantly more difficult for > > attackers to find accounts with weak/guessable passwords or exploit > > bugs in sshd(8) itself. This option is enabled by default. > > > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > > implicit fallback from certificate host key to plain host keys. > > > > Bugfixes > > -------- > > > > * misc: fix a number of inaccuracies in the PROTOCOL.* > > documentation files. GHPR430 GHPR487 > > > > * all: switch to strtonum(3) for more robust integer parsing in most > > places. > > > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > > editline. GHPR480 > > > > * sftp-server(8): fix home-directory extension implementation, it > > previously always returned the current user's home directory > > contrary to the spec. GHPR477 > > > > * ssh-keyscan(1): do not close stdin to prevent error messages when > > stdin is read multiple times. E.g. > > echo localhost | ssh-keyscan -f - -f - > > > > * regression tests: fix rekey test that was testing the same KEX > > algorithm repeatedly instead of testing all of them. bz3692 > > > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > > documentation, especially around what is supported vs available. > > bz3701. > > > > Portability > > ----------- > > > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > > unconditionally. The previous behaviour was to expose it only when > > particular authentication methods were in use. > > > > * build: fix OpenSSL ED25519 support detection. An incorrect function > > signature in configure.ac previously prevented enabling the recently > > added support for ED25519 private keys in PEM PKCS8 format. > > > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > > environment variable to enable SSH_ASKPASS, similarly to the X11 > > DISPLAY environment variable. GHPR479 > > > > * build: improve detection of the -fzero-call-used-regs compiler > > flag. bz3673. > > > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > > versions. > > > > * sshd(8): add support for notifying systemd on server listen and > > reload, using a standalone implementation that doesn't depend on > > libsystemd. bz2641 > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v2: > > - fix musl build > > - fix sshd-session packing on openssh-sshd > > - rebase on top of the CVE-2024-6387 fix sent > > > > v3: > > - fix the ptest fail > > - update upstream status of the systemd sd-notify patch > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > - submit the the ptest fix upstream > > > > v5: > > - backport upstream fix for musl build > > - drop the backported systemd notify > > > > ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ > > ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ > > ...h-log-input-and-output-files-on-erro.patch | 8 +- > > ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ > > .../openssh/openssh/CVE-2024-6387.patch | 27 --- > > .../openssh/openssh/run-ptest | 1 + > > .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- > > 7 files changed, 73 insertions(+), 261 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => > openssh_9.8p1.bb} (96%) > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > new file mode 100644 > > index 0000000000..c41642ae10 > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > @@ -0,0 +1,30 @@ > > +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 > > +From: Darren Tucker <dtucker@dtucker.net> > > +Date: Sun, 7 Jul 2024 18:46:19 +1000 > > +Subject: [PATCH] Cast to sockaddr * in systemd interface. > > + > > +Fixes build with musl libx. bz#3707. > > + > > +Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8 > ] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + openbsd-compat/port-linux.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > +index 4c024c6d2..8adfec5a7 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) > > + error_f("socket \"%s\": %s", path, strerror(errno)); > > + goto out; > > + } > > +- if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { > > + error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > + goto out; > > + } > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > deleted file mode 100644 > > index 4925c969fe..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > +++ /dev/null > > @@ -1,225 +0,0 @@ > > -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > > -From: Damien Miller <djm@mindrot.org> > > -Date: Wed, 3 Apr 2024 14:40:32 +1100 > > -Subject: [PATCH] notify systemd on listen and reload > > - > > -Standalone implementation that does not depend on libsystemd. > > -With assistance from Luca Boccassi, and feedback/testing from Colin > > -Watson. bz2641 > > - > > -Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > ] > > - > > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > ---- > > - configure.ac | 1 + > > - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > > - openbsd-compat/port-linux.h | 5 ++ > > - platform.c | 11 +++++ > > - platform.h | 1 + > > - sshd.c | 2 + > > - 6 files changed, 115 insertions(+), 2 deletions(-) > > - > > -diff --git a/configure.ac b/configure.ac > > -index 82e8bb7c1..854f92b5b 100644 > > ---- a/configure.ac > > -+++ b/configure.ac > > -@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login > attempts]) > > - AC_DEFINE([USE_BTMP]) > > - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory > killer]) > > -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on > start/reload]) > > - inet6_default_4in6=yes > > - case `uname -r` in > > - 1.*|2.0.*) > > -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > -index 0457e28d0..df7290246 100644 > > ---- a/openbsd-compat/port-linux.c > > -+++ b/openbsd-compat/port-linux.c > > -@@ -21,16 +21,23 @@ > > - > > - #include "includes.h" > > - > > --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > -+ defined(SYSTEMD_NOTIFY) > > -+#include <sys/socket.h> > > -+#include <sys/un.h> > > -+ > > - #include <errno.h> > > -+#include <inttypes.h> > > - #include <stdarg.h> > > - #include <string.h> > > - #include <stdio.h> > > - #include <stdlib.h> > > -+#include <time.h> > > - > > - #include "log.h" > > - #include "xmalloc.h" > > - #include "port-linux.h" > > -+#include "misc.h" > > - > > - #ifdef WITH_SELINUX > > - #include <selinux/selinux.h> > > -@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > - return; > > - } > > - #endif /* LINUX_OOM_ADJUST */ > > --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > -+ > > -+#ifdef SYSTEMD_NOTIFY > > -+ > > -+static void ssh_systemd_notify(const char *, ...) > > -+ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > -+ > > -+static void > > -+ssh_systemd_notify(const char *fmt, ...) > > -+{ > > -+ char *s = NULL; > > -+ const char *path; > > -+ struct stat sb; > > -+ struct sockaddr_un addr; > > -+ int fd = -1; > > -+ va_list ap; > > -+ > > -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > > -+ return; > > -+ > > -+ va_start(ap, fmt); > > -+ xvasprintf(&s, fmt, ap); > > -+ va_end(ap); > > -+ > > -+ /* Only AF_UNIX is supported, with path or abstract sockets */ > > -+ if (path[0] != '/' && path[0] != '@') { > > -+ error_f("socket \"%s\" is not compatible with AF_UNIX", > path); > > -+ goto out; > > -+ } > > -+ > > -+ if (path[0] == '/' && stat(path, &sb) != 0) { > > -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ > > -+ memset(&addr, 0, sizeof(addr)); > > -+ addr.sun_family = AF_UNIX; > > -+ if (strlcpy(addr.sun_path, path, > > -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > -+ error_f("socket path \"%s\" too long", path); > > -+ goto out; > > -+ } > > -+ /* Support for abstract socket */ > > -+ if (addr.sun_path[0] == '@') > > -+ addr.sun_path[0] = 0; > > -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > -+ error_f("socket \"%s\": %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ if (connect(fd, &addr, sizeof(addr)) != 0) { > > -+ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > -+ goto out; > > -+ } > > -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ debug_f("socket \"%s\" notified %s", path, s); > > -+ out: > > -+ if (fd != -1) > > -+ close(fd); > > -+ free(s); > > -+} > > -+ > > -+void > > -+ssh_systemd_notify_ready(void) > > -+{ > > -+ ssh_systemd_notify("READY=1"); > > -+} > > -+ > > -+void > > -+ssh_systemd_notify_reload(void) > > -+{ > > -+ struct timespec now; > > -+ > > -+ monotime_ts(&now); > > -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > -+ error_f("monotime returned negative value"); > > -+ ssh_systemd_notify("RELOADING=1"); > > -+ } else { > > -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > -+ ((uint64_t)now.tv_sec * 1000000ULL) + > > -+ ((uint64_t)now.tv_nsec / 1000ULL)); > > -+ } > > -+} > > -+#endif /* SYSTEMD_NOTIFY */ > > -+ > > -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > > -index 3c22a854d..14064f87d 100644 > > ---- a/openbsd-compat/port-linux.h > > -+++ b/openbsd-compat/port-linux.h > > -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > - void oom_adjust_setup(void); > > - #endif > > - > > -+#ifdef SYSTEMD_NOTIFY > > -+void ssh_systemd_notify_ready(void); > > -+void ssh_systemd_notify_reload(void); > > -+#endif > > -+ > > - #endif /* ! _PORT_LINUX_H */ > > -diff --git a/platform.c b/platform.c > > -index 4fe8744ee..9cf818153 100644 > > ---- a/platform.c > > -+++ b/platform.c > > -@@ -44,6 +44,14 @@ platform_pre_listen(void) > > - #endif > > - } > > - > > -+void > > -+platform_post_listen(void) > > -+{ > > -+#ifdef SYSTEMD_NOTIFY > > -+ ssh_systemd_notify_ready(); > > -+#endif > > -+} > > -+ > > - void > > - platform_pre_fork(void) > > - { > > -@@ -55,6 +63,9 @@ platform_pre_fork(void) > > - void > > - platform_pre_restart(void) > > - { > > -+#ifdef SYSTEMD_NOTIFY > > -+ ssh_systemd_notify_reload(); > > -+#endif > > - #ifdef LINUX_OOM_ADJUST > > - oom_adjust_restore(); > > - #endif > > -diff --git a/platform.h b/platform.h > > -index 7fef8c983..5dec23276 100644 > > ---- a/platform.h > > -+++ b/platform.h > > -@@ -21,6 +21,7 @@ > > - void platform_pre_listen(void); > > - void platform_pre_fork(void); > > - void platform_pre_restart(void); > > -+void platform_post_listen(void); > > - void platform_post_fork_parent(pid_t child_pid); > > - void platform_post_fork_child(void); > > - int platform_privileged_uidswap(void); > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b9742..865331b46 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > - ssh_signal(SIGTERM, sigterm_handler); > > - ssh_signal(SIGQUIT, sigterm_handler); > > - > > -+ platform_post_listen(); > > -+ > > - /* > > - * Write out the pid file after the sigterm handler > > - * is setup and the listen sockets are bound > > --- > > -2.45.2 > > - > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > index 8763f30f4b..f424288e37 100644 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > @@ -1,4 +1,4 @@ > > -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 > > +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 > > From: Mikko Rapeli <mikko.rapeli@linaro.org> > > Date: Mon, 11 Sep 2023 09:55:21 +0100 > > Subject: [PATCH] regress/banner.sh: log input and output files on error > > @@ -37,12 +37,13 @@ See: > https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 > > Upstream-Status: Denied [ > https://github.com/openssh/openssh-portable/pull/437] > > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > regress/banner.sh | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/regress/banner.sh b/regress/banner.sh > > -index a84feb5a..de84957a 100644 > > +index a84feb5..de84957 100644 > > --- a/regress/banner.sh > > +++ b/regress/banner.sh > > @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do > > @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 > > done > > > > trace "test suppress banner (-q)" > > --- > > -2.34.1 > > - > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > new file mode 100644 > > index 0000000000..b90cd2e69d > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > @@ -0,0 +1,35 @@ > > +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 > > +From: Jose Quaresma <jose.quaresma@foundries.io> > > +Date: Mon, 15 Jul 2024 18:43:08 +0100 > > +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env > > + > > +The SSHAGENT_BIN was changed in [1] to SSH_BIN but > > +the last one don't use the absolute path and consequently > > +the function increase_datafile_size can loops forever > > +if the binary not found. > > + > > +[1] > https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 > > + > > +Upstream-Status: Submitted [ > https://github.com/openssh/openssh-portable/pull/510] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + regress/test-exec.sh | 5 +++++ > > + 1 file changed, 5 insertions(+) > > + > > +diff --git a/regress/test-exec.sh b/regress/test-exec.sh > > +index 7afc2807..175f554b 100644 > > +--- a/regress/test-exec.sh > > ++++ b/regress/test-exec.sh > > +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then > > + fi > > + > > + # Path to sshd must be absolute for rexec > > ++case "$SSH" in > > ++/*) ;; > > ++*) SSH=`which $SSH` ;; > > ++esac > > ++ > > + case "$SSHD" in > > + /*) ;; > > + *) SSHD=`which $SSHD` ;; > > diff --git > a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > deleted file mode 100644 > > index 3e7c707100..0000000000 > > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > +++ /dev/null > > @@ -1,27 +0,0 @@ > > -Description: fix signal handler race condition > > -Bug-Ubuntu: > https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > > - > > -CVE: CVE-2024-6387 > > - > > -Upstream-Status: Backport > > - > https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > > - > > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > - > > ---- a/log.c > > -+++ b/log.c > > -@@ -452,12 +452,14 @@ void > > - sshsigdie(const char *file, const char *func, int line, int showfunc, > > - LogLevel level, const char *suffix, const char *fmt, ...) > > - { > > -+#if 0 > > - va_list args; > > - > > - va_start(args, fmt); > > - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > > - suffix, fmt, args); > > - va_end(args); > > -+#endif > > - _exit(1); > > - } > > - > > diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest > b/meta/recipes-connectivity/openssh/openssh/run-ptest > > index b2244d725a..c9100f9f37 100755 > > --- a/meta/recipes-connectivity/openssh/openssh/run-ptest > > +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest > > @@ -1,5 +1,6 @@ > > #!/bin/sh > > > > +export TEST_SSH_SSH=ssh > > export TEST_SHELL=sh > > export SKIP_UNIT=1 > > > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > similarity index 96% > > rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > index 4680d12be5..9554b4783f 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > @@ -23,11 +23,11 @@ SRC_URI = " > http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > > file://volatiles.99_sshd \ > > file://run-ptest \ > > file://sshd_check_keys \ > > + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > > - file://0001-notify-systemd-on-listen-and-reload.patch \ > > - file://CVE-2024-6387.patch \ > > + > file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ > > " > > -SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > > +SRC_URI[sha256sum] = > "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" > > > > CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is > specific to OpenSSH with the pam opie which we don't build/use here." > > > > @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" > > PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp > ${PN}-misc ${PN}-sftp-server" > > FILES:${PN}-scp = "${bindir}/scp.${BPN}" > > FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" > > -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd > ${systemd_system_unitdir}" > > +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session > ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > > FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli > ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly > ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" > > FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" > > FILES:${PN}-sftp = "${bindir}/sftp" > > -- > > 2.45.2 > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#202117): > https://lists.openembedded.org/g/openembedded-core/message/202117 > > Mute This Topic: https://lists.openembedded.org/mt/107252589/3617179 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > alexandre.belloni@bootlin.