* [ptxdist] [PATCH v2] openssh: update 7.3p1 -> 7.5p1
@ 2017-03-28 22:01 Clemens Gruber
From: Clemens Gruber @ 2017-03-28 22:01 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Update to 7.5p1 and refresh default sshd_config.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
Changes from v1:
- Use sshd user for privsep instead of nobody (Otherwise it runs as root!)
projectroot/etc/ssh/sshd_config | 19 ++-----------------
rules/openssh.make | 17 ++++++++++++-----
2 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index f53cb3d8f..7da4b2f26 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -15,26 +15,15 @@
#ListenAddress 0.0.0.0
#ListenAddress ::
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
# Ciphers and keying
#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
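Review bot: the protocol 1 block (Protocol, ssh_host_key, KeyRegenerationInterval, ServerKeyBits) is dropped here while the shipped template still carries the commented `#HostKey /etc/ssh/ssh_host_dsa_key` line; since ssh-dss has been disabled by default since OpenSSH 7.0, consider dropping that line too so nobody re-enables a DSA host key by uncommenting it. Otherwise this hunk is consistent with the `--without-ssh1` configure change in rules/openssh.make.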
@@ -46,7 +35,6 @@ PermitRootLogin yes
#MaxAuthTries 6
#MaxSessions 10
-#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
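Review bot: the hunk context shows the template still ships with `PermitRootLogin yes`, which is the upstream default only for the old `without-password` behaviour replaced by `prohibit-password` in 7.x; removing `#RSAAuthentication yes` is fine, but while refreshing this file it would be worth either switching to `PermitRootLogin prohibit-password` or noting in the commit message that root password login is left enabled on purpose for BSP images.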
@@ -59,11 +47,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -107,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
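Review bot: dropping `UsePrivilegeSeparation sandbox` matches OpenSSH 7.5, where the directive is deprecated and privilege separation with sandboxing is always on. The consequence for targets is that sshd now unconditionally needs the privsep user and `/var/run/sshd` at startup, so the `--with-privsep-user=sshd` change below is not optional: an image without an `sshd` account in /etc/passwd will get a non-starting sshd rather than a silent fallback.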
diff --git a/rules/openssh.make b/rules/openssh.make
index 198916366..ae2338b5a 100644
--- a/rules/openssh.make
+++ b/rules/openssh.make
@@ -17,13 +17,14 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
#
# Paths and names
#
-OPENSSH_VERSION := 7.3p1
-OPENSSH_MD5 := dfadd9f035d38ce5d58a3bf130b86d08
+OPENSSH_VERSION := 7.5p1
+OPENSSH_MD5 := 652fdc7d8392f112bef11cacf7e69e23
OPENSSH := openssh-$(OPENSSH_VERSION)
OPENSSH_SUFFIX := tar.gz
OPENSSH_URL := \
- http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+ https://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
+ https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
+
OPENSSH_SOURCE := $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
OPENSSH_DIR := $(BUILDDIR)/$(OPENSSH)
OPENSSH_LICENSE := BSD, 2-term BSD, 3-term BSD, MIT, THE BEER-WARE LICENSE
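Review bot: moving both download URLs from http:// to https:// is the right call, since the only integrity check here is `OPENSSH_MD5`, and MD5 alone gives no protection against a tampered tarball served over plaintext. The hunk also drops the openbsd.cs.fau.de mirror in favour of mirror.hs-esslingen.de; the commit message should mention the mirror swap so that anyone chasing a download failure knows it was deliberate.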
@@ -46,6 +47,7 @@ OPENSSH_CONF_OPT := \
--libexecdir=/usr/sbin \
--sysconfdir=/etc/ssh \
$(GLOBAL_LARGE_FILE_OPTION) \
+ --disable-pkcs11 \
--disable-strip \
--disable-etc-default-login \
--disable-lastlog \
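Review bot: `--disable-pkcs11` is a new configure option that is not mentioned in the commit message or the v1 changelog. Please state the reason (e.g. no dlopen/PKCS#11 provider support wanted on the target) so it is clear this is intentional shrinkage and not a workaround for a build problem.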
@@ -57,9 +59,11 @@ OPENSSH_CONF_OPT := \
--disable-pututline \
--disable-pututxline \
--with-openssl \
+ --without-ssh1 \
--with-stackprotect \
--with-hardening \
--without-rpath \
+ --without-Werror \
--with-zlib=$(SYSROOT) \
--without-skey \
--without-ldns \
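Review bot: `--without-ssh1` is good and matches the protocol 1 cleanup in sshd_config, but `--without-Werror` silently relaxes the build and is also undocumented; if it is needed because 7.5p1 trips new warnings with the cross toolchain, say so in the commit message, and ideally note which warnings, so the option can be removed again once upstream or the toolchain is fixed.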
@@ -68,8 +72,11 @@ OPENSSH_CONF_OPT := \
--with-pie \
--without-ssl-engine \
--without-pam \
+ --with-privsep-user=sshd \
+ --with-sandbox=seccomp_filter \
--$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
- --with-privsep-path=/var/run/sshd
+ --with-privsep-path=/var/run/sshd \
+ --without-md5-passwords
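Review bot: `--with-privsep-user=sshd` fixes the v1 problem described in the changelog, but nothing in this patch creates the `sshd` user; please confirm the target's /etc/passwd (or the ptxdist user/group generation) provides it, otherwise sshd fails at startup with privsep now mandatory. `--with-sandbox=seccomp_filter` is the strongest option on Linux but requires the target kernel to be built with seccomp filter support; a kernel without it makes the sandbox setup fail at runtime, which is a target-kernel requirement worth stating in the commit message. `--without-md5-passwords` only affects OpenSSH's own MD5-crypt fallback and is harmless where libc crypt() already handles the configured hash types.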
# ----------------------------------------------------------------------------
# Target-Install
--
2.12.1
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
* Re: [ptxdist] [PATCH v2] openssh: update 7.3p1 -> 7.5p1
From: Michael Olbrich @ 2017-04-03 8:33 UTC (permalink / raw)
To: ptxdist
On Wed, Mar 29, 2017 at 12:01:49AM +0200, Clemens Gruber wrote:
> Update to 7.5p1 and refresh default sshd_config.
>
> Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Thanks, applied,
Michael
> ---
>
> Changes from v1:
> - Use sshd user for privsep instead of nobody (Otherwise it runs as root!)
>
> projectroot/etc/ssh/sshd_config | 19 ++-----------------
> rules/openssh.make | 17 ++++++++++++-----
> 2 files changed, 14 insertions(+), 22 deletions(-)
>
> diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
> index f53cb3d8f..7da4b2f26 100644
> --- a/projectroot/etc/ssh/sshd_config
> +++ b/projectroot/etc/ssh/sshd_config
> @@ -1,4 +1,4 @@
> -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
> +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
> @@ -15,26 +15,15 @@
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> -# The default requires explicit activation of protocol 1
> -#Protocol 2
> -
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
>
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 1024
> -
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> -# obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> @@ -46,7 +35,6 @@ PermitRootLogin yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> -#RSAAuthentication yes
> #PubkeyAuthentication yes
>
> # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> @@ -59,11 +47,9 @@ AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> +# HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> @@ -107,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> -UsePrivilegeSeparation sandbox # Default for new installations.
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> diff --git a/rules/openssh.make b/rules/openssh.make
> index 198916366..ae2338b5a 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -17,13 +17,14 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
> #
> # Paths and names
> #
> -OPENSSH_VERSION := 7.3p1
> -OPENSSH_MD5 := dfadd9f035d38ce5d58a3bf130b86d08
> +OPENSSH_VERSION := 7.5p1
> +OPENSSH_MD5 := 652fdc7d8392f112bef11cacf7e69e23
> OPENSSH := openssh-$(OPENSSH_VERSION)
> OPENSSH_SUFFIX := tar.gz
> OPENSSH_URL := \
> - http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
> - http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> + https://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX) \
> + https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> +
> OPENSSH_SOURCE := $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
> OPENSSH_DIR := $(BUILDDIR)/$(OPENSSH)
> OPENSSH_LICENSE := BSD, 2-term BSD, 3-term BSD, MIT, THE BEER-WARE LICENSE
> @@ -46,6 +47,7 @@ OPENSSH_CONF_OPT := \
> --libexecdir=/usr/sbin \
> --sysconfdir=/etc/ssh \
> $(GLOBAL_LARGE_FILE_OPTION) \
> + --disable-pkcs11 \
> --disable-strip \
> --disable-etc-default-login \
> --disable-lastlog \
> @@ -57,9 +59,11 @@ OPENSSH_CONF_OPT := \
> --disable-pututline \
> --disable-pututxline \
> --with-openssl \
> + --without-ssh1 \
> --with-stackprotect \
> --with-hardening \
> --without-rpath \
> + --without-Werror \
> --with-zlib=$(SYSROOT) \
> --without-skey \
> --without-ldns \
> @@ -68,8 +72,11 @@ OPENSSH_CONF_OPT := \
> --with-pie \
> --without-ssl-engine \
> --without-pam \
> + --with-privsep-user=sshd \
> + --with-sandbox=seccomp_filter \
> --$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
> - --with-privsep-path=/var/run/sshd
> + --with-privsep-path=/var/run/sshd \
> + --without-md5-passwords
>
> # ----------------------------------------------------------------------------
> # Target-Install
> --
> 2.12.1
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
--
Pengutronix e.K. | http://www.pengutronix.de/
Industrial Linux Solutions
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Fax: +49-5121-206917-5555
Amtsgericht Hildesheim, HRA 2686