[arch-commits] Commit in openssh/repos/testing-x86_64 (16 files)
Giancarlo Razzolini
grazzolini at archlinux.org
Fri Oct 2 16:42:08 UTC 2020
Date: Friday, October 2, 2020 @ 16:42:07
Author: grazzolini
Revision: 397082
archrelease: copy trunk to testing-x86_64
Added:
openssh/repos/testing-x86_64/PKGBUILD
(from rev 397081, openssh/trunk/PKGBUILD)
openssh/repos/testing-x86_64/glibc-2.31.patch
(from rev 397081, openssh/trunk/glibc-2.31.patch)
openssh/repos/testing-x86_64/install
(from rev 397081, openssh/trunk/install)
openssh/repos/testing-x86_64/sshd.conf
(from rev 397081, openssh/trunk/sshd.conf)
openssh/repos/testing-x86_64/sshd.pam
(from rev 397081, openssh/trunk/sshd.pam)
openssh/repos/testing-x86_64/sshd.service
(from rev 397081, openssh/trunk/sshd.service)
openssh/repos/testing-x86_64/sshdgenkeys.service
(from rev 397081, openssh/trunk/sshdgenkeys.service)
Deleted:
openssh/repos/testing-x86_64/3122.patch
openssh/repos/testing-x86_64/67290.patch
openssh/repos/testing-x86_64/PKGBUILD
openssh/repos/testing-x86_64/glibc-2.31.patch
openssh/repos/testing-x86_64/install
openssh/repos/testing-x86_64/sshd.conf
openssh/repos/testing-x86_64/sshd.pam
openssh/repos/testing-x86_64/sshd.service
openssh/repos/testing-x86_64/sshdgenkeys.service
---------------------+
3122.patch | 98 ----------------------
67290.patch | 49 -----------
PKGBUILD | 220 +++++++++++++++++++++++---------------------------
glibc-2.31.patch | 200 ++++++++++++++++++++++-----------------------
install | 64 +++++++-------
sshd.conf | 2
sshd.pam | 12 +-
sshd.service | 28 +++---
sshdgenkeys.service | 30 +++---
9 files changed, 272 insertions(+), 431 deletions(-)
Deleted: 3122.patch
===================================================================
--- 3122.patch 2020-10-02 16:41:02 UTC (rev 397081)
+++ 3122.patch 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,98 +0,0 @@
-diff -Naur old/servconf.c new/servconf.c
---- old/servconf.c 2020-05-26 14:38:00.000000000 -1000
-+++ new/servconf.c 2020-07-16 10:14:14.076284901 -1000
-@@ -550,6 +550,7 @@
- #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
- #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
- #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
-+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
-
- /* Textual representation of the tokens. */
- static struct {
-@@ -1259,7 +1260,7 @@
- static int
- process_server_config_line_depth(ServerOptions *options, char *line,
- const char *filename, int linenum, int *activep,
-- struct connection_info *connectinfo, int inc_flags, int depth,
-+ struct connection_info *connectinfo, int *inc_flags, int depth,
- struct include_list *includes)
- {
- char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
-@@ -2002,7 +2003,9 @@
- parse_server_config_depth(options,
- item->filename, item->contents,
- includes, connectinfo,
-- (oactive ? 0 : SSHCFG_NEVERMATCH),
-+ (*inc_flags & SSHCFG_MATCH_ONLY
-+ ? SSHCFG_MATCH_ONLY : (oactive
-+ ? 0 : SSHCFG_NEVERMATCH)),
- activep, depth + 1);
- }
- found = 1;
-@@ -2050,7 +2053,9 @@
- parse_server_config_depth(options,
- item->filename, item->contents,
- includes, connectinfo,
-- (oactive ? 0 : SSHCFG_NEVERMATCH),
-+ (*inc_flags & SSHCFG_MATCH_ONLY
-+ ? SSHCFG_MATCH_ONLY : (oactive
-+ ? 0 : SSHCFG_NEVERMATCH)),
- activep, depth + 1);
- *activep = oactive;
- TAILQ_INSERT_TAIL(includes, item, entry);
-@@ -2068,11 +2073,14 @@
- if (cmdline)
- fatal("Match directive not supported as a command-line "
- "option");
-- value = match_cfg_line(&cp, linenum, connectinfo);
-+ value = match_cfg_line(&cp, linenum,
-+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
- if (value < 0)
- fatal("%s line %d: Bad Match condition", filename,
- linenum);
-- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+ /* The MATCH_ONLY is applicable only until the first match block */
-+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
- break;
-
- case sPermitListen:
-@@ -2375,8 +2383,10 @@
- const char *filename, int linenum, int *activep,
- struct connection_info *connectinfo, struct include_list *includes)
- {
-+ int inc_flags = 0;
-+
- return process_server_config_line_depth(options, line, filename,
-- linenum, activep, connectinfo, 0, 0, includes);
-+ linenum, activep, connectinfo, &inc_flags, 0, includes);
- }
-
-
-@@ -2581,14 +2591,15 @@
- if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
- fatal("Too many recursive configuration includes");
-
-- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
-+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
-+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
-
- if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
- fatal("%s: sshbuf_dup_string failed", __func__);
- linenum = 1;
- while ((cp = strsep(&cbuf, "\n")) != NULL) {
- if (process_server_config_line_depth(options, cp,