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > -- > Alexandre Belloni, co-owner and COO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com > -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 41302 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma ` (2 preceding siblings ...) 2024-07-17 7:57 ` Alexandre Belloni @ 2024-07-17 7:59 ` Alexandre Belloni 2024-07-17 8:50 ` Jose Quaresma 3 siblings, 1 reply; 15+ messages in thread From: Alexandre Belloni @ 2024-07-17 7:59 UTC (permalink / raw) To: Jose Quaresma; +Cc: openembedded-core, Jose Quaresma This also break with systemd: https://autobuilder.yoctoproject.org/typhoon/#/builders/101/builds/7961/steps/15/logs/stdio https://autobuilder.yoctoproject.org/typhoon/#/builders/109/builds/8073/steps/14/logs/stdio https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/9247/steps/15/logs/stdio AssertionError: 3 != 0 : SYSTEMD_BUS_TIMEOUT=240s systemctl status --full --failed � sshd@0-192.168.7.4:22-192.168.7.3:34206.service - OpenSSH Per-Connection Daemon Loaded: loaded (/usr/lib/systemd/system/sshd@.service; static) Active: failed (Result: protocol) since Wed 2024-07-17 00:49:38 UTC; 1min 2s ago Invocation: 601a75c93d4b442b8d14288d46e9c8b3 Main PID: 317 (code=exited, status=255/EXCEPTION) On 16/07/2024 15:16:39+0100, Jose Quaresma wrote: > - drop the CVE-2024-6387 > - drop the backported systemd notify > - backported fix for musl build > - submited fix for ptest regression > - sshd now had the sshd-session > > Release notes at https://www.openssh.com/txt/release-9.8 > > Security > ======== > > This release contains fixes for two security problems, one critical > and one minor. > > 1) Race condition in sshd(8) > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > code execution with root privileges. > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > systems with ASLR. Under lab conditions, the attack requires on > average 6-8 hours of continuous connections up to the maximum the > server will accept. Exploitation on 64-bit systems is believed to be > possible but has not been demonstrated at this time. It's likely that > these attacks will be improved upon. > > Exploitation on non-glibc systems is conceivable but has not been > examined. Systems that lack ASLR or users of downstream Linux > distributions that have modified OpenSSH to disable per-connection > ASLR re-randomisation (yes - this is a thing, no - we don't > understand why) may potentially have an easier path to exploitation. > OpenBSD is not vulnerable. > > We thank the Qualys Security Advisory Team for discovering, reporting > and demonstrating exploitability of this problem, and for providing > detailed feedback on additional mitigation measures. > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > ObscureKeystrokeTiming feature (on by default) rendered this feature > ineffective - a passive observer could still detect which network > packets contained real keystrokes when the countermeasure was active > because both fake and real keystroke packets were being sent > unconditionally. > > This bug was found by Philippos Giavridis and also independently by > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > University of Cambridge Computer Lab. > > Worse, the unconditional sending of both fake and real keystroke > packets broke another long-standing timing attack mitigation. Since > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > traffic received on TTYs in echo-off mode, such as when entering a > password into su(8) or sudo(8). This bug rendered these fake > keystroke echoes ineffective and could allow a passive observer of > a SSH session to once again detect when echo was off and obtain > fairly limited timing information about keystrokes in this situation > (20ms granularity by default). > > This additional implication of the bug was identified by Jacky Wei > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > for their detailed analysis. > > This bug does not affect connections when ObscureKeystrokeTiming > was disabled or sessions where no TTY was requested. > > Future deprecation notice > ========================= > > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > the "--enable-dsa-keys" option to configure. > > Potentially-incompatible changes > -------------------------------- > > * all: as mentioned above, the DSA signature algorithm is now > disabled at compile time. > > * sshd(8): the server will now block client addresses that > repeatedly fail authentication, repeatedly connect without ever > completing authentication or that crash the server. See the > discussion of PerSourcePenalties below for more information. > Operators of servers that accept connections from many users, or > servers that accept connections from addresses behind NAT or > proxies may need to consider these settings. > > * sshd(8): the server has been split into a listener binary, sshd(8), > and a per-session binary "sshd-session". This allows for a much > smaller listener binary, as it no longer needs to support the SSH > protocol. As part of this work, support for disabling privilege > separation (which previously required code changes to disable) and > disabling re-execution of sshd(8) has been removed. Further > separation of sshd-session into additional, minimal binaries is > planned for the future. > > * sshd(8): several log messages have changed. In particular, some > log messages will be tagged with as originating from a process > named "sshd-session" rather than "sshd". > > * ssh-keyscan(1): this tool previously emitted comment lines > containing the hostname and SSH protocol banner to standard error. > This release now emits them to standard output, but adds a new > "-q" flag to silence them altogether. > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > as the PAM service name. A new "PAMServiceName" sshd_config(5) > directive allows selecting the service name at runtime. This > defaults to "sshd". bz2101 > > * (portable OpenSSH only) Automatically-generated files, such as > configure, config.h.in, etc will now be checked in to the portable > OpenSSH git release branch (e.g. V_9_8). This should ensure that > the contents of the signed release branch exactly match the > contents of the signed release tarball. > > Changes since OpenSSH 9.7 > ========================= > > This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): as described above, sshd(8) will now penalise client > addresses that, for various reasons, do not successfully complete > authentication. This feature is controlled by a new sshd_config(5) > PerSourcePenalties option and is on by default. > > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit bugs in sshd). > > When such a condition is observed, sshd will record a penalty of > some duration (e.g. 30 seconds) against the client's address. If > this time is above a minimum configurable threshold, then all > connections from the client address will be refused (along with any > others in the same PerSourceNetBlockSize CIDR range) until the > penalty expire. > > Repeated offenses by the same client address will accrue greater > penalties, up to a configurable maximum. Address ranges may be > fully exempted from penalties, e.g. to guarantee access from a set > of trusted management addresses, using the new sshd_config(5) > PerSourcePenaltyExemptList option. > > We hope these options will make it significantly more difficult for > attackers to find accounts with weak/guessable passwords or exploit > bugs in sshd(8) itself. This option is enabled by default. > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > implicit fallback from certificate host key to plain host keys. > > Bugfixes > -------- > > * misc: fix a number of inaccuracies in the PROTOCOL.