It's a very much welcome refactoring (existing code is an inconsistent mess), but there's also a feature freeze right now, and this patchset is invasive. Can you resubmit once the LTS is out?
Alex

On Mon, 11 Mar 2024 at 18:19, Enrico Scholz via lists.openembedded.org <enrico.scholz=sigma-chemnitz...@lists.openembedded.org> wrote:
>
> To deal with system setups, sshd was configured in the following way:
>
> - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
>   x11) are patched in during do_install
>
>   --> this is difficult to maintain; e.g. sshd_config must be
>       synchronized between OpenSSH releases and OE adaptations
>       manually inserted
>
> - two different configuration files (sshd_config + sshd_config_readonly)
>   are created; IMAGE_FEATURES decides which one is used and it is patched
>   in a ROOTFS_COMMAND in the system
>
>   --> this makes it difficult for third party recipes to incorporate
>       their changes (they have to go over both files)
>
>   --> the readonly HostKey locations and algorithms are hardcoded
>       which makes it difficult to place them e.g. on a persistent
>       /opt partition and disable e.g. ecdsa
>
> - depending on IMAGE_FEATURES (empty passwords, root login), both
>   files are patched by a ROOTFS_POSTCOMMAND
>
>   --> these changes are lost when pkgmgmt is used for the image and
>       openssh being updated
>
>
> The patchset:
>
> - reduces changes to sshd_config to
>
>   | Include /etc/ssh/sshd_config.d/*.conf
>
>   --> This is already done in the current recipe and most mainline
>       Linux distributions are doing it
>
> - moves configuration into a new openssh-config recipe which is a weak
>   dependency of openssh (and can be replaced by another IMAGE_INSTALL)
>
>   Recipe ships configuration as small snippets which might contain
>   dynamically created content (e.g. 'UsePAM yes')
>
> - IMAGE_FEATURE based setup is done by creating subpackages with
>   the corresponding options. These subpackages are added to
>   FEATURE_PACKAGES_ssh-server-openssh
>
> - readonly rootfs setup has been enhanced by
>
>   | RO_KEYDIR ??= "/var/run/ssh"
>   | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
>
>   parameters which can be overridden.
>
>
> Enrico Scholz (7):
>   openssh: replace complete configuration files by patch
>   openssh-config: initial checkin
>   openssh: move configuration tweaking in configuration recipe
>   image: prepare openssh configuration
>   openssh: replace 'allow-empty-password' rootfs script by configuration
>   openssh: replace 'allow-root-login' rootfs script by configuration
>   openssh: move read-only-rootfs setup in configuration snippet
>
>  meta/classes-recipe/core-image.bbclass        |  19 ++-
>  .../rootfs-postcommands.bbclass               |  25 +---
>  .../openssh/openssh-config.bb                 |  51 ++++++++
>  .../60-allow-empty-password.conf              |   1 +
>  .../openssh-config/60-allow-root-login.conf   |   1 +
>  .../openssh/openssh-config/80-oe.conf         |   5 +
>  .../openssh/openssh/include-conf.patch        |  32 +++++
>  .../openssh/openssh/ssh_config                |  48 -------
>  .../openssh/openssh/sshd_config               | 119 ------------------
>  .../openssh/openssh_9.6p1.bb                  |  20 +--
>  10 files changed, 112 insertions(+), 209 deletions(-)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb
>  create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
>  create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
>  create mode 100644 meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> --
> 2.44.0
>
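The design the cover letter describes hinges on one property of sshd's configuration parser: for most keywords the first value obtained is the one that applies, so a drop-in under `sshd_config.d/` only takes effect if the `Include` line is processed before the main file sets the same keyword. The resolver below is an added example, not code from the thread or from the openembedded-core recipes; it models that first-value-wins rule (including glob expansion of `Include`) and runs it over a constructed layout that follows the snippet names from the patchset. The snippet contents (`PermitRootLogin yes` in `60-allow-root-login.conf`, `UsePAM yes` and `X11Forwarding no` in `80-oe.conf`) and the main-file directives are assumptions made for the demonstration; `Match` blocks are not modelled, and relative `Include` patterns are resolved against the including file's directory instead of `/etc/ssh` so the example can run in a temporary directory.

```python
"""Model of sshd's first-obtained-value configuration rule (added example,
not part of the openembedded-core patchset).  Snippet names follow the
cover letter; snippet contents and directives are constructed for the demo."""
import glob
import os
import shlex
import tempfile


def parse_sshd_config(path, seen=None):
    """Return {keyword: value} for the effective configuration rooted at path.

    sshd keeps the first value it reads for a keyword; later occurrences are
    ignored.  `Include` is expanded in place, in sorted glob order, which is
    what makes the position of the Include line decisive.  Keywords are
    case-insensitive and may be written `Keyword value` or `Keyword=value`.
    """
    if seen is None:
        seen = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            tokens = line.split(None, 1)
            key, value = tokens[0], (tokens[1] if len(tokens) > 1 else "")
            if "=" in key:                          # Keyword=value form
                key, eq_value = key.split("=", 1)
                value = (eq_value + " " + value).strip()
            key = key.lower()
            if key == "include":
                for pattern in shlex.split(value):
                    if not os.path.isabs(pattern):
                        # Simplification: sshd resolves relative patterns
                        # against /etc/ssh; here we use the includer's dir.
                        pattern = os.path.join(os.path.dirname(path), pattern)
                    for included in sorted(glob.glob(pattern)):
                        parse_sshd_config(included, seen)
                continue
            if key == "match":
                # Everything after a Match block is conditional on the
                # connection; a global resolver stops here.
                break
            seen.setdefault(key, value)             # first value wins
    return seen


def resolve_layout(include_first=True):
    """Build a constructed /etc/ssh-style tree in a temp dir and resolve it.

    include_first=True places the Include line at the top of sshd_config
    (the layout mainline distributions and the patchset rely on);
    include_first=False places it last, which silently defeats the snippets.
    """
    include_line = "Include sshd_config.d/*.conf\n"
    main_directives = ("PermitRootLogin prohibit-password\n"
                       "PasswordAuthentication yes\n")
    files = {
        "sshd_config": (include_line + main_directives if include_first
                        else main_directives + include_line),
        # Constructed snippet contents; names follow the cover letter.
        "sshd_config.d/60-allow-root-login.conf": "PermitRootLogin yes\n",
        "sshd_config.d/80-oe.conf": "UsePAM yes\nX11Forwarding no\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        for name, content in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(content)
        return parse_sshd_config(os.path.join(root, "sshd_config"))


if __name__ == "__main__":
    for first in (True, False):
        cfg = resolve_layout(include_first=first)
        print("Include first" if first else "Include last ",
              "-> PermitRootLogin =", cfg["permitrootlogin"])
```

With the Include at the top, the `60-allow-root-login.conf` snippet decides `PermitRootLogin` and the main file's `prohibit-password` is ignored; with the Include at the bottom the snippet is read too late and has no effect, even though the file is present and syntactically valid. On a real image the equivalent check is `sshd -T`, which prints the effective configuration after all includes have been resolved, and is the thing to diff before and after installing one of the feature subpackages.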