-- filename, linenum++, activep, connectinfo, flags,
-+ filename, linenum++, activep, connectinfo, &flags,
- depth, includes) != 0)
- bad_options++;
- }
-@@ -2606,7 +2617,7 @@
- {
- int active = connectinfo ? 0 : 1;
- parse_server_config_depth(options, filename, conf, includes,
-- connectinfo, 0, &active, 0);
-+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
- }
-
- static const char *
Deleted: 67290.patch
===================================================================
--- 67290.patch 2020-10-02 16:41:02 UTC (rev 397081)
+++ 67290.patch 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,49 +0,0 @@
-From c514f3c0522855b4d548286eaa113e209051a6d2 Mon Sep 17 00:00:00 2001
-From: "djm at openbsd.org" <djm at openbsd.org>
-Date: Thu, 18 Jun 2020 23:33:38 +0000
-Subject: upstream: avoid spurious "Unable to load host key" message when
-
-sshd can load a private key but no public counterpart; with & ok markus@
-
-OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
----
- authfile.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/authfile.c b/authfile.c
-index 35ccf576..946f50ca 100644
---- a/authfile.c
-+++ b/authfile.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: authfile.c,v 1.140 2020/04/17 07:15:11 djm Exp $ */
-+/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
- /*
- * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
- *
-@@ -263,7 +263,7 @@ int
- sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
- {
- char *pubfile = NULL;
-- int r;
-+ int r, oerrno;
-
- if (keyp != NULL)
- *keyp = NULL;
-@@ -283,8 +283,14 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
- if ((r = sshkey_load_pubkey_from_private(filename, keyp)) == 0)
- goto out;
-
-+ /* Pretend we couldn't find the key */
-+ r = SSH_ERR_SYSTEM_ERROR;
-+ errno = ENOENT;
-+
- out:
-+ oerrno = errno;
- free(pubfile);
-+ errno = oerrno;
- return r;
- }
-
---
-cgit v1.2.3
-
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2020-10-02 16:41:02 UTC (rev 397081)
+++ PKGBUILD 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,116 +0,0 @@
-# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
-# Contributor: Gaetan Bisson <bisson at archlinux.org>
-# Contributor: Aaron Griffin <aaron at archlinux.org>
-# Contributor: judd <jvinet at zeroflux.org>
-
-pkgname=openssh
-pkgver=8.3p1
-pkgrel=5
-pkgdesc='Premier connectivity tool for remote login with the SSH protocol'
-url='https://www.openssh.com/portable.html'
-license=('custom:BSD')
-arch=('x86_64')
-depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt' 'libcrypt.so' 'zlib' 'pam')
-makedepends=('linux-headers' 'libfido2')
-checkdepends=('inetutils')
-optdepends=('xorg-xauth: X11 forwarding'
- 'x11-ssh-askpass: input passphrase in X'
- 'libfido2: FIDO/U2F support')
-validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
-#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
-source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
- '67290.patch'
- '3122.patch'
- 'sshdgenkeys.service'
- 'sshd.service'
- 'sshd.conf'
- 'sshd.pam'
- 'glibc-2.31.patch')
-sha256sums=('f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2'
- 'SKIP'
- '3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5'
- 'a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659'
- '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
- 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
- '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
- '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846'
- '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93')
-
-backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
-
-install=install
-
-prepare() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- # Fix FS#67290
- # From https://anongit.mindrot.org/openssh.git/patch/?id=c514f3c0522855b4d548286eaa113e209051a6d2
- patch -p1 -i ../67290.patch
-
- # Fix https://bugzilla.mindrot.org/show_bug.cgi?id=3122
- # Backported from https://anongit.mindrot.org/openssh.git/patch/?id=7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01'
- patch -p1 -i ../3122.patch
-
- patch -p1 -i ../glibc-2.31.patch
- autoreconf
-}
-
-build() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --libexecdir=/usr/lib/ssh \
- --sysconfdir=/etc/ssh \
- --disable-strip \
- --with-ldns \
- --with-libedit \
- --with-security-key-builtin \
- --with-ssl-engine \
- --with-pam \
- --with-privsep-user=nobody \
- --with-kerberos5=/usr \
- --with-xauth=/usr/bin/xauth \
- --with-md5-passwords \
- --with-pid-dir=/run \
- --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
-
- make
-}
-
-check() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- # Tests require openssh to be already installed system-wide,
- # also connectivity tests will fail under makechrootpkg since
- # it runs as nobody which has /bin/false as login shell.
