From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH v2] openssh: update 7.3p1 -> 7.5p1
Date: Wed, 29 Mar 2017 00:01:49 +0200 [thread overview]
Message-ID: <20170328220149.29824-1-clemens.gruber@pqgruber.com> (raw)
Update to 7.5p1 and refresh default sshd_config.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
Changes from v1:
- Use sshd user for privsep instead of nobody (Otherwise it runs as root!)
projectroot/etc/ssh/sshd_config | 19 ++-----------------
rules/openssh.make | 17 ++++++++++++-----
2 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index f53cb3d8f..7da4b2f26 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -15,26 +15,15 @@
#ListenAddress 0.0.0.0
#ListenAddress ::
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
# Ciphers and keying
#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
@@ -46,7 +35,6 @@ PermitRootLogin yes
#MaxAuthTries 6
#MaxSessions 10
-#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -59,11 +47,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -107,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
diff --git a/rules/openssh.make b/rules/openssh.make
index 198916366..ae2338b5a 100644
--- a/rules/openssh.make
+++ b/rules/openssh.make
@@ -17,13 +17,14 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
#
# Paths and names
#
-OPENSSH_VERSION := 7.3p1
-OPENSSH_MD5 := dfadd9f035d38ce5d58a3bf130b86d08
+OPENSSH_VERSION := 7.5p1
+OPENSSH_MD5 := 652fdc7d8392f112bef11cacf7e69e23
OPENSSH := openssh-$(OPENSSH_VERSION)
OPENSSH_SUFFIX := tar.gz
OPENSSH_URL := \
- http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+ https://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
+ https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+
OPENSSH_SOURCE := $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
OPENSSH_DIR := $(BUILDDIR)/$(OPENSSH)
OPENSSH_LICENSE := BSD, 2-term BSD, 3-term BSD, MIT, THE BEER-WARE LICENSE
@@ -46,6 +47,7 @@ OPENSSH_CONF_OPT := \
--libexecdir=/usr/sbin \
--sysconfdir=/etc/ssh \
$(GLOBAL_LARGE_FILE_OPTION) \
+ --disable-pkcs11 \
--disable-strip \
--disable-etc-default-login \
--disable-lastlog \
@@ -57,9 +59,11 @@ OPENSSH_CONF_OPT := \
--disable-pututline \
--disable-pututxline \
--with-openssl \
+ --without-ssh1 \
--with-stackprotect \
--with-hardening \
--without-rpath \
+ --without-Werror \
--with-zlib=$(SYSROOT) \
--without-skey \
--without-ldns \
@@ -68,8 +72,11 @@ OPENSSH_CONF_OPT := \
--with-pie \
--without-ssl-engine \
--without-pam \
+ --with-privsep-user=sshd \
+ --with-sandbox=seccomp_filter \
--$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
- --with-privsep-path=/var/run/sshd
+ --with-privsep-path=/var/run/sshd \
+ --without-md5-passwords
# ----------------------------------------------------------------------------
# Target-Install
--
2.12.1
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
next reply other threads:[~2017-03-28 22:02 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-28 22:01 Clemens Gruber [this message]
2017-04-03 8:33 ` Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170328220149.29824-1-clemens.gruber@pqgruber.com \
--to=clemens.gruber@pqgruber.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox