On Wed, Mar 29, 2017 at 12:01:49AM +0200, Clemens Gruber wrote: > Update to 7.5p1 and refresh default sshd_config. > > Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
Thanks, applied, Michael
> ---
>
> Changes from v1:
> - Use sshd user for privsep instead of nobody (Otherwise it runs as root!)
>
> projectroot/etc/ssh/sshd_config | 19 ++-----------------
> rules/openssh.make | 17 ++++++++++++-----
> 2 files changed, 14 insertions(+), 22 deletions(-)
>
> diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
> index f53cb3d8f..7da4b2f26 100644
> --- a/projectroot/etc/ssh/sshd_config
> +++ b/projectroot/etc/ssh/sshd_config
> @@ -1,4 +1,4 @@
> -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
> +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
> @@ -15,26 +15,15 @@
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> -# The default requires explicit activation of protocol 1
> -#Protocol 2
> -
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
>
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 1024
> -
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> -# obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> @@ -46,7 +35,6 @@ PermitRootLogin yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> -#RSAAuthentication yes
> #PubkeyAuthentication yes
>
> # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> @@ -59,11 +47,9 @@ AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> +# HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> @@ -107,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> -UsePrivilegeSeparation sandbox # Default for new installations.
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> diff --git a/rules/openssh.make b/rules/openssh.make
> index 198916366..ae2338b5a 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -17,13 +17,14 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
> #
> # Paths and names
> #
> -OPENSSH_VERSION := 7.3p1
> -OPENSSH_MD5 := dfadd9f035d38ce5d58a3bf130b86d08
> +OPENSSH_VERSION := 7.5p1
> +OPENSSH_MD5 := 652fdc7d8392f112bef11cacf7e69e23
> OPENSSH := openssh-$(OPENSSH_VERSION)
> OPENSSH_SUFFIX := tar.gz
> OPENSSH_URL := \
> -
> http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> \
> -
> http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> +
> https://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> \
> +
> https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).$(OPENSSH_SUFFIX)
> +
> OPENSSH_SOURCE := $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
> OPENSSH_DIR := $(BUILDDIR)/$(OPENSSH)
> OPENSSH_LICENSE := BSD, 2-term BSD, 3-term BSD, MIT, THE BEER-WARE
> LICENSE
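Review bot: The only integrity pin on the new tarball is `OPENSSH_MD5`, and MD5 is no longer collision resistant, so the digest written here should be taken from, or checked against, the upstream signed release rather than computed from whichever mirror served the download; the move to https mirrors in the same hunk protects the transfer but does not replace that check. If ptxdist's fetch layer offers a stronger digest variable, prefer it; otherwise a comment on the OPENSSH_MD5 line such as `# digest cross-checked against the upstream release signature` would record where the value came from. The OPENSSH_URL continuation lines appear mail-wrapped in this quote, so their exact layout in the committed file cannot be verified from here.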
> @@ -46,6 +47,7 @@ OPENSSH_CONF_OPT := \
> --libexecdir=/usr/sbin \
> --sysconfdir=/etc/ssh \
> $(GLOBAL_LARGE_FILE_OPTION) \
> + --disable-pkcs11 \
> --disable-strip \
> --disable-etc-default-login \
> --disable-lastlog \
> @@ -57,9 +59,11 @@ OPENSSH_CONF_OPT := \
> --disable-pututline \
> --disable-pututxline \
> --with-openssl \
> + --without-ssh1 \
> --with-stackprotect \
> --with-hardening \
> --without-rpath \
> + --without-Werror \
> --with-zlib=$(SYSROOT) \
> --without-skey \
> --without-ldns \
> @@ -68,8 +72,11 @@ OPENSSH_CONF_OPT := \
> --with-pie \
> --without-ssl-engine \
> --without-pam \
> + --with-privsep-user=sshd \
> + --with-sandbox=seccomp_filter \
> --$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
> - --with-privsep-path=/var/run/sshd
> + --with-privsep-path=/var/run/sshd \
> + --without-md5-passwords
>
> #
> ----------------------------------------------------------------------------
> # Target-Install
> --
> 2.12.1
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
-- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
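Review bot: `--with-privsep-user=sshd` in the third hunk only tells configure which account the pre-auth child should drop to; nothing in this patch creates an `sshd` user or group on the target, and sshd refuses to start when the privilege-separation user does not exist, so either the target's passwd/group provisioning already carries that entry (then a comment on this line, e.g. `# privsep user must exist on the target`, would make the dependency visible) or it still needs adding. Likewise `--with-sandbox=seccomp_filter` hard-wires the sandbox instead of letting configure probe for it, which is reasonable when cross-compiling, but the sandbox cannot be applied on target kernels built without seccomp filter support (CONFIG_SECCOMP_FILTER) or on architectures OpenSSH's filter does not cover; from the build rule alone one cannot tell whether that ends in a startup failure or a silently missing sandbox, so the kernel requirement is worth stating in a comment next to that line. The enclosing OPENSSH_CONF_OPT assignment starts before these hunks.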