commit:     f0469c1f161335aad3997e34f9cef0af0436a502
Author:     Matt Jolly <Matt.Jolly <AT> footclan <DOT> ninja>
AuthorDate: Thu Feb  2 05:44:07 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 00:10:07 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0469c1f

net-misc/openssh: update systemd units

- Systemd unit file now sets:
  + OOMPolicy=continue
  + Restart=on-failure
  + RestartSec=42s
- Removed `After=syslog.target` from sshd unit files
- Remove obsolete substitutions

Closes: https://bugs.gentoo.org/892784
Closes: https://github.com/gentoo/gentoo/pull/29386
Signed-off-by: Matt Jolly <Matt.Jolly <AT> footclan.ninja>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 net-misc/openssh/files/sshd.service.1               | 15 +++++++++++++++
 net-misc/openssh/files/sshd_at.service.1            |  8 ++++++++
 ...enssh-9.2_p1.ebuild => openssh-9.2_p1-r1.ebuild} | 21 ++++++++++++---------
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/net-misc/openssh/files/sshd.service.1 
b/net-misc/openssh/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
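Review bot: `Restart=on-failure` combined with `RestartSec=42s` in the [Service] section is effectively an unbounded restart loop, because systemd's default start-rate limit (5 starts within 10 s) can never trip at a 42 s spacing; anyone who can make the listener die remotely — the exact scenario the ebuild's own ewarn warns about — gets an unlimited supply of fresh sshd processes to retry against. Bounding the loop in the [Unit] section, e.g. `StartLimitIntervalSec=10min` and `StartLimitBurst=5`, keeps the transient-fault recovery this change is after while putting the unit into failed state after repeated crashes, which is also the point at which an operator should be looking at it. The 42 s interval itself is unexplained; a one-line comment above `RestartSec=` stating why that value was chosen would help the next maintainer.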

diff --git a/net-misc/openssh/files/sshd_at.service.1 
b/net-misc/openssh/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
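Review bot: The per-connection unit runs `sshd -i`, so the listening daemon's MaxStartups throttling from sshd_config does not apply on this path — each accepted connection becomes its own sshd process, and the only concurrency control is presumably whatever sshd.socket (not part of this diff) sets. A comment in the unit would keep that from being overlooked, e.g. `# inetd mode: MaxStartups does not apply; bound concurrency with MaxConnections= in sshd.socket`. The leading `-` on ExecStart deliberately ignores a non-zero exit from a single failed session, which is also worth a one-line note so it is not "fixed" away later.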

diff --git a/net-misc/openssh/openssh-9.2_p1.ebuild 
b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
similarity index 95%
rename from net-misc/openssh/openssh-9.2_p1.ebuild
rename to net-misc/openssh/openssh-9.2_p1-r1.ebuild
index 9fa1599bd620..8a348bd91862 100644
--- a/net-misc/openssh/openssh-9.2_p1.ebuild
+++ b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
 
@@ -269,10 +269,6 @@ src_prepare() {
                        "${S}"/version.h || die "Failed to patch SSH_RELEASE 
(version.h)"
        fi
 
-       sed -i \
-               -e "/#UseLogin no/d" \
-               "${S}"/sshd_config || die "Failed to remove removed UseLogin 
option (sshd_config)"
-
        eapply_user #473004
 
        # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@@ -282,8 +278,6 @@ src_prepare() {
        tc-export PKG_CONFIG
        local sed_args=(
                -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-               # Disable PATH reset, trust what portage gives us #254615
-               -e 's:^PATH=/:#PATH=/:'
                # Disable fortify flags ... our gcc does this for us
                -e 's:-D_FORTIFY_SOURCE=2::'
        )
@@ -443,8 +437,9 @@ src_install() {
        dodir /etc/skel/.ssh
        rmdir "${ED}"/var/empty || die
 
-       systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-       systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+       systemd_dounit "${FILESDIR}"/sshd.socket
+       systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+       systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
 }
 
 pkg_preinst() {
@@ -492,6 +487,14 @@ pkg_postinst() {
                        ewarn "will not be able to establish new sessions. 
Restarting sshd over a ssh"
                        ewarn "connection is generally safe."
                fi
+               if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; 
then
+                       ewarn "From openssh-9.2_p1-r1 the supplied systemd unit 
file defaults to"
+                       ewarn "'Restart=on-failure', which causes the service 
to automatically restart if it"
+                       ewarn "terminates with an unclean exit code or signal. 
This feature is useful for most users,"
+                       ewarn "but it can increase the vulnerability of the 
system in the event of a future exploit."
+                       ewarn "If you have a web-facing setup or are concerned 
about security, it is recommended to"
+                       ewarn "set 'Restart=no' in your sshd unit file."
+               fi
        done
 
        if [[ -n ${show_ssl_warning} ]]; then
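Review bot: The new ewarn tells users to set `Restart=no` "in your sshd unit file", but the unit this commit installs is package-owned and is replaced on every openssh upgrade, so an edit made there is silently lost; the advice should point at a drop-in instead, e.g. `ewarn "set 'Restart=no' via 'systemctl edit sshd.service' (a drop-in override survives package upgrades)."`. It is also worth offering the middle ground of bounding restarts with `StartLimitIntervalSec=`/`StartLimitBurst=` in the same drop-in, since an unbounded on-failure restart is what makes crash-and-retry exploitation cheap. The enclosing `for` loop over replaced versions, and pkg_postinst itself, begin before this hunk, so the warning is emitted once per replaced version, matching the neighbouring restart warning.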