-
- if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
- make tests
- fi
-}
-
-package() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- make DESTDIR="${pkgdir}" install
-
- ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
- install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
-
- install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
- install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
- install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
- install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
-
- install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
- install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
- install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
-
- sed \
- -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
- -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
- -e '/^#UsePAM no$/c UsePAM yes' \
- -i "${pkgdir}"/etc/ssh/sshd_config
-}
Copied: openssh/repos/testing-x86_64/PKGBUILD (from rev 397081, openssh/trunk/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,104 @@
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Contributor: Gaetan Bisson <bisson at archlinux.org>
+# Contributor: Aaron Griffin <aaron at archlinux.org>
+# Contributor: judd <jvinet at zeroflux.org>
+
+pkgname=openssh
+pkgver=8.4p1
+pkgrel=1
+pkgdesc='Premier connectivity tool for remote login with the SSH protocol'
+url='https://www.openssh.com/portable.html'
+license=('custom:BSD')
+arch=('x86_64')
+depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt' 'libcrypt.so' 'zlib' 'pam')
+makedepends=('linux-headers' 'libfido2')
+checkdepends=('inetutils')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X'
+ 'libfido2: FIDO/U2F support')
+validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
+#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
+source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+ 'sshdgenkeys.service'
+ 'sshd.service'
+ 'sshd.conf'
+ 'sshd.pam'
+ 'glibc-2.31.patch')
+sha256sums=('5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24'
+ 'SKIP'
+ '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
+ 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
+ '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
+ '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846'
+ '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ patch -p1 -i ../glibc-2.31.patch
+ autoreconf
+}
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --disable-strip \
+ --with-ldns \
+ --with-libedit \
+ --with-security-key-builtin \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+ --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
+
+ make
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ # Tests require openssh to be already installed system-wide,
+ # also connectivity tests will fail under makechrootpkg since
+ # it runs as nobody which has /bin/false as login shell.
+
+ if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
+ make tests
+ fi
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
Deleted: glibc-2.31.patch
===================================================================
--- glibc-2.31.patch 2020-10-02 16:41:02 UTC (rev 397081)
+++ glibc-2.31.patch 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,100 +0,0 @@
-From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker at dtucker.net>
-Date: Wed, 13 Nov 2019 23:19:35 +1100
-Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
-
-seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
-glibc. Patch from Jakub Jelen <jjelen at redhat.com> via bz #3093.
----
- sandbox-seccomp-filter.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..96ab141f7 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker at dtucker.net>
-Date: Wed, 13 Nov 2019 23:27:31 +1100
-Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
-
----
- sandbox-seccomp-filter.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 96ab141f7..be2397671 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
--#ifdef __NR_clock_nanosleep
-- SC_ALLOW(__NR_clock_nanosleep),
--#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker at dtucker.net>
-Date: Mon, 16 Dec 2019 13:55:56 +1100
-Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
-
-Needed on Linux ARM. bz#3100, patch from jjelen at redhat.com.
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index be2397671..3ef30c9d5 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem at gmail.com>
-Date: Tue, 7 Jan 2020 16:26:45 -0800
-Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
-
-This helps sshd accept connections on mips platforms with
-upcoming glibc ( 2.31 )
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3ef30c9d5..999c46c9f 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep_time64
- SC_ALLOW(__NR_clock_nanosleep_time64),
- #endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
Copied: openssh/repos/testing-x86_64/glibc-2.31.patch (from rev 397081, openssh/trunk/glibc-2.31.patch)
===================================================================
--- glibc-2.31.patch (rev 0)
+++ glibc-2.31.patch 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,100 @@
+From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker at dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc. Patch from Jakub Jelen <jjelen at redhat.com> via bz #3093.