* > documentation files. GHPR430 GHPR487 > > * all: switch to strtonum(3) for more robust integer parsing in most > places. > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > editline. GHPR480 > > * sftp-server(8): fix home-directory extension implementation, it > previously always returned the current user's home directory > contrary to the spec. GHPR477 > > * ssh-keyscan(1): do not close stdin to prevent error messages when > stdin is read multiple times. E.g. > echo localhost | ssh-keyscan -f - -f - > > * regression tests: fix rekey test that was testing the same KEX > algorithm repeatedly instead of testing all of them. bz3692 > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > documentation, especially around what is supported vs available. > bz3701. > > Portability > ----------- > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > unconditionally. The previous behaviour was to expose it only when > particular authentication methods were in use. > > * build: fix OpenSSL ED25519 support detection. An incorrect function > signature in configure.ac previously prevented enabling the recently > added support for ED25519 private keys in PEM PKCS8 format. > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > environment variable to enable SSH_ASKPASS, similarly to the X11 > DISPLAY environment variable. GHPR479 > > * build: improve detection of the -fzero-call-used-regs compiler > flag. bz3673. > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > versions. > > * sshd(8): add support for notifying systemd on server listen and > reload, using a standalone implementation that doesn't depend on > libsystemd. bz2641 > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > > v2: > - fix musl build > - fix sshd-session packing on openssh-sshd > - rebase on top of the CVE-2024-6387 fix sent > > v3: > - fix the ptest fail > - update upstream status of the systemd sd-notify patch > > v4: > - split update of Upstream-Status in new patches in the serie > - submit the the ptest fix upstream > > v5: > - backport upstream fix for musl build > - drop the backported systemd notify > > ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ > ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ > ...h-log-input-and-output-files-on-erro.patch | 8 +- > ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ > .../openssh/openssh/CVE-2024-6387.patch | 27 --- > .../openssh/openssh/run-ptest | 1 + > .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- > 7 files changed, 73 insertions(+), 261 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => openssh_9.8p1.bb} (96%) > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > new file mode 100644 > index 0000000000..c41642ae10 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > @@ -0,0 +1,30 @@ > +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 > +From: Darren Tucker <dtucker@dtucker.net> > +Date: Sun, 7 Jul 2024 18:46:19 +1000 > +Subject: [PATCH] Cast to sockaddr * in systemd interface. > + > +Fixes build with musl libx. bz#3707. > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + openbsd-compat/port-linux.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 4c024c6d2..8adfec5a7 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) > + error_f("socket \"%s\": %s", path, strerror(errno)); > + goto out; > + } > +- if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { > + error_f("socket \"%s\" connect: %s", path, strerror(errno)); > + goto out; > + } > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > deleted file mode 100644 > index 4925c969fe..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > +++ /dev/null > @@ -1,225 +0,0 @@ > -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > -From: Damien Miller <djm@mindrot.org> > -Date: Wed, 3 Apr 2024 14:40:32 +1100 > -Subject: [PATCH] notify systemd on listen and reload > - > -Standalone implementation that does not depend on libsystemd. > -With assistance from Luca Boccassi, and feedback/testing from Colin > -Watson. bz2641 > - > -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > ---- > - configure.ac | 1 + > - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > - openbsd-compat/port-linux.h | 5 ++ > - platform.c | 11 +++++ > - platform.h | 1 + > - sshd.c | 2 + > - 6 files changed, 115 insertions(+), 2 deletions(-) > - > -diff --git a/configure.ac b/configure.ac > -index 82e8bb7c1..854f92b5b 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > - AC_DEFINE([USE_BTMP]) > - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > - inet6_default_4in6=yes > - case `uname -r` in > - 1.*|2.0.*) > -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > -index 0457e28d0..df7290246 100644 > ---- a/openbsd-compat/port-linux.c > -+++ b/openbsd-compat/port-linux.c > -@@ -21,16 +21,23 @@ > - > - #include "includes.h" > - > --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > -+ defined(SYSTEMD_NOTIFY) > -+#include <sys/socket.h> > -+#include <sys/un.h> > -+ > - #include <errno.h> > -+#include <inttypes.h> > - #include <stdarg.h> > - #include <string.h> > - #include <stdio.h> > - #include <stdlib.h> > -+#include <time.h> > - > - #include "log.h" > - #include "xmalloc.h" > - #include "port-linux.h" > -+#include "misc.h" > - > - #ifdef WITH_SELINUX > - #include <selinux/selinux.h> > -@@ -310,4 +317,90 @@ oom_adjust_restore(void) > - return; > - } > - #endif /* LINUX_OOM_ADJUST */ > --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > -+ > -+#ifdef SYSTEMD_NOTIFY > -+ > -+static void ssh_systemd_notify(const char *, ...) > -+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > -+ > -+static void > -+ssh_systemd_notify(const char *fmt, ...) > -+{ > -+ char *s = NULL; > -+ const char *path; > -+ struct stat sb; > -+ struct sockaddr_un addr; > -+ int fd = -1; > -+ va_list ap; > -+ > -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > -+ return; > -+ > -+ va_start(ap, fmt); > -+ xvasprintf(&s, fmt, ap); > -+ va_end(ap); > -+ > -+ /* Only AF_UNIX is supported, with path or abstract sockets */ > -+ if (path[0] != '/' && path[0] != '@') { > -+ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > -+ goto out; > -+ } > -+ > -+ if (path[0] == '/' && stat(path, &sb) != 0) { > -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ > -+ memset(&addr, 0, sizeof(addr)); > -+ addr.sun_family = AF_UNIX; > -+ if (strlcpy(addr.sun_path, path, > -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > -+ error_f("socket path \"%s\" too long", path); > -+ goto out; > -+ } > -+ /* Support for abstract socket */ > -+ if (addr.sun_path[0] == '@') > -+ addr.sun_path[0] = 0; > -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > -+ error_f("socket \"%s\": %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (connect(fd, &addr, sizeof(addr)) != 0) { > -+ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); > -+ goto out; > -+ } > -+ debug_f("socket \"%s\" notified %s", path, s); > -+ out: > -+ if (fd != -1) > -+ close(fd); > -+ free(s); > -+} > -+ > -+void > -+ssh_systemd_notify_ready(void) > -+{ > -+ ssh_systemd_notify("READY=1"); > -+} > -+ > -+void > -+ssh_systemd_notify_reload(void) > -+{ > -+ struct timespec now; > -+ > -+ monotime_ts(&now); > -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { > -+ error_f("monotime returned negative value"); > -+ ssh_systemd_notify("RELOADING=1"); > -+ } else { > -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > -+ ((uint64_t)now.tv_sec * 1000000ULL) + > -+ ((uint64_t)now.tv_nsec / 1000ULL)); > -+ } > -+} > -+#endif /* SYSTEMD_NOTIFY */ > -+ > -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > -index 3c22a854d..14064f87d 100644 > ---- a/openbsd-compat/port-linux.h > -+++ b/openbsd-compat/port-linux.h > -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > - void oom_adjust_setup(void); > - #endif > - > -+#ifdef SYSTEMD_NOTIFY > -+void ssh_systemd_notify_ready(void); > -+void ssh_systemd_notify_reload(void); > -+#endif > -+ > - #endif /* ! _PORT_LINUX_H */ > -diff --git a/platform.c b/platform.c > -index 4fe8744ee..9cf818153 100644 > ---- a/platform.c > -+++ b/platform.c > -@@ -44,6 +44,14 @@ platform_pre_listen(void) > - #endif > - } > - > -+void > -+platform_post_listen(void) > -+{ > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_ready(); > -+#endif > -+} > -+ > - void > - platform_pre_fork(void) > - { > -@@ -55,6 +63,9 @@ platform_pre_fork(void) > - void > - platform_pre_restart(void) > - { > -+#ifdef SYSTEMD_NOTIFY > -+ ssh_systemd_notify_reload(); > -+#endif > - #ifdef LINUX_OOM_ADJUST > - oom_adjust_restore(); > - #endif > -diff --git a/platform.h b/platform.h > -index 7fef8c983..5dec23276 100644 > ---- a/platform.h > -+++ b/platform.h > -@@ -21,6 +21,7 @@ > - void platform_pre_listen(void); > - void platform_pre_fork(void); > - void platform_pre_restart(void); > -+void platform_post_listen(void); > - void platform_post_fork_parent(pid_t child_pid); > - void platform_post_fork_child(void); > - int platform_privileged_uidswap(void); > -diff --git a/sshd.c b/sshd.c > -index b4f2b9742..865331b46 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -2077,6 +2077,8 @@ main(int ac, char **av) > - ssh_signal(SIGTERM, sigterm_handler); > - ssh_signal(SIGQUIT, sigterm_handler); > - > -+ platform_post_listen(); > -+ > - /* > - * Write out the pid file after the sigterm handler > - * is setup and the listen sockets are bound > --- > -2.45.2 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > index 8763f30f4b..f424288e37 100644 > --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > @@ -1,4 +1,4 @@ > -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 > +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 > From: Mikko Rapeli <mikko.rapeli@linaro.org> > Date: Mon, 11 Sep 2023 09:55:21 +0100 > Subject: [PATCH] regress/banner.sh: log input and output files on error > @@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 > Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > regress/banner.sh | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/regress/banner.sh b/regress/banner.sh > -index a84feb5a..de84957a 100644 > +index a84feb5..de84957 100644 > --- a/regress/banner.sh > +++ b/regress/banner.sh > @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do > @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 > done > > trace "test suppress banner (-q)" > --- > -2.34.1 > - > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > new file mode 100644 > index 0000000000..b90cd2e69d > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > @@ -0,0 +1,35 @@ > +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 > +From: Jose Quaresma <jose.quaresma@foundries.io> > +Date: Mon, 15 Jul 2024 18:43:08 +0100 > +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env > + > +The SSHAGENT_BIN was changed in [1] to SSH_BIN but > +the last one don't use the absolute path and consequently > +the function increase_datafile_size can loops forever > +if the binary not found. > + > +[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 > + > +Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + regress/test-exec.sh | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/regress/test-exec.sh b/regress/test-exec.sh > +index 7afc2807..175f554b 100644 > +--- a/regress/test-exec.sh > ++++ b/regress/test-exec.sh > +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then > + fi > + > + # Path to sshd must be absolute for rexec > ++case "$SSH" in > ++/*) ;; > ++*) SSH=`which $SSH` ;; > ++esac > ++ > + case "$SSHD" in > + /*) ;; > + *) SSHD=`which $SSHD` ;; > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > deleted file mode 100644 > index 3e7c707100..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -Description: fix signal handler race condition > -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > - > -CVE: CVE-2024-6387 > - > -Upstream-Status: Backport > -https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > - > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > - > ---- a/log.c > -+++ b/log.c > -@@ -452,12 +452,14 @@ void > - sshsigdie(const char *file, const char *func, int line, int showfunc, > - LogLevel level, const char *suffix, const char *fmt, ...) > - { > -+#if 0 > - va_list args; > - > - va_start(args, fmt); > - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > - suffix, fmt, args); > - va_end(args); > -+#endif > - _exit(1); > - } > - > diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest > index b2244d725a..c9100f9f37 100755 > --- a/meta/recipes-connectivity/openssh/openssh/run-ptest > +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest > @@ -1,5 +1,6 @@ > #!/bin/sh > > +export TEST_SSH_SSH=ssh > export TEST_SHELL=sh > export SKIP_UNIT=1 > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > similarity index 96% > rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb > rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb > index 4680d12be5..9554b4783f 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > @@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://volatiles.99_sshd \ > file://run-ptest \ > file://sshd_check_keys \ > + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-notify-systemd-on-listen-and-reload.patch \ > - file://CVE-2024-6387.patch \ > + file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ > " > -SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > +SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" > > CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." > > @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" > PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" > FILES:${PN}-scp = "${bindir}/scp.${BPN}" > FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" > -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" > FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" > FILES:${PN}-sftp = "${bindir}/sftp" > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202117): https://lists.openembedded.org/g/openembedded-core/message/202117 > Mute This Topic: https://lists.openembedded.org/mt/107252589/3617179 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com] > -=-=-=-=-=-=-=-=-=-=-=- > -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 2024-07-17 7:59 ` Alexandre Belloni @ 2024-07-17 8:50 ` Jose Quaresma 0 siblings, 0 replies; 15+ messages in thread From: Jose Quaresma @ 2024-07-17 8:50 UTC (permalink / raw) To: Alexandre Belloni; +Cc: openembedded-core, Jose Quaresma [-- Attachment #1: Type: text/plain, Size: 31854 bytes --] Alexandre Belloni <alexandre.belloni@bootlin.com> escreveu (quarta, 17/07/2024 à(s) 08:59): > This also break with systemd: > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/101/builds/7961/steps/15/logs/stdio > > https://autobuilder.yoctoproject.org/typhoon/#/builders/109/builds/8073/steps/14/logs/stdio > > https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/9247/steps/15/logs/stdio > > AssertionError: 3 != 0 : SYSTEMD_BUS_TIMEOUT=240s systemctl status --full > --failed > в sshd@0-192.168.7.4:22-192.168.7.3:34206.service - OpenSSH > Per-Connection Daemon > Loaded: loaded (/usr/lib/systemd/system/sshd@.service; static) > Active: failed (Result: protocol) since Wed 2024-07-17 00:49:38 UTC; > 1min 2s ago > Invocation: 601a75c93d4b442b8d14288d46e9c8b3 > Main PID: 317 (code=exited, status=255/EXCEPTION) > I will jump on this today and try to find the root cause. The ptest goes well in my local tests but I didn't do anything with testimage. I'll see if the testimage picks up something. Thanks for the feedback. Jose > > On 16/07/2024 15:16:39+0100, Jose Quaresma wrote: > > - drop the CVE-2024-6387 > > - drop the backported systemd notify > > - backported fix for musl build > > - submited fix for ptest regression > > - sshd now had the sshd-session > > > > Release notes at https://www.openssh.com/txt/release-9.8 > > > > Security > > ======== > > > > This release contains fixes for two security problems, one critical > > and one minor. > > > > 1) Race condition in sshd(8) > > > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > > code execution with root privileges. > > > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > > systems with ASLR. Under lab conditions, the attack requires on > > average 6-8 hours of continuous connections up to the maximum the > > server will accept. Exploitation on 64-bit systems is believed to be > > possible but has not been demonstrated at this time. It's likely that > > these attacks will be improved upon. > > > > Exploitation on non-glibc systems is conceivable but has not been > > examined. Systems that lack ASLR or users of downstream Linux > > distributions that have modified OpenSSH to disable per-connection > > ASLR re-randomisation (yes - this is a thing, no - we don't > > understand why) may potentially have an easier path to exploitation. > > OpenBSD is not vulnerable. > > > > We thank the Qualys Security Advisory