mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH v2] openssh: update 7.3p1 -> 7.5p1
Date: Wed, 29 Mar 2017 00:01:49 +0200	[thread overview]
Message-ID: <20170328220149.29824-1-clemens.gruber@pqgruber.com> (raw)

Update to 7.5p1 and refresh default sshd_config.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---

Changes from v1:
- Use sshd user for privsep instead of nobody (Otherwise it runs as root!)

 projectroot/etc/ssh/sshd_config | 19 ++-----------------
 rules/openssh.make              | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index f53cb3d8f..7da4b2f26 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -15,26 +15,15 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
@@ -46,7 +35,6 @@ PermitRootLogin yes
 #MaxAuthTries 6
 #MaxSessions 10
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -59,11 +47,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommandUser nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
@@ -107,7 +93,6 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
diff --git a/rules/openssh.make b/rules/openssh.make
index 198916366..ae2338b5a 100644
--- a/rules/openssh.make
+++ b/rules/openssh.make
@@ -17,13 +17,14 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
 #
 # Paths and names
 #
-OPENSSH_VERSION	:= 7.3p1
-OPENSSH_MD5	:= dfadd9f035d38ce5d58a3bf130b86d08
+OPENSSH_VERSION	:= 7.5p1
+OPENSSH_MD5	:= 652fdc7d8392f112bef11cacf7e69e23
 OPENSSH		:= openssh-$(OPENSSH_VERSION)
 OPENSSH_SUFFIX	:= tar.gz
 OPENSSH_URL	:= \
-	http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
-	http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+	https://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
+	https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+
 OPENSSH_SOURCE	:= $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
 OPENSSH_DIR	:= $(BUILDDIR)/$(OPENSSH)
 OPENSSH_LICENSE	:= BSD, 2-term BSD, 3-term BSD, MIT, THE BEER-WARE LICENSE
@@ -46,6 +47,7 @@ OPENSSH_CONF_OPT	:= \
 	--libexecdir=/usr/sbin \
 	--sysconfdir=/etc/ssh \
 	$(GLOBAL_LARGE_FILE_OPTION) \
+	--disable-pkcs11 \
 	--disable-strip \
 	--disable-etc-default-login \
 	--disable-lastlog \
@@ -57,9 +59,11 @@ OPENSSH_CONF_OPT	:= \
 	--disable-pututline \
 	--disable-pututxline \
 	--with-openssl \
+	--without-ssh1 \
 	--with-stackprotect \
 	--with-hardening \
 	--without-rpath \
+	--without-Werror \
 	--with-zlib=$(SYSROOT) \
 	--without-skey \
 	--without-ldns \
@@ -68,8 +72,11 @@ OPENSSH_CONF_OPT	:= \
 	--with-pie \
 	--without-ssl-engine \
 	--without-pam \
+	--with-privsep-user=sshd \
+	--with-sandbox=seccomp_filter \
 	--$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
-	--with-privsep-path=/var/run/sshd
+	--with-privsep-path=/var/run/sshd \
+	--without-md5-passwords
 
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.12.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

             reply	other threads:[~2017-03-28 22:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-28 22:01 Clemens Gruber [this message]
2017-04-03  8:33 ` Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170328220149.29824-1-clemens.gruber@pqgruber.com \
    --to=clemens.gruber@pqgruber.com \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox