* [PATCH 1/7] openssh: replace complete configuration files by patch
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:41 ` Patchtest results for " patchtest
` (2 more replies)
2024-03-11 17:18 ` [PATCH 2/7] openssh-config: initial checkin Enrico Scholz
` (8 subsequent siblings)
9 siblings, 3 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Instead of shipping the whole configuration files for openssh, add a
small patch that includes configuration snippets from subdirectories.
This allows us to keep the original upstream configuration, which is
mainly useful for documentation purposes. It makes it easier to
identify OE-specific setup.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
.../openssh/openssh/include-conf.patch | 32 +++++
.../openssh/openssh/ssh_config | 48 -------
.../openssh/openssh/sshd_config | 119 ------------------
.../openssh/openssh_9.6p1.bb | 5 +-
4 files changed, 33 insertions(+), 171 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
new file mode 100644
index 000000000000..3e0bd2957e25
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
@@ -0,0 +1,32 @@
+Include configuration snippets from subdirectory.
+
+NOTE: first configuration option wins.
+
+Upstream-Status: Inappropriate
+
+Index: openssh-9.5p1/ssh_config
+===================================================================
+--- openssh-9.5p1.orig/ssh_config
++++ openssh-9.5p1/ssh_config
+@@ -5,6 +5,8 @@
+ # users, and the values can be changed in per-user configuration files
+ # or on the command line.
+
++Include /etc/ssh/ssh_config.d/*.conf
++
+ # Configuration data is parsed as follows:
+ # 1. command line options
+ # 2. user-specific file
+Index: openssh-9.5p1/sshd_config
+===================================================================
+--- openssh-9.5p1.orig/sshd_config
++++ openssh-9.5p1/sshd_config
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented. Uncommented options override the
+ # default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
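Review bot: the patch header at the top of this hunk is incomplete and will fail the submission checks: `Upstream-Status: Inappropriate` gives no reason (a bracketed one such as `Inappropriate [configuration]` is expected) and the file carries no Signed-off-by line. The `Index: openssh-9.5p1/ssh_config` and `Index: openssh-9.5p1/sshd_config` headers also name 9.5p1 while the recipe being changed is openssh_9.6p1.bb; quilt will still apply the patch, but regenerating it against the 9.6p1 tree keeps the headers honest.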
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
deleted file mode 100644
index cb2774a163ed..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ /dev/null
@@ -1,48 +0,0 @@
-# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Include /etc/ssh/ssh_config.d/*.conf
-
-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_ecdsa
-# IdentityFile ~/.ssh/id_ed25519
-# Port 22
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
-# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
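Review bot: no functional change for the client here, which the commit message could state: the only uncommented directive in the removed file is `Include /etc/ssh/ssh_config.d/*.conf`, which include-conf.patch re-adds at the same position (before any `Host` block); everything else in this hunk was commented-out documentation.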
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
deleted file mode 100644
index e9eaf9315775..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ /dev/null
@@ -1,119 +0,0 @@
-# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable keyboard-interactive authentication (beware issues
-# with some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
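Review bot: this hunk drops several uncommented, OE-specific server settings that include-conf.patch does not restore: `KbdInteractiveAuthentication no`, `ClientAliveInterval 15`, `ClientAliveCountMax 4`, plus the AuthorizedKeysFile, Compression and `Subsystem sftp` lines. Applied on its own, the patch therefore changes the shipped sshd behaviour (idle-session timeouts and keyboard-interactive authentication revert to whatever the upstream file sets). If a later patch in the series reintroduces them as snippets under /etc/ssh/sshd_config.d, the commit message should say which one; otherwise they belong in this patch so the series stays bisectable.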
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index edd8e8c2d18f..d500ca6019fe 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -12,8 +12,6 @@ DEPENDS = "zlib openssl virtual/crypt"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
- file://sshd_config \
- file://ssh_config \
file://init \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://sshd.service \
@@ -23,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://volatiles.99_sshd \
file://run-ptest \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+ file://include-conf.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
@@ -101,8 +100,6 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
do_configure:prepend () {
export LD="${CC}"
- install -m 0644 ${WORKDIR}/sshd_config ${B}/
- install -m 0644 ${WORKDIR}/ssh_config ${B}/
}
do_compile_ptest() {
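Review bot: with the `install -m 0644 ${WORKDIR}/sshd_config ${B}/` and `ssh_config` lines removed and both `file://` entries gone from SRC_URI, the build now relies entirely on the patched copies in the source tree; please check the rest of the recipe for any remaining use of `${WORKDIR}/sshd_config` or `${WORKDIR}/ssh_config` (for example a do_install step that copies a read-only variant), since such a reference would now fail at install time. It is also worth confirming that /etc/ssh/sshd_config.d and /etc/ssh/ssh_config.d are created and packaged, so other recipes have a directory to drop snippets into.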
--
2.44.0
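The patch above relies on sshd's "first configuration option wins" rule, and the Include line it inserts sits before every uncommented directive in the main file. The script below is an added example, not code from the patch, from OpenEmbedded or from OpenSSH: it models the global section of an sshd_config (Include with glob expansion, first-wins keywords, a few accumulating keywords such as Port, and no Match handling), writes a constructed main file plus two constructed drop-in snippets into a temporary directory, and resolves them twice, once with Include at the top as in the patch and once at the bottom, so the difference in which values win is visible. The keyword list in ACCUMULATING and the nesting limit are assumptions made for the example.

```python
"""Added example (not OpenSSH, OpenEmbedded or the patch author's code):
a minimal resolver that mimics how sshd reads sshd_config with Include and
"first configuration option wins" semantics, to show why the position of
the Include line inserted by include-conf.patch matters."""
import glob
import os
import re
import tempfile

# Keywords sshd accepts more than once and accumulates instead of applying
# first-wins (assumption: a representative subset, not the full list).
ACCUMULATING = {"port", "listenaddress", "hostkey", "acceptenv"}
MAX_INCLUDE_DEPTH = 16  # assumption: sshd also caps Include recursion


def parse_line(line):
    """Return (keyword, argument string) or None for comments/blank lines.

    Empty lines and lines starting with '#' are comments; the keyword is
    case-insensitive and separated from its value by whitespace or '='."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", stripped, maxsplit=1)
    keyword = parts[0].lower()
    value = parts[1].strip() if len(parts) > 1 else ""
    return keyword, value


def resolve(path, base_dir, settings=None, depth=0):
    """Resolve the global section of `path` into {keyword: value or [values]}.

    - The first value seen for a keyword wins; later ones are ignored.
    - Include expands its globs in sorted order (like glob(3)), relative to
      base_dir for non-absolute patterns, and recurses immediately, so the
      included values take the precedence of the Include line itself.
    - Parsing stops at the first Match block; conditional blocks are out of
      scope for this example.
    """
    if settings is None:
        settings = {}
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError("Include nesting too deep: %s" % path)
    with open(path) as fh:
        for raw in fh:
            parsed = parse_line(raw)
            if parsed is None:
                continue
            keyword, value = parsed
            if keyword == "match":
                break
            if keyword == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    # A pattern matching nothing is not an error: nothing is
                    # included and parsing of the main file continues.
                    for included in sorted(glob.glob(pattern)):
                        resolve(included, base_dir, settings, depth + 1)
                continue
            if keyword in ACCUMULATING:
                settings.setdefault(keyword, []).append(value)
            elif keyword not in settings:
                settings[keyword] = value
    return settings


def build_demo(root, include_at_top):
    """Write a constructed main config plus two constructed drop-in snippets.

    The main file deliberately has an uncommented `PasswordAuthentication yes`
    so that the effect of the Include position is visible."""
    conf_d = os.path.join(root, "sshd_config.d")
    os.makedirs(conf_d, exist_ok=True)
    include_line = "Include sshd_config.d/*.conf\n"  # relative, as under /etc/ssh
    body = ("#Port 22\n"
            "PasswordAuthentication yes\n"
            "AuthorizedKeysFile .ssh/authorized_keys\n")
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write(include_line + body if include_at_top else body + include_line)
    with open(os.path.join(conf_d, "10-hardening.conf"), "w") as fh:
        fh.write("PasswordAuthentication no\nPermitRootLogin no\n")
    with open(os.path.join(conf_d, "90-site.conf"), "w") as fh:
        fh.write("PermitRootLogin yes\nPort 2222\n")  # loses to 10-hardening
    return main


def demo():
    """Resolve the same snippets with Include at the top (as in the patch)
    and at the bottom; returns {"top": {...}, "bottom": {...}}."""
    results = {}
    for where, at_top in (("top", True), ("bottom", False)):
        with tempfile.TemporaryDirectory() as root:
            results[where] = resolve(build_demo(root, at_top), root)
    return results


if __name__ == "__main__":
    for where, settings in demo().items():
        print("Include at %s:" % where)
        for keyword in sorted(settings):
            print("  %-24s %s" % (keyword, settings[keyword]))
```

With Include at the top, the snippet's `PasswordAuthentication no` beats the main file's `yes`, and `10-hardening.conf` beats `90-site.conf` on PermitRootLogin purely by filename order; with Include at the bottom the main file wins. On a real target the authoritative check is `sshd -T -f /etc/ssh/sshd_config`, which prints the effective server configuration after Include processing, and `ssh -G <host>` for the client.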
* Patchtest results for [PATCH 1/7] openssh: replace complete configuration files by patch
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
@ 2024-03-11 17:41 ` patchtest
2024-03-11 18:16 ` [PATCH 1/7, v2] " Enrico Scholz
2024-03-12 11:00 ` [PATCH 1/7, v3] " Enrico Scholz
2 siblings, 0 replies; 25+ messages in thread
From: patchtest @ 2024-03-11 17:41 UTC (permalink / raw)
To: Enrico Scholz; +Cc: openembedded-core
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/1-7-openssh-replace-complete-configuration-files-by-patch.patch
FAIL: test Signed-off-by presence: A patch file has been added without a Signed-off-by tag: 'include-conf.patch' (test_patch.TestPatch.test_signed_off_by_presence)
FAIL: test Upstream-Status presence: Upstream-Status is Inappropriate, but no reason was provided (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
* [PATCH 1/7, v2] openssh: replace complete configuration files by patch
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
2024-03-11 17:41 ` Patchtest results for " patchtest
@ 2024-03-11 18:16 ` Enrico Scholz
2024-03-11 18:33 ` Patchtest results for " patchtest
2024-03-12 11:00 ` [PATCH 1/7, v3] " Enrico Scholz
2 siblings, 1 reply; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 18:16 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Instead of shipping the whole configuration files for openssh, add a
small patch that includes configuration snippets from subdirectories.
This allows us to keep the original upstream configuration, which is
mainly useful for documentation purposes. It makes it easier to
identify OE-specific setup.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
.../openssh/openssh/include-conf.patch | 32 +++++
.../openssh/openssh/ssh_config | 48 -------
.../openssh/openssh/sshd_config | 119 ------------------
.../openssh/openssh_9.6p1.bb | 5 +-
4 files changed, 33 insertions(+), 171 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
new file mode 100644
index 000000000000..3e0bd2957e25
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
@@ -0,0 +1,32 @@
+Include configuration snippets from subdirectory.
+
+NOTE: first configuration option wins.
+
+Upstream-Status: Inappropriate [configuration]
+
+Index: openssh-9.5p1/ssh_config
+===================================================================
+--- openssh-9.5p1.orig/ssh_config
++++ openssh-9.5p1/ssh_config
+@@ -5,6 +5,8 @@
+ # users, and the values can be changed in per-user configuration files
+ # or on the command line.
+
++Include /etc/ssh/ssh_config.d/*.conf
++
+ # Configuration data is parsed as follows:
+ # 1. command line options
+ # 2. user-specific file
+Index: openssh-9.5p1/sshd_config
+===================================================================
+--- openssh-9.5p1.orig/sshd_config
++++ openssh-9.5p1/sshd_config
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented. Uncommented options override the
+ # default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
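Review bot: v2 adds the `[configuration]` reason to `Upstream-Status: Inappropriate`, but the patch file still has no Signed-off-by line below it, which patchtest flagged on v1 and will flag again; add it under the Upstream-Status line.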
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
deleted file mode 100644
index cb2774a163ed..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ /dev/null
@@ -1,48 +0,0 @@
-# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Include /etc/ssh/ssh_config.d/*.conf
-
-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_ecdsa
-# IdentityFile ~/.ssh/id_ed25519
-# Port 22
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
-# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
deleted file mode 100644
index e9eaf9315775..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ /dev/null
@@ -1,119 +0,0 @@
-# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable keyboard-interactive authentication (beware issues
-# with some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index edd8e8c2d18f..d500ca6019fe 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -12,8 +12,6 @@ DEPENDS = "zlib openssl virtual/crypt"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
- file://sshd_config \
- file://ssh_config \
file://init \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://sshd.service \
@@ -23,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://volatiles.99_sshd \
file://run-ptest \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+ file://include-conf.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
@@ -101,8 +100,6 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
do_configure:prepend () {
export LD="${CC}"
- install -m 0644 ${WORKDIR}/sshd_config ${B}/
- install -m 0644 ${WORKDIR}/ssh_config ${B}/
}
do_compile_ptest() {
--
2.44.0
* Patchtest results for [PATCH 1/7, v2] openssh: replace complete configuration files by patch
2024-03-11 18:16 ` [PATCH 1/7, v2] " Enrico Scholz
@ 2024-03-11 18:33 ` patchtest
0 siblings, 0 replies; 25+ messages in thread
From: patchtest @ 2024-03-11 18:33 UTC (permalink / raw)
To: Enrico Scholz; +Cc: openembedded-core
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/1-7-v2-openssh-replace-complete-configuration-files-by-patch.patch
FAIL: test Signed-off-by presence: A patch file has been added without a Signed-off-by tag: 'include-conf.patch' (test_patch.TestPatch.test_signed_off_by_presence)
PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
* [PATCH 1/7, v3] openssh: replace complete configuration files by patch
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
2024-03-11 17:41 ` Patchtest results for " patchtest
2024-03-11 18:16 ` [PATCH 1/7, v2] " Enrico Scholz
@ 2024-03-12 11:00 ` Enrico Scholz
2024-03-12 13:10 ` [OE-core] " Alexander Kanavin
2024-03-16 23:58 ` Alexandre Belloni
2 siblings, 2 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-12 11:00 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Instead of shipping the whole configuration files for openssh, add a
small patch that includes configuration snippets from subdirectories.
This allows us to keep the original upstream configuration, which is
mainly useful for documentation purposes. It makes it easier to
identify OE-specific setup.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
.../openssh/openssh/include-conf.patch | 34 +++++
.../openssh/openssh/ssh_config | 48 -------
.../openssh/openssh/sshd_config | 119 ------------------
.../openssh/openssh_9.6p1.bb | 5 +-
4 files changed, 35 insertions(+), 171 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
new file mode 100644
index 000000000000..0a3f6839f838
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
@@ -0,0 +1,34 @@
+Include configuration snippets from subdirectory.
+
+NOTE: first configuration option wins.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+
+Index: openssh-9.5p1/ssh_config
+===================================================================
+--- openssh-9.5p1.orig/ssh_config
++++ openssh-9.5p1/ssh_config
+@@ -5,6 +5,8 @@
+ # users, and the values can be changed in per-user configuration files
+ # or on the command line.
+
++Include /etc/ssh/ssh_config.d/*.conf
++
+ # Configuration data is parsed as follows:
+ # 1. command line options
+ # 2. user-specific file
+Index: openssh-9.5p1/sshd_config
+===================================================================
+--- openssh-9.5p1.orig/sshd_config
++++ openssh-9.5p1/sshd_config
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented. Uncommented options override the
+ # default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
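Review bot: the `NOTE: first configuration option wins.` line deserves a sentence on its consequence, because the Include is inserted before every uncommented directive in both files: any keyword set in a snippet under /etc/ssh/sshd_config.d (or /etc/ssh/ssh_config.d) takes precedence over the same keyword set later in the main file, and among snippets the glob's lexical order decides, so snippet file names (for example a numeric prefix) are the precedence mechanism. A stray `PasswordAuthentication yes` or `PermitRootLogin yes` in a drop-in silently overrides a hardened main file, the opposite of what people used to last-wins configs expect. The `Index: openssh-9.5p1/` headers also still name 9.5p1 for a 9.6p1 recipe.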
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
deleted file mode 100644
index cb2774a163ed..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ /dev/null
@@ -1,48 +0,0 @@
-# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Include /etc/ssh/ssh_config.d/*.conf
-
-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_ecdsa
-# IdentityFile ~/.ssh/id_ed25519
-# Port 22
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
-# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
deleted file mode 100644
index e9eaf9315775..000000000000
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ /dev/null
@@ -1,119 +0,0 @@
-# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable keyboard-interactive authentication (beware issues
-# with some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
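Review bot: The commit message says the upstream configuration is kept, but the deleted sshd_config carries several active (uncommented) settings that upstream ships commented or differently: `AuthorizedKeysFile .ssh/authorized_keys` (the comment above it says it deliberately stops sshd from also consulting `.ssh/authorized_keys2`), `KbdInteractiveAuthentication no`, `Compression no`, `ClientAliveInterval 15` and `ClientAliveCountMax 4`. After this patch alone the installed sshd_config falls back to the upstream defaults for all of them, so keyboard-interactive authentication is re-enabled and a second authorized-keys file is honoured again; please state in the commit message where these settings are restored (a later patch in the series) so that bisecting the series does not leave an image with weaker sshd defaults.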
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index edd8e8c2d18f..d500ca6019fe 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -12,8 +12,6 @@ DEPENDS = "zlib openssl virtual/crypt"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
- file://sshd_config \
- file://ssh_config \
file://init \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://sshd.service \
@@ -23,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://volatiles.99_sshd \
file://run-ptest \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+ file://include-conf.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
@@ -101,8 +100,6 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
do_configure:prepend () {
export LD="${CC}"
- install -m 0644 ${WORKDIR}/sshd_config ${B}/
- install -m 0644 ${WORKDIR}/ssh_config ${B}/
}
do_compile_ptest() {
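Review bot: With the two `install` lines gone, ${B}/sshd_config and ${B}/ssh_config are the upstream templates as modified by include-conf.patch, but the recipe still has a do_install:append that edits ${D}${sysconfdir}/ssh/sshd_config with sed (the `s:#UsePAM no:UsePAM yes:` line is only removed in patch 3/7 of this thread). Those sed patterns now have to match the upstream file verbatim, which is fragile across version upgrades; consider moving that tweaking out in the same commit rather than leaving the intermediate state.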
--
2.44.0
* Re: [OE-core] [PATCH 1/7, v3] openssh: replace complete configuration files by patch
2024-03-12 11:00 ` [PATCH 1/7, v3] " Enrico Scholz
@ 2024-03-12 13:10 ` Alexander Kanavin
2024-03-12 14:06 ` Enrico Scholz
2024-03-16 23:58 ` Alexandre Belloni
1 sibling, 1 reply; 25+ messages in thread
From: Alexander Kanavin @ 2024-03-12 13:10 UTC (permalink / raw)
To: enrico.scholz; +Cc: openembedded-core
Why is the patch inappropriate for upstream submission? To me it looks
like it should be at least proposed.
Alex
On Tue, 12 Mar 2024 at 12:00, Enrico Scholz via lists.openembedded.org
<enrico.scholz=sigma-chemnitz.de@lists.openembedded.org> wrote:
>
> From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
>
> Instead of shipping the whole configuration files for openssh, add
> small patch includes configuration snippets from subdirectories.
>
> This allows us to keep the original upstream configuration which is
> mainly useful for documentation purposes. It makes it more easy to
> identify OE specific setup.
>
> Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> ---
> .../openssh/openssh/include-conf.patch | 34 +++++
> .../openssh/openssh/ssh_config | 48 -------
> .../openssh/openssh/sshd_config | 119 ------------------
> .../openssh/openssh_9.6p1.bb | 5 +-
> 4 files changed, 35 insertions(+), 171 deletions(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> new file mode 100644
> index 000000000000..0a3f6839f838
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> @@ -0,0 +1,34 @@
> +Include configuration snippets from subdirectory.
> +
> +NOTE: first configuration option wins.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> +
> +Index: openssh-9.5p1/ssh_config
> +===================================================================
> +--- openssh-9.5p1.orig/ssh_config
> ++++ openssh-9.5p1/ssh_config
> +@@ -5,6 +5,8 @@
> + # users, and the values can be changed in per-user configuration files
> + # or on the command line.
> +
> ++Include /etc/ssh/ssh_config.d/*.conf
> ++
> + # Configuration data is parsed as follows:
> + # 1. command line options
> + # 2. user-specific file
> +Index: openssh-9.5p1/sshd_config
> +===================================================================
> +--- openssh-9.5p1.orig/sshd_config
> ++++ openssh-9.5p1/sshd_config
> +@@ -10,6 +10,8 @@
> + # possible, but leave them commented. Uncommented options override the
> + # default value.
> +
> ++Include /etc/ssh/sshd_config.d/*.conf
> ++
> + #Port 22
> + #AddressFamily any
> + #ListenAddress 0.0.0.0
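Review bot: The embedded patch headers (`Index: openssh-9.5p1/ssh_config`, `--- openssh-9.5p1.orig/ssh_config`) are against 9.5p1 while the recipe being changed is openssh_9.6p1.bb; it still applies because the leading directory component is stripped, but regenerating it against the recipe's version keeps the headers from misleading the next person who refreshes it. Also, since `Include /etc/ssh/sshd_config.d/*.conf` is placed before every other directive and the header notes that the first option wins, any file matching the glob overrides the whole shipped sshd_config; a sentence in the patch header that the directory must stay root-owned and not writable by others would make that consequence explicit.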
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> deleted file mode 100644
> index cb2774a163ed..000000000000
> --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
> -
> -# This is the ssh client system-wide configuration file. See
> -# ssh_config(5) for more information. This file provides defaults for
> -# users, and the values can be changed in per-user configuration files
> -# or on the command line.
> -
> -# Configuration data is parsed as follows:
> -# 1. command line options
> -# 2. user-specific file
> -# 3. system-wide file
> -# Any configuration value is only changed the first time it is set.
> -# Thus, host-specific definitions should be at the beginning of the
> -# configuration file, and defaults at the end.
> -
> -# Site-wide defaults for some commonly used options. For a comprehensive
> -# list of available options, their meanings and defaults, please see the
> -# ssh_config(5) man page.
> -
> -Include /etc/ssh/ssh_config.d/*.conf
> -
> -# Host *
> -# ForwardAgent no
> -# ForwardX11 no
> -# PasswordAuthentication yes
> -# HostbasedAuthentication no
> -# GSSAPIAuthentication no
> -# GSSAPIDelegateCredentials no
> -# BatchMode no
> -# CheckHostIP yes
> -# AddressFamily any
> -# ConnectTimeout 0
> -# StrictHostKeyChecking ask
> -# IdentityFile ~/.ssh/id_rsa
> -# IdentityFile ~/.ssh/id_dsa
> -# IdentityFile ~/.ssh/id_ecdsa
> -# IdentityFile ~/.ssh/id_ed25519
> -# Port 22
> -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
> -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
> -# EscapeChar ~
> -# Tunnel no
> -# TunnelDevice any:any
> -# PermitLocalCommand no
> -# VisualHostKey no
> -# ProxyCommand ssh -q -W %h:%p gateway.example.com
> -# RekeyLimit 1G 1h
> -# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> deleted file mode 100644
> index e9eaf9315775..000000000000
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ /dev/null
> @@ -1,119 +0,0 @@
> -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
> -
> -# This is the sshd server system-wide configuration file. See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented. Uncommented options override the
> -# default value.
> -
> -Include /etc/ssh/sshd_config.d/*.conf
> -
> -#Port 22
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> -#ListenAddress ::
> -
> -#HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_ecdsa_key
> -#HostKey /etc/ssh/ssh_host_ed25519_key
> -
> -# Ciphers and keying
> -#RekeyLimit default none
> -
> -# Logging
> -#SyslogFacility AUTH
> -#LogLevel INFO
> -
> -# Authentication:
> -
> -#LoginGraceTime 2m
> -#PermitRootLogin prohibit-password
> -#StrictModes yes
> -#MaxAuthTries 6
> -#MaxSessions 10
> -
> -#PubkeyAuthentication yes
> -
> -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> -# but this is overridden so installations will only check .ssh/authorized_keys
> -AuthorizedKeysFile .ssh/authorized_keys
> -
> -#AuthorizedPrincipalsFile none
> -
> -#AuthorizedKeysCommand none
> -#AuthorizedKeysCommandUser nobody
> -
> -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#HostbasedAuthentication no
> -# Change to yes if you don't trust ~/.ssh/known_hosts for
> -# HostbasedAuthentication
> -#IgnoreUserKnownHosts no
> -# Don't read the user's ~/.rhosts and ~/.shosts files
> -#IgnoreRhosts yes
> -
> -# To disable tunneled clear text passwords, change to no here!
> -#PasswordAuthentication yes
> -#PermitEmptyPasswords no
> -
> -# Change to yes to enable keyboard-interactive authentication (beware issues
> -# with some PAM modules and threads)
> -KbdInteractiveAuthentication no
> -
> -# Kerberos options
> -#KerberosAuthentication no
> -#KerberosOrLocalPasswd yes
> -#KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
> -
> -# GSSAPI options
> -#GSSAPIAuthentication no
> -#GSSAPICleanupCredentials yes
> -
> -# Set this to 'yes' to enable PAM authentication, account processing,
> -# and session processing. If this is enabled, PAM authentication will
> -# be allowed through the KbdInteractiveAuthentication and
> -# PasswordAuthentication. Depending on your PAM configuration,
> -# PAM authentication via KbdInteractiveAuthentication may bypass
> -# the setting of "PermitRootLogin without-password".
> -# If you just want the PAM account and session checks to run without
> -# PAM authentication, then enable this but set PasswordAuthentication
> -# and KbdInteractiveAuthentication to 'no'.
> -#UsePAM no
> -
> -#AllowAgentForwarding yes
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> -#X11Forwarding no
> -#X11DisplayOffset 10
> -#X11UseLocalhost yes
> -#PermitTTY yes
> -#PrintMotd yes
> -#PrintLastLog yes
> -#TCPKeepAlive yes
> -#PermitUserEnvironment no
> -Compression no
> -ClientAliveInterval 15
> -ClientAliveCountMax 4
> -#UseDNS no
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10:30:100
> -#PermitTunnel no
> -#ChrootDirectory none
> -#VersionAddendum none
> -
> -# no default banner path
> -#Banner none
> -
> -# override default of no subsystems
> -Subsystem sftp /usr/libexec/sftp-server
> -
> -# Example of overriding settings on a per-user basis
> -#Match User anoncvs
> -# X11Forwarding no
> -# AllowTcpForwarding no
> -# PermitTTY no
> -# ForceCommand cvs server
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index edd8e8c2d18f..d500ca6019fe 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -12,8 +12,6 @@ DEPENDS = "zlib openssl virtual/crypt"
> DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> - file://sshd_config \
> - file://ssh_config \
> file://init \
> ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
> file://sshd.service \
> @@ -23,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://volatiles.99_sshd \
> file://run-ptest \
> file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
> + file://include-conf.patch \
> file://sshd_check_keys \
> file://add-test-support-for-busybox.patch \
> file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
> @@ -101,8 +100,6 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
>
> do_configure:prepend () {
> export LD="${CC}"
> - install -m 0644 ${WORKDIR}/sshd_config ${B}/
> - install -m 0644 ${WORKDIR}/ssh_config ${B}/
> }
>
> do_compile_ptest() {
> --
> 2.44.0
>
>
* Re: [OE-core] [PATCH 1/7, v3] openssh: replace complete configuration files by patch
2024-03-12 11:00 ` [PATCH 1/7, v3] " Enrico Scholz
2024-03-12 13:10 ` [OE-core] " Alexander Kanavin
@ 2024-03-16 23:58 ` Alexandre Belloni
1 sibling, 0 replies; 25+ messages in thread
From: Alexandre Belloni @ 2024-03-16 23:58 UTC (permalink / raw)
To: enrico.scholz; +Cc: openembedded-core
Please always resend the whole series, the maintainer should have to go
and cherry pick patches from various versions once the series has been
dropped.
On 12/03/2024 12:00:21+0100, Enrico Scholz via lists.openembedded.org wrote:
> From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
>
> Instead of shipping the whole configuration files for openssh, add
> small patch includes configuration snippets from subdirectories.
>
> This allows us to keep the original upstream configuration which is
> mainly useful for documentation purposes. It makes it more easy to
> identify OE specific setup.
>
> Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> ---
> .../openssh/openssh/include-conf.patch | 34 +++++
> .../openssh/openssh/ssh_config | 48 -------
> .../openssh/openssh/sshd_config | 119 ------------------
> .../openssh/openssh_9.6p1.bb | 5 +-
> 4 files changed, 35 insertions(+), 171 deletions(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> new file mode 100644
> index 000000000000..0a3f6839f838
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> @@ -0,0 +1,34 @@
> +Include configuration snippets from subdirectory.
> +
> +NOTE: first configuration option wins.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> +
> +Index: openssh-9.5p1/ssh_config
> +===================================================================
> +--- openssh-9.5p1.orig/ssh_config
> ++++ openssh-9.5p1/ssh_config
> +@@ -5,6 +5,8 @@
> + # users, and the values can be changed in per-user configuration files
> + # or on the command line.
> +
> ++Include /etc/ssh/ssh_config.d/*.conf
> ++
> + # Configuration data is parsed as follows:
> + # 1. command line options
> + # 2. user-specific file
> +Index: openssh-9.5p1/sshd_config
> +===================================================================
> +--- openssh-9.5p1.orig/sshd_config
> ++++ openssh-9.5p1/sshd_config
> +@@ -10,6 +10,8 @@
> + # possible, but leave them commented. Uncommented options override the
> + # default value.
> +
> ++Include /etc/ssh/sshd_config.d/*.conf
> ++
> + #Port 22
> + #AddressFamily any
> + #ListenAddress 0.0.0.0
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> deleted file mode 100644
> index cb2774a163ed..000000000000
> --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
> -
> -# This is the ssh client system-wide configuration file. See
> -# ssh_config(5) for more information. This file provides defaults for
> -# users, and the values can be changed in per-user configuration files
> -# or on the command line.
> -
> -# Configuration data is parsed as follows:
> -# 1. command line options
> -# 2. user-specific file
> -# 3. system-wide file
> -# Any configuration value is only changed the first time it is set.
> -# Thus, host-specific definitions should be at the beginning of the
> -# configuration file, and defaults at the end.
> -
> -# Site-wide defaults for some commonly used options. For a comprehensive
> -# list of available options, their meanings and defaults, please see the
> -# ssh_config(5) man page.
> -
> -Include /etc/ssh/ssh_config.d/*.conf
> -
> -# Host *
> -# ForwardAgent no
> -# ForwardX11 no
> -# PasswordAuthentication yes
> -# HostbasedAuthentication no
> -# GSSAPIAuthentication no
> -# GSSAPIDelegateCredentials no
> -# BatchMode no
> -# CheckHostIP yes
> -# AddressFamily any
> -# ConnectTimeout 0
> -# StrictHostKeyChecking ask
> -# IdentityFile ~/.ssh/id_rsa
> -# IdentityFile ~/.ssh/id_dsa
> -# IdentityFile ~/.ssh/id_ecdsa
> -# IdentityFile ~/.ssh/id_ed25519
> -# Port 22
> -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
> -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
> -# EscapeChar ~
> -# Tunnel no
> -# TunnelDevice any:any
> -# PermitLocalCommand no
> -# VisualHostKey no
> -# ProxyCommand ssh -q -W %h:%p gateway.example.com
> -# RekeyLimit 1G 1h
> -# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> deleted file mode 100644
> index e9eaf9315775..000000000000
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ /dev/null
> @@ -1,119 +0,0 @@
> -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
> -
> -# This is the sshd server system-wide configuration file. See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented. Uncommented options override the
> -# default value.
> -
> -Include /etc/ssh/sshd_config.d/*.conf
> -
> -#Port 22
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> -#ListenAddress ::
> -
> -#HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_ecdsa_key
> -#HostKey /etc/ssh/ssh_host_ed25519_key
> -
> -# Ciphers and keying
> -#RekeyLimit default none
> -
> -# Logging
> -#SyslogFacility AUTH
> -#LogLevel INFO
> -
> -# Authentication:
> -
> -#LoginGraceTime 2m
> -#PermitRootLogin prohibit-password
> -#StrictModes yes
> -#MaxAuthTries 6
> -#MaxSessions 10
> -
> -#PubkeyAuthentication yes
> -
> -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> -# but this is overridden so installations will only check .ssh/authorized_keys
> -AuthorizedKeysFile .ssh/authorized_keys
> -
> -#AuthorizedPrincipalsFile none
> -
> -#AuthorizedKeysCommand none
> -#AuthorizedKeysCommandUser nobody
> -
> -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#HostbasedAuthentication no
> -# Change to yes if you don't trust ~/.ssh/known_hosts for
> -# HostbasedAuthentication
> -#IgnoreUserKnownHosts no
> -# Don't read the user's ~/.rhosts and ~/.shosts files
> -#IgnoreRhosts yes
> -
> -# To disable tunneled clear text passwords, change to no here!
> -#PasswordAuthentication yes
> -#PermitEmptyPasswords no
> -
> -# Change to yes to enable keyboard-interactive authentication (beware issues
> -# with some PAM modules and threads)
> -KbdInteractiveAuthentication no
> -
> -# Kerberos options
> -#KerberosAuthentication no
> -#KerberosOrLocalPasswd yes
> -#KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
> -
> -# GSSAPI options
> -#GSSAPIAuthentication no
> -#GSSAPICleanupCredentials yes
> -
> -# Set this to 'yes' to enable PAM authentication, account processing,
> -# and session processing. If this is enabled, PAM authentication will
> -# be allowed through the KbdInteractiveAuthentication and
> -# PasswordAuthentication. Depending on your PAM configuration,
> -# PAM authentication via KbdInteractiveAuthentication may bypass
> -# the setting of "PermitRootLogin without-password".
> -# If you just want the PAM account and session checks to run without
> -# PAM authentication, then enable this but set PasswordAuthentication
> -# and KbdInteractiveAuthentication to 'no'.
> -#UsePAM no
> -
> -#AllowAgentForwarding yes
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> -#X11Forwarding no
> -#X11DisplayOffset 10
> -#X11UseLocalhost yes
> -#PermitTTY yes
> -#PrintMotd yes
> -#PrintLastLog yes
> -#TCPKeepAlive yes
> -#PermitUserEnvironment no
> -Compression no
> -ClientAliveInterval 15
> -ClientAliveCountMax 4
> -#UseDNS no
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10:30:100
> -#PermitTunnel no
> -#ChrootDirectory none
> -#VersionAddendum none
> -
> -# no default banner path
> -#Banner none
> -
> -# override default of no subsystems
> -Subsystem sftp /usr/libexec/sftp-server
> -
> -# Example of overriding settings on a per-user basis
> -#Match User anoncvs
> -# X11Forwarding no
> -# AllowTcpForwarding no
> -# PermitTTY no
> -# ForceCommand cvs server
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index edd8e8c2d18f..d500ca6019fe 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -12,8 +12,6 @@ DEPENDS = "zlib openssl virtual/crypt"
> DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
> - file://sshd_config \
> - file://ssh_config \
> file://init \
> ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
> file://sshd.service \
> @@ -23,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://volatiles.99_sshd \
> file://run-ptest \
> file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
> + file://include-conf.patch \
> file://sshd_check_keys \
> file://add-test-support-for-busybox.patch \
> file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
> @@ -101,8 +100,6 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
>
> do_configure:prepend () {
> export LD="${CC}"
> - install -m 0644 ${WORKDIR}/sshd_config ${B}/
> - install -m 0644 ${WORKDIR}/ssh_config ${B}/
> }
>
> do_compile_ptest() {
> --
> 2.44.0
>
>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [PATCH 2/7] openssh-config: initial checkin
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:41 ` Patchtest results for " patchtest
2024-03-11 17:18 ` [PATCH 3/7] openssh: move configuration tweaking in configuration recipe Enrico Scholz
` (7 subsequent siblings)
9 siblings, 1 reply; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Place OE specific openssh setup (which was removed in a previous
patch) in a configuration snippet.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
.../openssh/openssh-config.bb | 30 +++++++++++++++++++
.../openssh/openssh-config/80-oe.conf | 5 ++++
.../openssh/openssh_9.6p1.bb | 2 ++
3 files changed, 37 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb
create mode 100644 meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
new file mode 100644
index 000000000000..2ef6a770fcfe
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -0,0 +1,30 @@
+SUMMARY = "OE openssh configuration"
+DESCRIPTION = "Provides openssh configuration snippets which correspond to IMAGE_FEATURE"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "\
+ file://80-oe.conf \
+"
+
+do_install() {
+ d=${D}${sysconfdir}/ssh/sshd_config.d
+ install -d "$d"
+ install -p -m 0644 \
+ ${WORKDIR}/80-oe.conf \
+ "$d"/
+}
+
+python populate_packages:prepend() {
+ dir = d.expand('${sysconfdir}/ssh/sshd_config.d')
+
+ do_split_packages(d, dir, '^60-(.*)\.conf',
+ output_pattern='${PN}-%s',
+ description="openssh config for '%s' feature",
+ extra_depends='',
+ prepend=True)
+}
+
+PACKAGES_DYNAMIC = "${PN}-*"
+
+FILES:${PN} = "${sysconfdir}/ssh/sshd_config.d/80-oe.conf"
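Review bot: `do_split_packages` is called with the pattern '^60-(.*)\.conf', but the only file this recipe installs into sshd_config.d is 80-oe.conf, so the split produces no packages and PACKAGES_DYNAMIC is dead weight until some later commit adds 60-*.conf files; either add them here or say so in the commit message. The pattern is also a plain Python string containing `\.`, which newer Python versions report as an invalid escape sequence; write it as r'^60-(.*)\.conf'. Minor: `dir` shadows the Python builtin, and PACKAGES_DYNAMIC entries are regular expressions, so "^${PN}-.*" is the usual form rather than the glob-looking "${PN}-*".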
diff --git a/meta/recipes-connectivity/openssh/openssh-config/80-oe.conf b/meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
new file mode 100644
index 000000000000..9a92d3c8d197
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
@@ -0,0 +1,5 @@
+KbdInteractiveAuthentication no
+
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
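Review bot: This snippet restores four of the active settings removed from the deleted sshd_config in patch 1/7 but not `AuthorizedKeysFile .ssh/authorized_keys`, whose comment there says it deliberately stops sshd from also consulting `.ssh/authorized_keys2`; if widening back to the upstream default is intended, state it in the commit message, otherwise add the line here.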
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index d500ca6019fe..406b349f8283 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -191,6 +191,8 @@ RCONFLICTS:${PN}-sshd = "dropbear"
CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+RRECOMMENDS:${PN} += "openssh-config"
+
ALTERNATIVE_PRIORITY = "90"
ALTERNATIVE:${PN}-scp = "scp"
ALTERNATIVE:${PN}-ssh = "ssh"
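Review bot: `RRECOMMENDS:${PN} += "openssh-config"` attaches the recommendation to the `openssh` package, while the snippet is consumed by sshd, whose package is addressed as ${PN}-sshd in the CONFFILES and RCONFLICTS lines just above; an image that installs only openssh-sshd would not pull in the snippet and would silently run with the upstream defaults. Consider `RRECOMMENDS:${PN}-sshd` instead.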
--
2.44.0
* Patchtest results for [PATCH 2/7] openssh-config: initial checkin
2024-03-11 17:18 ` [PATCH 2/7] openssh-config: initial checkin Enrico Scholz
@ 2024-03-11 17:41 ` patchtest
2024-03-11 18:12 ` Enrico Scholz
0 siblings, 1 reply; 25+ messages in thread
From: patchtest @ 2024-03-11 17:41 UTC (permalink / raw)
To: Enrico Scholz; +Cc: openembedded-core
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/2-7-openssh-config-initial-checkin.patch
FAIL: test lic files chksum modified not mentioned: LIC_FILES_CHKSUM changed without "License-Update:" tag and description in commit message (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum presence (test_metadata.TestMetadata.test_lic_files_chksum_presence)
PASS: test license presence (test_metadata.TestMetadata.test_license_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test summary presence (test_metadata.TestMetadata.test_summary_presence)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
* Re: Patchtest results for [PATCH 2/7] openssh-config: initial checkin
2024-03-11 17:41 ` Patchtest results for " patchtest
@ 2024-03-11 18:12 ` Enrico Scholz
2024-03-12 13:14 ` [OE-core] " Trevor Gamblin
0 siblings, 1 reply; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 18:12 UTC (permalink / raw)
To: patchtest; +Cc: openembedded-core
patchtest@automation.yoctoproject.org writes:
> FAIL: test lic files chksum modified not mentioned: LIC_FILES_CHKSUM changed without "License-Update:" tag and description in commit message (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
This failure seems to be bogus; patch creates a new recipe with a new
LIC_FILES_CHKSUM. It does not change/update an existing tag.
Enrico
* [PATCH 3/7] openssh: move configuration tweaking in configuration recipe
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
2024-03-11 17:18 ` [PATCH 2/7] openssh-config: initial checkin Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:18 ` [PATCH 4/7] image: prepare openssh configuration Enrico Scholz
` (6 subsequent siblings)
9 siblings, 0 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Instead of applying DISTRO_FEATURE based setup directly to
sshd_config, add it to our configuration snippet.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
meta/recipes-connectivity/openssh/openssh-config.bb | 10 ++++++++++
meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 8 --------
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
index 2ef6a770fcfe..312a1c903f63 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -13,6 +13,16 @@ do_install() {
install -p -m 0644 \
${WORKDIR}/80-oe.conf \
"$d"/
+
+ f=$d/80-oe.conf
+
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+ echo "UsePAM yes" >> "$f"
+ fi
+
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
+ echo "X11Forwarding yes" >> "$f"
+ fi
}
python populate_packages:prepend() {
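Review bot: the DISTRO_FEATURES-derived lines are appended to the same 80-oe.conf that was just installed from ${WORKDIR} with `install -p`, so the shipped file no longer matches its SRC_URI source and carries no hint that part of it is generated at build time. Consider writing `UsePAM yes` / `X11Forwarding yes` to a separate snippet, or at least emitting a comment line such as `# generated from DISTRO_FEATURES` before them, so someone reading /etc/ssh/sshd_config.d on the target can tell static from generated content.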
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index 406b349f8283..e792b459d838 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -109,11 +109,6 @@ do_compile_ptest() {
do_install:append () {
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
- sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
- fi
-
- if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
- sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
fi
install -d ${D}${sysconfdir}/init.d
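Review bot: removing the `sed` that switched on `UsePAM yes` makes the PAM wiring depend on openssh-config being installed, yet `RRECOMMENDS:${PN} += "openssh-config"` in the next hunk is only a recommendation. An image that drops recommendations, or that replaces openssh-config with its own configuration package, will still get ${sysconfdir}/pam.d/sshd installed here but an sshd that never consults PAM. Either say this in the commit message or make the dependency hard when `pam` is in DISTRO_FEATURES.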
@@ -188,9 +183,6 @@ RPROVIDES:${PN}-sshd = "sshd"
RCONFLICTS:${PN} = "dropbear"
RCONFLICTS:${PN}-sshd = "dropbear"
-CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
-CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
-
RRECOMMENDS:${PN} += "openssh-config"
ALTERNATIVE_PRIORITY = "90"
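Review bot: dropping `CONFFILES:${PN}-sshd` and `CONFFILES:${PN}-ssh` is not mentioned in the commit message and changes upgrade behaviour: without CONFFILES the package manager treats ${sysconfdir}/ssh/sshd_config and ssh_config as ordinary files and overwrites local edits on upgrade. If the intent is that local changes now belong in sshd_config.d snippets, state that in the message; otherwise keep the two CONFFILES lines.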
--
2.44.0
* [PATCH 4/7] image: prepare openssh configuration
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (2 preceding siblings ...)
2024-03-11 17:18 ` [PATCH 3/7] openssh: move configuration tweaking in configuration recipe Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:18 ` [PATCH 5/7] openssh: replace 'allow-empty-password' rootfs script by configuration Enrico Scholz
` (5 subsequent siblings)
9 siblings, 0 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Add an OPENSSH_FEATURE_CONFIGURATION variable which will hold openssh
configuration packages.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
meta/classes-recipe/core-image.bbclass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass
index 40fc15cb04f2..adf236e0693e 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -55,7 +55,7 @@ FEATURE_PACKAGES_tools-sdk = "packagegroup-core-sdk packagegroup-core-standalone
FEATURE_PACKAGES_nfs-server = "packagegroup-core-nfs-server"
FEATURE_PACKAGES_nfs-client = "packagegroup-core-nfs-client"
FEATURE_PACKAGES_ssh-server-dropbear = "packagegroup-core-ssh-dropbear"
-FEATURE_PACKAGES_ssh-server-openssh = "packagegroup-core-ssh-openssh"
+FEATURE_PACKAGES_ssh-server-openssh = "packagegroup-core-ssh-openssh ${OPENSSH_FEATURE_CONFIGURATION}"
FEATURE_PACKAGES_hwcodecs = "${MACHINE_HWCODECS}"
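Review bot: `${OPENSSH_FEATURE_CONFIGURATION}` is only appended to FEATURE_PACKAGES_ssh-server-openssh, so images that pull openssh in through IMAGE_INSTALL or a custom packagegroup instead of the `ssh-server-openssh` image feature will not receive any of the feature-driven configuration packages. That is probably acceptable, but it deserves a sentence in the commit message or a comment next to the variable so that users know why their IMAGE_FEATURES have no effect in that setup.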
@@ -83,4 +83,7 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
+OPENSSH_FEATURE_CONFIGURATION = "\
+"
+
inherit image
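Review bot: the new variable has no comment explaining what it holds or that it can be pruned with `OPENSSH_FEATURE_CONFIGURATION:remove = "..."` (as the message of patch 7 later suggests); please add a short comment above the assignment. Using `?=` rather than `=` would also let a distro or image class supply its own default without needing an override.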
--
2.44.0
* [PATCH 5/7] openssh: replace 'allow-empty-password' rootfs script by configuration
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (3 preceding siblings ...)
2024-03-11 17:18 ` [PATCH 4/7] image: prepare openssh configuration Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:18 ` [PATCH 6/7] openssh: replace 'allow-root-login' " Enrico Scholz
` (4 subsequent siblings)
9 siblings, 0 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Install 'openssh-config-allow-empty-password' when corresponding
IMAGE_FEATURES are active.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
meta/classes-recipe/core-image.bbclass | 1 +
meta/classes-recipe/rootfs-postcommands.bbclass | 6 ------
meta/recipes-connectivity/openssh/openssh-config.bb | 2 ++
.../openssh/openssh-config/60-allow-empty-password.conf | 1 +
4 files changed, 4 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass
index adf236e0693e..63e0e99b2a56 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -84,6 +84,7 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
OPENSSH_FEATURE_CONFIGURATION = "\
+ ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
"
inherit image
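Review bot: style: `'',d)` lacks a space after the comma and the list literal has padding inside the brackets (`[ 'debug-tweaks', ... ]`), which differs from the surrounding class. More substantively, because the empty-password setting is now a package (`openssh-config-allow-empty-password`) rather than a rootfs-time edit, it also exists in the package feed and can be installed by name on any image; a note in the commit message that this package must never be pulled into production images would be appropriate.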
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index e81b69a239b5..88f88505b5ed 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -246,12 +246,6 @@ zap_empty_root_password () {
# allow dropbear/openssh to accept logins from accounts with an empty password string
#
ssh_allow_empty_password () {
- for config in sshd_config sshd_config_readonly; do
- if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config ]; then
- sed -i 's/^[#[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
- fi
- done
-
if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
if grep -q DROPBEAR_EXTRA_ARGS ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear 2>/dev/null ; then
if ! grep -q "DROPBEAR_EXTRA_ARGS=.*-B" ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear ; then
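Review bot: the comment above `ssh_allow_empty_password ()` still says "allow dropbear/openssh to accept logins from accounts with an empty password string", but after this hunk the function only handles dropbear. Update the comment, and mention that the openssh side is now provided by the openssh-config-allow-empty-password package, so the next reader does not go looking for the missing sshd_config edit.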
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
index 312a1c903f63..20dfe086f8ab 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -4,6 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
SRC_URI = "\
+ file://60-allow-empty-password.conf \
file://80-oe.conf \
"
@@ -11,6 +12,7 @@ do_install() {
d=${D}${sysconfdir}/ssh/sshd_config.d
install -d "$d"
install -p -m 0644 \
+ ${WORKDIR}/60-allow-empty-password.conf \
${WORKDIR}/80-oe.conf \
"$d"/
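Review bot: 60-allow-empty-password.conf is installed into ${sysconfdir}/ssh/sshd_config.d unconditionally here, next to 80-oe.conf; the split into a separate openssh-config-allow-empty-password package has to happen in `populate_packages:prepend`, which this patch does not touch. Please confirm that function claims the new file, because if it falls through into the base openssh-config package every image would ship `PermitEmptyPasswords yes`.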
diff --git a/meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf b/meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
new file mode 100644
index 000000000000..04e75ab6cefa
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
@@ -0,0 +1 @@
+PermitEmptyPasswords yes
--
2.44.0
* [PATCH 6/7] openssh: replace 'allow-root-login' rootfs script by configuration
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (4 preceding siblings ...)
2024-03-11 17:18 ` [PATCH 5/7] openssh: replace 'allow-empty-password' rootfs script by configuration Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-11 17:18 ` [PATCH 7/7] openssh: move read-only-rootfs setup in configuration snippet Enrico Scholz
` (3 subsequent siblings)
9 siblings, 0 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Install 'openssh-config-allow-root-login' when corresponding
IMAGE_FEATURES are active.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
meta/classes-recipe/core-image.bbclass | 1 +
meta/classes-recipe/rootfs-postcommands.bbclass | 6 ------
meta/recipes-connectivity/openssh/openssh-config.bb | 2 ++
.../openssh/openssh-config/60-allow-root-login.conf | 1 +
4 files changed, 4 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass
index 63e0e99b2a56..10a2905d9a27 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -85,6 +85,7 @@ IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
OPENSSH_FEATURE_CONFIGURATION = "\
${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
+ ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-root-login' ], 'openssh-config-allow-root-login', '',d)} \
"
inherit image
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index 88f88505b5ed..633f88de6ec8 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -268,12 +268,6 @@ ssh_allow_empty_password () {
# allow dropbear/openssh to accept root logins
#
ssh_allow_root_login () {
- for config in sshd_config sshd_config_readonly; do
- if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config ]; then
- sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
- fi
- done
-
if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
if grep -q DROPBEAR_EXTRA_ARGS ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear 2>/dev/null ; then
sed -i '/^DROPBEAR_EXTRA_ARGS=/ s/-w//' ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear
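Review bot: same stale comment as in the previous patch: "allow dropbear/openssh to accept root logins" above `ssh_allow_root_login ()` no longer matches a function that only touches dropbear. Adjust the comment and point to openssh-config-allow-root-login for the openssh case.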
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
index 20dfe086f8ab..d4ed661d8299 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
SRC_URI = "\
file://60-allow-empty-password.conf \
+ file://60-allow-root-login.conf \
file://80-oe.conf \
"
@@ -13,6 +14,7 @@ do_install() {
install -d "$d"
install -p -m 0644 \
${WORKDIR}/60-allow-empty-password.conf \
+ ${WORKDIR}/60-allow-root-login.conf \
${WORKDIR}/80-oe.conf \
"$d"/
diff --git a/meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf b/meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
new file mode 100644
index 000000000000..1073982f77c1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
@@ -0,0 +1 @@
+PermitRootLogin yes
--
2.44.0
* [PATCH 7/7] openssh: move read-only-rootfs setup in configuration snippet
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (5 preceding siblings ...)
2024-03-11 17:18 ` [PATCH 6/7] openssh: replace 'allow-root-login' " Enrico Scholz
@ 2024-03-11 17:18 ` Enrico Scholz
2024-03-12 13:14 ` [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets Alexander Kanavin
` (2 subsequent siblings)
9 siblings, 0 replies; 25+ messages in thread
From: Enrico Scholz @ 2024-03-11 17:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Enrico Scholz
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
This patch replaces the duplicate 'sshd_config_readonly' configuration
file and the logic behind it by an extra package which is installed when
corresponding IMAGE_FEATURES are set.
**NOTE**: this causes a regression when host keys are added manually
to the image. Users have to do
| OPENSSH_FEATURE_CONFIGURATION:remove = "openssh-config-read-only-rootfs"
in this case, or create a .bbappend for openssh-config which sets
RO_KEYDIR.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
meta/classes-recipe/core-image.bbclass | 12 ++++++++++++
meta/classes-recipe/rootfs-postcommands.bbclass | 13 +------------
meta/recipes-connectivity/openssh/openssh-config.bb | 7 +++++++
meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 7 +------
4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass
index 10a2905d9a27..477b6ba47042 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -84,8 +84,20 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
OPENSSH_FEATURE_CONFIGURATION = "\
+ ${@'openssh-config-read-only-rootfs' if etc_is_readonly(d) else ''} \
${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-root-login' ], 'openssh-config-allow-root-login', '',d)} \
"
+def etc_is_readonly(d):
+ features = (d.getVar('IMAGE_FEATURES') or "").split()
+
+ if 'read-only-rootfs' not in features:
+ return False
+
+ if 'stateless-rootfs' in features:
+ return True
+
+ return 'overlayfs-etc' not in features
+
inherit image
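Review bot: `etc_is_readonly(d)` decides purely from IMAGE_FEATURES, whereas the rootfs hook it replaces also tested whether `ssh_host_rsa_key` already existed in the image before redirecting sshd to the volatile key directory; that missing check is exactly the regression the commit message admits. Rather than asking users to `:remove` the package, consider keeping the key-presence test (for example by dropping the read-only snippet in a ROOTFS_POSTPROCESS_COMMAND when keys are present), or at least document the behaviour in a comment above OPENSSH_FEATURE_CONFIGURATION. The helper also duplicates the overlayfs-etc / stateless-rootfs expression still inlined in read_only_rootfs_hook; using one helper in both places would keep them in sync.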
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index 633f88de6ec8..ba6eb84e4055 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -188,21 +188,10 @@ read_only_rootfs_hook () {
fi
# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
- # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
- # and the keys under /var/run/ssh.
+ # we should configure dropbear to use the keys under /var/lib/dropbear
# If overlayfs-etc is used this is not done as /etc is treated as writable
# If stateless-rootfs is enabled this is always done as we don't want to save keys then
if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then
- if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
- if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
- echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
- else
- echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
- fi
- fi
-
# Also tweak the key location for dropbear in the same way.
if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
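Review bot: the comment block is now inconsistent: the first line still reads "If we're using openssh and the /etc/ssh directory has no pre-generated keys," while the new second line talks about dropbear, and the later `# Also tweak the key location for dropbear in the same way.` has nothing left to refer back to. Rewrite the comment to describe only the dropbear case and note that the openssh equivalent moved to openssh-config.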
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
index d4ed661d8299..d2d0d9f4ad0d 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -9,6 +9,9 @@ SRC_URI = "\
file://80-oe.conf \
"
+RO_KEYDIR ??= "/var/run/ssh"
+KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
+
do_install() {
d=${D}${sysconfdir}/ssh/sshd_config.d
install -d "$d"
@@ -27,6 +30,10 @@ do_install() {
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
echo "X11Forwarding yes" >> "$f"
fi
+
+ for alg in ${KEY_ALGORITHMS}; do
+ printf 'HostKey %s/ssh_host_%s_key\n' '${RO_KEYDIR}' "$alg"
+ done > $d/60-read-only-rootfs.conf
}
python populate_packages:prepend() {
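Review bot: the HostKey snippet is written to `$d/60-read-only-rootfs.conf` unconditionally and, like the other 60-* files, relies on `populate_packages:prepend` (unchanged in this patch) to move it into openssh-config-read-only-rootfs; if that split uses an explicit file list rather than a `60-*` glob, the new file lands in the base package and points every image at `${RO_KEYDIR}`. Two smaller points: `${RO_KEYDIR}` is expanded by BitBake before the shell sees it, so wrapping it in single quotes does not protect against a `'` in the value, and `> $d/...` is unquoted while `"$d"/` is used a few lines above.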
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index e792b459d838..29bc132de8ef 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -121,11 +121,6 @@ do_install:append () {
# Create config files for read-only rootfs
install -d ${D}${sysconfdir}/ssh
- install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
- sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
install -d ${D}${systemd_system_unitdir}
if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
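Review bot: with the sshd_config_readonly generation removed, the surviving `# Create config files for read-only rootfs` comment no longer describes anything; `install -d ${D}${sysconfdir}/ssh` is still needed by the rest of do_install, so keep the line but fix or drop the comment.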
@@ -165,7 +160,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
FILES:${PN}-scp = "${bindir}/scp.${BPN}"
FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
-FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
FILES:${PN}-sftp = "${bindir}/sftp"
FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
--
2.44.0
* Re: [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (6 preceding siblings ...)
2024-03-11 17:18 ` [PATCH 7/7] openssh: move read-only-rootfs setup in configuration snippet Enrico Scholz
@ 2024-03-12 13:14 ` Alexander Kanavin
2024-03-14 11:00 ` Richard Purdie
[not found] ` <17BC9C80577EA5C2.22340@lists.openembedded.org>
9 siblings, 0 replies; 25+ messages in thread
From: Alexander Kanavin @ 2024-03-12 13:14 UTC (permalink / raw)
To: enrico.scholz; +Cc: openembedded-core
It's a very much welcome refactoring (existing code is an inconsistent
mess), but there's also a feature freeze right now, and this patchset
is invasive. Can you resubmit once the LTS is out?
Alex
On Mon, 11 Mar 2024 at 18:19, Enrico Scholz via lists.openembedded.org
<enrico.scholz=sigma-chemnitz.de@lists.openembedded.org> wrote:
>
> To deal with system setups, sshd was configured in the following way:
>
> - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
> x11) are patched in during do_install
>
> --> this is difficult to maintain; e.g. sshd_config must be
> synchronized between OpenSSH releases and OE adaptations
> manually inserted
>
> - two different configuration files (sshd_config + sshd_config_readonly)
> are created; IMAGE_FEATURES decides which one is used and it is patched
> in a ROOTFS_COMMAND in the system
>
> --> this makes it difficult for third party recipes to incorporate
> their changes (they have to go over both files)
>
> --> the readonly HostKey locations and algorithms are hardcoded
> which makes it difficult to place them e.g. on a persistent
> /opt partition and disable e.g. ecdsa
>
> - depending on IMAGE_FEATURES (empty passwords, root login), both
> files are patched by a ROOTFS_POSTCOMMAND
>
> --> these changes are lost when pkgmgmt is used for the image and
> openssh being updated
>
>
> The patchset:
>
> - reduces changes to sshd_config to
>
> | Include /etc/ssh/sshd_config.d/*.conf
>
> --> This is already done in the current recipe and most mainline
> Linux distributions are doing it
>
> - moves configuration in new openssh-config recipe which is a weak
> dependency of openssh (and can be replaced by another IMAGE_INSTALL)
>
> Recipe ships configuration as small snippets which might contain
> dynamically created content (e.g. 'UsePAM yes')
>
> - IMAGE_FEATURE based setup is done by creating subpackages with
> the corresponding options. These subpackages are added to
> FEATURE_PACKAGES_ssh-server-openssh
>
> - readonly rootfs setup has been enhanced by
>
> | RO_KEYDIR ??= "/var/run/ssh"
> | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
>
> parameters which can be overridden.
>
>
> Enrico Scholz (7):
> openssh: replace complete configuration files by patch
> openssh-config: initial checkin
> openssh: move configuration tweaking in configuration recipe
> image: prepare openssh configuration
> openssh: replace 'allow-empty-password' rootfs script by configuration
> openssh: replace 'allow-root-login' rootfs script by configuration
> openssh: move read-only-rootfs setup in configuration snippet
>
> meta/classes-recipe/core-image.bbclass | 19 ++-
> .../rootfs-postcommands.bbclass | 25 +---
> .../openssh/openssh-config.bb | 51 ++++++++
> .../60-allow-empty-password.conf | 1 +
> .../openssh-config/60-allow-root-login.conf | 1 +
> .../openssh/openssh-config/80-oe.conf | 5 +
> .../openssh/openssh/include-conf.patch | 32 +++++
> .../openssh/openssh/ssh_config | 48 -------
> .../openssh/openssh/sshd_config | 119 ------------------
> .../openssh/openssh_9.6p1.bb | 20 +--
> 10 files changed, 112 insertions(+), 209 deletions(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb
> create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
> create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
> create mode 100644 meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
> create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> --
> 2.44.0
>
* Re: [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
` (7 preceding siblings ...)
2024-03-12 13:14 ` [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets Alexander Kanavin
@ 2024-03-14 11:00 ` Richard Purdie
2024-03-14 14:11 ` Enrico Scholz
[not found] ` <17BC9C80577EA5C2.22340@lists.openembedded.org>
9 siblings, 1 reply; 25+ messages in thread
From: Richard Purdie @ 2024-03-14 11:00 UTC (permalink / raw)
To: enrico.scholz, openembedded-core
On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via lists.openembedded.org wrote:
> To deal with system setups, sshd was configured in the following way:
>
> - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
> x11) are patched in during do_install
>
> --> this is difficult to maintain; e.g. sshd_config must be
> synchronized between OpenSSH releases and OE adaptations
> manually inserted
>
> - two different configuration files (sshd_config + sshd_config_readonly)
> are created; IMAGE_FEATURES decides which one is used and it is patched
> in a ROOTFS_COMMAND in the system
>
> --> this makes it difficult for third party recipes to incorporate
> their changes (they have to go over both files)
>
> --> the readonly HostKey locations and algorithms are hardcoded
> which makes it difficult to place them e.g. on a persistent
> /opt partition and disable e.g. ecdsa
>
> - depending on IMAGE_FEATURES (empty passwords, root login), both
> files are patched by a ROOTFS_POSTCOMMAND
>
> --> these changes are lost when pkgmgmt is used for the image and
> openssh being updated
>
>
> The patchset:
>
> - reduces changes to sshd_config to
>
> | Include /etc/ssh/sshd_config.d/*.conf
>
> --> This is already done in the current recipe and most mainline
> Linux distributions are doing it
>
> - moves configuration in new openssh-config recipe which is a weak
> dependency of openssh (and can be replaced by another IMAGE_INSTALL)
>
> Recipe ships configuration as small snippets which might contain
> dynamically created content (e.g. 'UsePAM yes')
>
> - IMAGE_FEATURE based setup is done by creating subpackages with
> the corresponding options. These subpackages are added to
> FEATURE_PACKAGES_ssh-server-openssh
>
> - readonly rootfs setup has been enhanced by
>
> | RO_KEYDIR ??= "/var/run/ssh"
> | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
>
> parameters which can be overridden.
Thanks for sending this. I suspect something like this might be
desirable however unfortunately the timing is a little tricky as we're
just past the feature freeze point for 5.0.
I know people often want to push for the inclusion of things into
something like the LTS so I did put this through the automated testing,
just to get an idea of the potential issues.
The first run had lots of these warnings:
https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings
so I squashed a fix in for that. The second run had this:
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio
which suggests ssh connections into our image testing don't work. It
is unclear why that is failing there but there were indications in the
previous build that other ssh connections were working ok. It could be
dropbear vs openssh at a guess. That build is still ongoing too so
there may be other issues.
Anyway I just wanted to highlight the testing results and to say that
this is something we should think about but it will have to wait until
after 5.0 releases.
I haven't reviewed the patches in much detail; I mainly wanted to get
the automated testing results shared.
Cheers,
Richard
* Re: [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets
[not found] ` <17BC9C80577EA5C2.22340@lists.openembedded.org>
@ 2024-03-14 13:40 ` Richard Purdie
2024-03-14 14:57 ` Enrico Scholz
0 siblings, 1 reply; 25+ messages in thread
From: Richard Purdie @ 2024-03-14 13:40 UTC (permalink / raw)
To: enrico.scholz, openembedded-core
On Thu, 2024-03-14 at 11:00 +0000, Richard Purdie via
lists.openembedded.org wrote:
> On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via
> lists.openembedded.org wrote:
> > To deal with system setups, sshd was configured in the following
> > way:
> >
> > - sshd_config is shipped completely by OE and DISTRO_FEATURES
> > (pam,
> > x11) are patched in during do_install
> >
> > --> this is difficult to maintain; e.g. sshd_config must be
> > synchronized between OpenSSH releases and OE adaptations
> > manually inserted
> >
> > - two different configuration files (sshd_config +
> > sshd_config_readonly)
> > are created; IMAGE_FEATURES decides which one is used and it is
> > patched
> > in a ROOTFS_COMMAND in the system
> >
> > --> this makes it difficult for third party recipes to
> > incorporate
> > their changes (they have to go over both files)
> >
> > --> the readonly HostKey locations and algorithms are hardcoded
> > which makes it difficult to place them e.g. on a persistent
> > /opt partition and disable e.g. ecdsa
> >
> > - depending on IMAGE_FEATURES (empty passwords, root login), both
> > files are patched by a ROOTFS_POSTCOMMAND
> >
> > --> these changes are lost when pkgmgmt is used for the image
> > and
> > openssh being updated
> >
> >
> > The patchset:
> >
> > - reduces changes to sshd_config to
> >
> > | Include /etc/ssh/sshd_config.d/*.conf
> >
> > --> This is already done in the current recipe and most mainline
> > Linux distributions are doing it
> >
> > - moves configuration in new openssh-config recipe which is a weak
> > dependency of openssh (and can be replaced by another
> > IMAGE_INSTALL)
> >
> > Recipe ships configuration as small snippets which might contain
> > dynamically created content (e.g. 'UsePAM yes')
> >
> > - IMAGE_FEATURE based setup is done by creating subpackages with
> > the corresponding options. These subpackages are added to
> > FEATURE_PACKAGES_ssh-server-openssh
> >
> > - readonly rootfs setup has been enhanced by
> >
> > | RO_KEYDIR ??= "/var/run/ssh"
> > | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
> >
> > parameters which can be overridden.
>
>
> Thanks for sending this. I suspect something like this might be
> desirable however unfortunately the timing is a little tricky as
> we're
> just past the feature freeze point for 5.0.
>
> I know people often want to push for the inclusion of things into
> something like the LTS so I did put this through the automated
> testing,
> just to get an idea of the potential issues.
>
> The first run had lots of these warnings:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings
>
> so I squashed a fix in for that. The second run had this:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio
>
> which suggests ssh connections into our image testing don't work.
> It
> is unclear why that is failing there but there were indications in
> the
> previous build that other ssh connections were working ok. It could
> be
> dropbear vs openssh at a guess. That build is still ongoing too so
> there may be other issues.
>
> Anyway I just wanted to highlight the testing results and to say that
> this is something we should think about but it will have to wait
> until
> after 5.0 releases.
>
> I haven't reviewed the patches in much detail; I mainly wanted to get
> the automated testing results shared.
Some further related warnings:
https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/9031/steps/11/logs/warnings
Cheers,
Richard