Team for discovering, reporting > > and demonstrating exploitability of this problem, and for providing > > detailed feedback on additional mitigation measures. > > > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > > ObscureKeystrokeTiming feature (on by default) rendered this feature > > ineffective - a passive observer could still detect which network > > packets contained real keystrokes when the countermeasure was active > > because both fake and real keystroke packets were being sent > > unconditionally. > > > > This bug was found by Philippos Giavridis and also independently by > > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > > University of Cambridge Computer Lab. > > > > Worse, the unconditional sending of both fake and real keystroke > > packets broke another long-standing timing attack mitigation. Since > > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > > traffic received on TTYs in echo-off mode, such as when entering a > > password into su(8) or sudo(8). This bug rendered these fake > > keystroke echoes ineffective and could allow a passive observer of > > a SSH session to once again detect when echo was off and obtain > > fairly limited timing information about keystrokes in this situation > > (20ms granularity by default). > > > > This additional implication of the bug was identified by Jacky Wei > > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > > for their detailed analysis. > > > > This bug does not affect connections when ObscureKeystrokeTiming > > was disabled or sessions where no TTY was requested. > > > > Future deprecation notice > > ========================= > > > > OpenSSH plans to remove support for the DSA signature algorithm in > > early 2025. This release disables DSA by default at compile time. > > > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > > limited to a 160 bit private key and use of the SHA1 digest. Its > > estimated security level is only 80 bits symmetric equivalent. > > > > OpenSSH has disabled DSA keys by default since 2015 but has retained > > run-time optional support for them. DSA was the only mandatory-to- > > implement algorithm in the SSHv2 RFCs, mostly because alternative > > algorithms were encumbered by patents when the SSHv2 protocol was > > specified. > > > > This has not been the case for decades at this point and better > > algorithms are well supported by all actively-maintained SSH > > implementations. We do not consider the costs of maintaining DSA > > in OpenSSH to be justified and hope that removing it from OpenSSH > > can accelerate its wider deprecation in supporting cryptography > > libraries. > > > > This release, and its deactivation of DSA by default at compile-time, > > marks the second step in our timeline to finally deprecate DSA. The > > final step of removing DSA support entirely is planned for the first > > OpenSSH release of 2025. > > > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > > the "--enable-dsa-keys" option to configure. > > > > Potentially-incompatible changes > > -------------------------------- > > > > * all: as mentioned above, the DSA signature algorithm is now > > disabled at compile time. > > > > * sshd(8): the server will now block client addresses that > > repeatedly fail authentication, repeatedly connect without ever > > completing authentication or that crash the server. See the > > discussion of PerSourcePenalties below for more information. > > Operators of servers that accept connections from many users, or > > servers that accept connections from addresses behind NAT or > > proxies may need to consider these settings. > > > > * sshd(8): the server has been split into a listener binary, sshd(8), > > and a per-session binary "sshd-session". This allows for a much > > smaller listener binary, as it no longer needs to support the SSH > > protocol. As part of this work, support for disabling privilege > > separation (which previously required code changes to disable) and > > disabling re-execution of sshd(8) has been removed. Further > > separation of sshd-session into additional, minimal binaries is > > planned for the future. > > > > * sshd(8): several log messages have changed. In particular, some > > log messages will be tagged with as originating from a process > > named "sshd-session" rather than "sshd". > > > > * ssh-keyscan(1): this tool previously emitted comment lines > > containing the hostname and SSH protocol banner to standard error. > > This release now emits them to standard output, but adds a new > > "-q" flag to silence them altogether. > > > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > > as the PAM service name. A new "PAMServiceName" sshd_config(5) > > directive allows selecting the service name at runtime. This > > defaults to "sshd". bz2101 > > > > * (portable OpenSSH only) Automatically-generated files, such as > > configure, config.h.in, etc will now be checked in to the portable > > OpenSSH git release branch (e.g. V_9_8). This should ensure that > > the contents of the signed release branch exactly match the > > contents of the signed release tarball. > > > > Changes since OpenSSH 9.7 > > ========================= > > > > This release contains mostly bugfixes. > > > > New features > > ------------ > > > > * sshd(8): as described above, sshd(8) will now penalise client > > addresses that, for various reasons, do not successfully complete > > authentication. This feature is controlled by a new sshd_config(5) > > PerSourcePenalties option and is on by default. > > > > sshd(8) will now identify situations where the session did not > > authenticate as expected. These conditions include when the client > > repeatedly attempted authentication unsucessfully (possibly > > indicating an attack against one or more accounts, e.g. password > > guessing), or when client behaviour caused sshd to crash (possibly > > indicating attempts to exploit bugs in sshd). > > > > When such a condition is observed, sshd will record a penalty of > > some duration (e.g. 30 seconds) against the client's address. If > > this time is above a minimum configurable threshold, then all > > connections from the client address will be refused (along with any > > others in the same PerSourceNetBlockSize CIDR range) until the > > penalty expire. > > > > Repeated offenses by the same client address will accrue greater > > penalties, up to a configurable maximum. Address ranges may be > > fully exempted from penalties, e.g. to guarantee access from a set > > of trusted management addresses, using the new sshd_config(5) > > PerSourcePenaltyExemptList option. > > > > We hope these options will make it significantly more difficult for > > attackers to find accounts with weak/guessable passwords or exploit > > bugs in sshd(8) itself. This option is enabled by default. > > > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > > implicit fallback from certificate host key to plain host keys. > > > > Bugfixes > > -------- > > > > * misc: fix a number of inaccuracies in the PROTOCOL.* > > documentation files. GHPR430 GHPR487 > > > > * all: switch to strtonum(3) for more robust integer parsing in most > > places. > > > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > > editline. GHPR480 > > > > * sftp-server(8): fix home-directory extension implementation, it > > previously always returned the current user's home directory > > contrary to the spec. GHPR477 > > > > * ssh-keyscan(1): do not close stdin to prevent error messages when > > stdin is read multiple times. E.g. > > echo localhost | ssh-keyscan -f - -f - > > > > * regression tests: fix rekey test that was testing the same KEX > > algorithm repeatedly instead of testing all of them. bz3692 > > > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > > documentation, especially around what is supported vs available. > > bz3701. > > > > Portability > > ----------- > > > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > > unconditionally. The previous behaviour was to expose it only when > > particular authentication methods were in use. > > > > * build: fix OpenSSL ED25519 support detection. An incorrect function > > signature in configure.ac previously prevented enabling the recently > > added support for ED25519 private keys in PEM PKCS8 format. > > > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > > environment variable to enable SSH_ASKPASS, similarly to the X11 > > DISPLAY environment variable. GHPR479 > > > > * build: improve detection of the -fzero-call-used-regs compiler > > flag. bz3673. > > > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > > versions. > > > > * sshd(8): add support for notifying systemd on server listen and > > reload, using a standalone implementation that doesn't depend on > > libsystemd. bz2641 > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v2: > > - fix musl build > > - fix sshd-session packing on openssh-sshd > > - rebase on top of the CVE-2024-6387 fix sent > > > > v3: > > - fix the ptest fail > > - update upstream status of the systemd sd-notify patch > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > - submit the the ptest fix upstream > > > > v5: > > - backport upstream fix for musl build > > - drop the backported systemd notify > > > > ...ast-to-sockaddr-in-systemd-interface.patch | 30 +++ > > ...