David Runge pushed to branch main at Arch Linux / Packaging / Packages / openssh
Commits:

9a5cc9b0 by Mike Yuan at 2024-07-01T19:43:51+02:00
ssh-agent.service: drop unneeded PassEnvironment=

According to systemd.exec(5):

> Note that this option is only relevant for the system service manager,
> as system services by default do not automatically inherit any
> environment variables set for the service manager itself.
> However, in case of the user service manager all environment variables
> are passed to the executed processes anyway, hence this option is
> without effect for the user service manager.

- - - - -
50a37fbb by Mike Yuan at 2024-07-01T19:45:22+02:00
ssh-agent.service: do not allow word expansion on envvar

- - - - -
900817a0 by Mike Yuan at 2024-07-01T19:46:44+02:00
sshdgenkeys.service: do not use RemainAfterExit=

RemainAfterExit=yes is pretty pointless here, but rather causes some inconsistency: if the conditions don't pass, the service stays inactive, which means when sshd.service is restarted and new key types got added, the service would actually be triggered. OTOH, if the conditions don't pass initially, the service stays active after doing its job, and sshd.service restarts would not result in reevaluation of the sshdgenkeys.service conditions.

Therefore, the behavior is mostly not useful, and sometimes could lead to confusion. Drop it.

- - - - -
c58e50d7 by Mike Yuan at 2024-07-01T21:07:34+02:00
openssh: use /usr/share/empty.sshd/ as privsep dir

The rationale can be found at https://github.com/systemd/systemd/blob/v256/NEWS#L495-L533

While Arch already ships the tmpfiles config for creating /var/empty/ at boot, that still feels kinda unnecessary. Fedora's practice is simpler and effective, hence let's embrace /usr/share/empty.sshd/.

- - - - -

4 changed files:

- PKGBUILD
- openssh.tmpfiles
- ssh-agent.service
- sshdgenkeys.service

Changes:

===================================== PKGBUILD =====================================
@@ -106,6 +106,7 @@ build() { --with-ssl-engine --with-pam --with-privsep-user=nobody + --with-privsep-path=/usr/share/empty.sshd --with-kerberos5=/usr --with-xauth=/usr/bin/xauth --with-pid-dir=/run ===================================== openssh.tmpfiles ===================================== @@ -6,4 +6,3 @@ C /etc/ssh/sshd_config.d/99-archlinux.conf d /etc/ssh/ssh_config.d d /etc/ssh/sshd_config.d -d /var/empty ===================================== ssh-agent.service ===================================== @@ -6,8 +6,7 @@ Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1) [Service] Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket -ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK -PassEnvironment=SSH_AGENT_PID +ExecStart=/usr/bin/ssh-agent -D -a ${SSH_AUTH_SOCK} SuccessExitStatus=2 Type=simple ===================================== sshdgenkeys.service ===================================== @@ -10,4 +10,3 @@ ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub [Service] ExecStart=/usr/bin/ssh-keygen -A Type=oneshot -RemainAfterExit=yes
View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/compare/af3308ddc8fcc6752f809fd20e0ea287d15734ea...c58e50d7339e03d469f3b2eaf66385f3d0b838e2
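
Review bot: In the PKGBUILD hunk, the new `--with-privsep-path=/usr/share/empty.sshd` line points sshd at a directory that none of the visible changes create, while the openssh.tmpfiles hunk drops `d /var/empty`. Please confirm that package() ships /usr/share/empty.sshd as an empty, root-owned directory that is not group- or world-writable, and consider a short comment next to the flag pointing at the systemd NEWS rationale cited in the commit message.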
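
Review bot: In the openssh.tmpfiles hunk, removing `d /var/empty` only stops the directory from being created; nothing in the change says what happens to a /var/empty that already exists on upgraded systems, or to anything else that relied on this package providing it. A sentence in the commit message stating that the existing directory is left in place and is no longer used by sshd would make the upgrade behaviour explicit.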
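
Review bot: In the ssh-agent.service hunk, `-a ${SSH_AUTH_SOCK}` still takes the socket path from the environment even though the value is fixed by `Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket` on the line above. Passing `-a %t/ssh-agent.socket` directly in ExecStart= would avoid the variable substitution altogether; if the indirection is kept so that drop-ins can override the path, a comment saying so would help. The braces are the right form if the variable stays, since systemd passes `${VAR}` as a single argument and splits `$VAR` on whitespace.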
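
Review bot: The rationale for removing `RemainAfterExit=yes` at the end of the sshdgenkeys.service hunk is hard to follow, because the commit message introduces both cases with "if the conditions don't pass"; the second one presumably means the case where they do pass and the unit stays active. Rewording that sentence would help, and a one-line comment in the unit saying that this `Type=oneshot` service is meant to return to inactive so its conditions are re-evaluated on each sshd.service restart would keep RemainAfterExit= from being re-added later.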