-notify-systemd-on-listen-and-reload.patch | 225 ------------------ > > ...h-log-input-and-output-files-on-erro.patch | 8 +- > > ...c-use-the-absolute-path-in-the-SSH-e.patch | 35 +++ > > .../openssh/openssh/CVE-2024-6387.patch | 27 --- > > .../openssh/openssh/run-ptest | 1 + > > .../{openssh_9.7p1.bb => openssh_9.8p1.bb} | 8 +- > > 7 files changed, 73 insertions(+), 261 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > rename meta/recipes-connectivity/openssh/{openssh_9.7p1.bb => > openssh_9.8p1.bb} (96%) > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > new file mode 100644 > > index 0000000000..c41642ae10 > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch > > @@ -0,0 +1,30 @@ > > +From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001 > > +From: Darren Tucker <dtucker@dtucker.net> > > +Date: Sun, 7 Jul 2024 18:46:19 +1000 > > +Subject: [PATCH] Cast to sockaddr * in systemd interface. > > + > > +Fixes build with musl libx. bz#3707. > > + > > +Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8 > ] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + openbsd-compat/port-linux.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > +index 4c024c6d2..8adfec5a7 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) > > + error_f("socket \"%s\": %s", path, strerror(errno)); > > + goto out; > > + } > > +- if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { > > + error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > + goto out; > > + } > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > deleted file mode 100644 > > index 4925c969fe..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > +++ /dev/null > > @@ -1,225 +0,0 @@ > > -From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > > -From: Damien Miller <djm@mindrot.org> > > -Date: Wed, 3 Apr 2024 14:40:32 +1100 > > -Subject: [PATCH] notify systemd on listen and reload > > - > > -Standalone implementation that does not depend on libsystemd. > > -With assistance from Luca Boccassi, and feedback/testing from Colin > > -Watson. bz2641 > > - > > -Upstream-Status: Backport [ > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > ] > > - > > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > ---- > > - configure.ac | 1 + > > - openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > > - openbsd-compat/port-linux.h | 5 ++ > > - platform.c | 11 +++++ > > - platform.h | 1 + > > - sshd.c | 2 + > > - 6 files changed, 115 insertions(+), 2 deletions(-) > > - > > -diff --git a/configure.ac b/configure.ac > > -index 82e8bb7c1..854f92b5b 100644 > > ---- a/configure.ac > > -+++ b/configure.ac > > -@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > - AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login > attempts]) > > - AC_DEFINE([USE_BTMP]) > > - AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory > killer]) > > -+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on > start/reload]) > > - inet6_default_4in6=yes > > - case `uname -r` in > > - 1.*|2.0.*) > > -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > > -index 0457e28d0..df7290246 100644 > > ---- a/openbsd-compat/port-linux.c > > -+++ b/openbsd-compat/port-linux.c > > -@@ -21,16 +21,23 @@ > > - > > - #include "includes.h" > > - > > --#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > -+ defined(SYSTEMD_NOTIFY) > > -+#include <sys/socket.h> > > -+#include <sys/un.h> > > -+ > > - #include <errno.h> > > -+#include <inttypes.h> > > - #include <stdarg.h> > > - #include <string.h> > > - #include <stdio.h> > > - #include <stdlib.h> > > -+#include <time.h> > > - > > - #include "log.h" > > - #include "xmalloc.h" > > - #include "port-linux.h" > > -+#include "misc.h" > > - > > - #ifdef WITH_SELINUX > > - #include <selinux/selinux.h> > > -@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > - return; > > - } > > - #endif /* LINUX_OOM_ADJUST */ > > --#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > -+ > > -+#ifdef SYSTEMD_NOTIFY > > -+ > > -+static void ssh_systemd_notify(const char *, ...) > > -+ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > -+ > > -+static void > > -+ssh_systemd_notify(const char *fmt, ...) > > -+{ > > -+ char *s = NULL; > > -+ const char *path; > > -+ struct stat sb; > > -+ struct sockaddr_un addr; > > -+ int fd = -1; > > -+ va_list ap; > > -+ > > -+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > > -+ return; > > -+ > > -+ va_start(ap, fmt); > > -+ xvasprintf(&s, fmt, ap); > > -+ va_end(ap); > > -+ > > -+ /* Only AF_UNIX is supported, with path or abstract sockets */ > > -+ if (path[0] != '/' && path[0] != '@') { > > -+ error_f("socket \"%s\" is not compatible with AF_UNIX", > path); > > -+ goto out; > > -+ } > > -+ > > -+ if (path[0] == '/' && stat(path, &sb) != 0) { > > -+ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ > > -+ memset(&addr, 0, sizeof(addr)); > > -+ addr.sun_family = AF_UNIX; > > -+ if (strlcpy(addr.sun_path, path, > > -+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > -+ error_f("socket path \"%s\" too long", path); > > -+ goto out; > > -+ } > > -+ /* Support for abstract socket */ > > -+ if (addr.sun_path[0] == '@') > > -+ addr.sun_path[0] = 0; > > -+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > -+ error_f("socket \"%s\": %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ if (connect(fd, &addr, sizeof(addr)) != 0) { > > -+ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > -+ goto out; > > -+ } > > -+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > -+ error_f("socket \"%s\" write: %s", path, strerror(errno)); > > -+ goto out; > > -+ } > > -+ debug_f("socket \"%s\" notified %s", path, s); > > -+ out: > > -+ if (fd != -1) > > -+ close(fd); > > -+ free(s); > > -+} > > -+ > > -+void > > -+ssh_systemd_notify_ready(void) > > -+{ > > -+ ssh_systemd_notify("READY=1"); > > -+} > > -+ > > -+void > > -+ssh_systemd_notify_reload(void) > > -+{ > > -+ struct timespec now; > > -+ > > -+ monotime_ts(&now); > > -+ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > -+ error_f("monotime returned negative value"); > > -+ ssh_systemd_notify("RELOADING=1"); > > -+ } else { > > -+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > -+ ((uint64_t)now.tv_sec * 1000000ULL) + > > -+ ((uint64_t)now.tv_nsec / 1000ULL)); > > -+ } > > -+} > > -+#endif /* SYSTEMD_NOTIFY */ > > -+ > > -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > > -index 3c22a854d..14064f87d 100644 > > ---- a/openbsd-compat/port-linux.h > > -+++ b/openbsd-compat/port-linux.h > > -@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > - void oom_adjust_setup(void); > > - #endif > > - > > -+#ifdef SYSTEMD_NOTIFY > > -+void ssh_systemd_notify_ready(void); > > -+void ssh_systemd_notify_reload(void); > > -+#endif > > -+ > > - #endif /* ! _PORT_LINUX_H */ > > -diff --git a/platform.c b/platform.c > > -index 4fe8744ee..9cf818153 100644 > > ---- a/platform.c > > -+++ b/platform.c > > -@@ -44,6 +44,14 @@ platform_pre_listen(void) > > - #endif > > - } > > - > > -+void > > -+platform_post_listen(void) > > -+{ > > -+#ifdef SYSTEMD_NOTIFY > > -+ ssh_systemd_notify_ready(); > > -+#endif > > -+} > > -+ > > - void > > - platform_pre_fork(void) > > - { > > -@@ -55,6 +63,9 @@ platform_pre_fork(void) > > - void > > - platform_pre_restart(void) > > - { > > -+#ifdef SYSTEMD_NOTIFY > > -+ ssh_systemd_notify_reload(); > > -+#endif > > - #ifdef LINUX_OOM_ADJUST > > - oom_adjust_restore(); > > - #endif > > -diff --git a/platform.h b/platform.h > > -index 7fef8c983..5dec23276 100644 > > ---- a/platform.h > > -+++ b/platform.h > > -@@ -21,6 +21,7 @@ > > - void platform_pre_listen(void); > > - void platform_pre_fork(void); > > - void platform_pre_restart(void); > > -+void platform_post_listen(void); > > - void platform_post_fork_parent(pid_t child_pid); > > - void platform_post_fork_child(void); > > - int platform_privileged_uidswap(void); > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b9742..865331b46 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > - ssh_signal(SIGTERM, sigterm_handler); > > - ssh_signal(SIGQUIT, sigterm_handler); > > - > > -+ platform_post_listen(); > > -+ > > - /* > > - * Write out the pid file after the sigterm handler > > - * is setup and the listen sockets are bound > > --- > > -2.45.2 > > - > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > index 8763f30f4b..f424288e37 100644 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > > @@ -1,4 +1,4 @@ > > -From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 > > +From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001 > > From: Mikko Rapeli <mikko.rapeli@linaro.org> > > Date: Mon, 11 Sep 2023 09:55:21 +0100 > > Subject: [PATCH] regress/banner.sh: log input and output files on error > > @@ -37,12 +37,13 @@ See: > https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 > > Upstream-Status: Denied [ > https://github.com/openssh/openssh-portable/pull/437] > > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > regress/banner.sh | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/regress/banner.sh b/regress/banner.sh > > -index a84feb5a..de84957a 100644 > > +index a84feb5..de84957 100644 > > --- a/regress/banner.sh > > +++ b/regress/banner.sh > > @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do > > @@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644 > > done > > > > trace "test suppress banner (-q)" > > --- > > -2.34.1 > > - > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > new file mode 100644 > > index 0000000000..b90cd2e69d > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch > > @@ -0,0 +1,35 @@ > > +From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001 > > +From: Jose Quaresma <jose.quaresma@foundries.io> > > +Date: Mon, 15 Jul 2024 18:43:08 +0100 > > +Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env > > + > > +The SSHAGENT_BIN was changed in [1] to SSH_BIN but > > +the last one don't use the absolute path and consequently > > +the function increase_datafile_size can loops forever > > +if the binary not found. > > + > > +[1] > https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818 > > + > > +Upstream-Status: Submitted [ > https://github.com/openssh/openssh-portable/pull/510] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + regress/test-exec.sh | 5 +++++ > > + 1 file changed, 5 insertions(+) > > + > > +diff --git a/regress/test-exec.sh b/regress/test-exec.sh > > +index 7afc2807..175f554b 100644 > > +--- a/regress/test-exec.sh > > ++++ b/regress/test-exec.sh > > +@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then > > + fi > > + > > + # Path to sshd must be absolute for rexec > > ++case "$SSH" in > > ++/*) ;; > > ++*) SSH=`which $SSH` ;; > > ++esac > > ++ > > + case "$SSHD" in > > + /*) ;; > > + *) SSHD=`which $SSHD` ;; > > diff --git > a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > deleted file mode 100644 > > index 3e7c707100..0000000000 > > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > +++ /dev/null > > @@ -1,27 +0,0 @@ > > -Description: fix signal handler race condition > > -Bug-Ubuntu: > https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > > - > > -CVE: CVE-2024-6387 > > - > > -Upstream-Status: Backport > > - > https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > > - > > -Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > - > > ---- a/log.c > > -+++ b/log.c > > -@@ -452,12 +452,14 @@ void > > - sshsigdie(const char *file, const char *func, int line, int showfunc, > > - LogLevel level, const char *suffix, const char *fmt, ...) > > - { > > -+#if 0 > > - va_list args; > > - > > - va_start(args, fmt); > > - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > > - suffix, fmt, args); > > - va_end(args); > > -+#endif > > - _exit(1); > > - } > > - > > diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest > b/meta/recipes-connectivity/openssh/openssh/run-ptest > > index b2244d725a..c9100f9f37 100755 > > --- a/meta/recipes-connectivity/openssh/openssh/run-ptest > > +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest > > @@ -1,5 +1,6 @@ > > #!/bin/sh > > > > +export TEST_SSH_SSH=ssh > > export TEST_SHELL=sh > > export SKIP_UNIT=1 > > > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > similarity index 96% > > rename from meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > rename to meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > index 4680d12be5..9554b4783f 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb > > @@ -23,11 +23,11 @@ SRC_URI = " > http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > > file://volatiles.99_sshd \ > > file://run-ptest \ > > file://sshd_check_keys \ > > + file://0001-Cast-to-sockaddr-in-systemd-interface.patch \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > > - file://0001-notify-systemd-on-listen-and-reload.patch \ > > - file://CVE-2024-6387.patch \ > > + > file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \ > > " > > -SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > > +SRC_URI[sha256sum] = > "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3" > > > > CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is > specific to OpenSSH with the pam opie which we don't build/use here." > > > > @@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1" > > PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp > ${PN}-misc ${PN}-sftp-server" > > FILES:${PN}-scp = "${bindir}/scp.${BPN}" > > FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" > > -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd > ${systemd_system_unitdir}" > > +FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session > ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" > > FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli > ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly > ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" > > FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" > > FILES:${PN}-sftp = "${bindir}/sftp" > > -- > > 2.45.2 > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#202117): > https://lists.openembedded.org/g/openembedded-core/message/202117 > > Mute This Topic: https://lists.openembedded.org/mt/107252589/3617179 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > alexandre.belloni@bootlin.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > -- > Alexandre Belloni, co-owner and COO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com > -- Best regards, José Quaresma [-- Attachment #2: Type: text/html, Size: 41754 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2024-07-18 9:16 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-07-16 14:16 [OE-core][PATCH v5 1/3] openssh: drop rejected patch fixed in 8.6p1 release Jose Quaresma 2024-07-16 14:16 ` [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream Jose Quaresma 2024-07-17 6:37 ` Khem Raj 2024-07-17 8:46 ` Jose Quaresma 2024-07-17 9:24 ` ChenQi 2024-07-17 10:52 ` Jose Quaresma 2024-07-18 3:34 ` Chen, Qi 2024-07-18 9:16 ` Jose Quaresma 2024-07-16 14:16 ` [OE-core][PATCH v5 3/3] openssh: upgrade 9.7p1 -> 9.8p1 Jose Quaresma 2024-07-16 14:37 ` Patchtest results for " patchtest 2024-07-17 2:04 ` Khem Raj 2024-07-17 7:57 ` Alexandre Belloni 2024-07-17 8:51 ` Jose Quaresma 2024-07-17 7:59 ` Alexandre Belloni 2024-07-17 8:50 ` Jose Quaresma
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.