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker at dtucker.net>
+Date: Wed, 13 Nov 2019 23:27:31 +1100
+Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
+
+---
+ sandbox-seccomp-filter.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 96ab141f7..be2397671 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
+-#ifdef __NR_clock_nanosleep
+- SC_ALLOW(__NR_clock_nanosleep),
+-#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker at dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM. bz#3100, patch from jjelen at redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem at gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
Deleted: install
===================================================================
--- install 2020-10-02 16:41:02 UTC (rev 397081)
+++ install 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,32 +0,0 @@
-pre_upgrade() {
- # Remove socket activation. See: https://bugs.archlinux.org/task/62248
- if (( $(vercmp $2 8.0p1-3) < 0 )); then
- if systemctl is-enabled -q sshd.socket; then
- cat <<EOF
-==> This package no longer provides sshd.socket and sshd at .service;
-==> copies of those files will be placed under /etc/systemd/system
-==> but please migrate to sshd.service whenever possible.
-EOF
- src=/usr/lib/systemd/system
- dst=/etc/systemd/system
- for i in sshd.socket sshd\@.service; do
- if [[ ! -e "$dst/$i" ]]; then
- cp -v "$src/$i" "$dst/$i"
- fi
- done
- systemctl reenable sshd.socket
- fi
- fi
-}
-
-post_upgrade() {
- if (( $(vercmp $2 8.2p1-3) < 0 )); then
- if systemctl is-active sshd.service >/dev/null; then
- cat <<EOF
-==> After this upgrade, your existing SSH daemon may be unable to accept
-==> new connections. To fix this, your SSH daemon will now be restarted.
-EOF
- systemctl restart sshd.service
- fi
- fi
-}
Copied: openssh/repos/testing-x86_64/install (from rev 397081, openssh/trunk/install)
===================================================================
--- install (rev 0)
+++ install 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,32 @@
+pre_upgrade() {
+ # Remove socket activation. See: https://bugs.archlinux.org/task/62248
+ if (( $(vercmp $2 8.0p1-3) < 0 )); then
+ if systemctl is-enabled -q sshd.socket; then
+ cat <<EOF
+==> This package no longer provides sshd.socket and sshd at .service;
+==> copies of those files will be placed under /etc/systemd/system
+==> but please migrate to sshd.service whenever possible.
+EOF
+ src=/usr/lib/systemd/system
+ dst=/etc/systemd/system
+ for i in sshd.socket sshd\@.service; do
+ if [[ ! -e "$dst/$i" ]]; then
+ cp -v "$src/$i" "$dst/$i"
+ fi
+ done
+ systemctl reenable sshd.socket
+ fi
+ fi
+}
+
+post_upgrade() {
+ if (( $(vercmp $2 8.2p1-3) < 0 )); then
+ if systemctl is-active sshd.service >/dev/null; then
+ cat <<EOF
+==> After this upgrade, your existing SSH daemon may be unable to accept
+==> new connections. To fix this, your SSH daemon will now be restarted.
+EOF
+ systemctl restart sshd.service
+ fi
+ fi
+}
Deleted: sshd.conf
===================================================================
--- sshd.conf 2020-10-02 16:41:02 UTC (rev 397081)
+++ sshd.conf 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1 +0,0 @@
-d /var/empty 0755 root root
Copied: openssh/repos/testing-x86_64/sshd.conf (from rev 397081, openssh/trunk/sshd.conf)
===================================================================
--- sshd.conf (rev 0)
+++ sshd.conf 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1 @@
+d /var/empty 0755 root root
Deleted: sshd.pam
===================================================================
--- sshd.pam 2020-10-02 16:41:02 UTC (rev 397081)
+++ sshd.pam 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,6 +0,0 @@
-#%PAM-1.0
-#auth required pam_securetty.so #disable remote root
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login
Copied: openssh/repos/testing-x86_64/sshd.pam (from rev 397081, openssh/trunk/sshd.pam)
===================================================================
--- sshd.pam (rev 0)
+++ sshd.pam 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth required pam_securetty.so #disable remote root
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
Deleted: sshd.service
===================================================================
--- sshd.service 2020-10-02 16:41:02 UTC (rev 397081)
+++ sshd.service 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,14 +0,0 @@
-[Unit]
-Description=OpenSSH Daemon
-Wants=sshdgenkeys.service
-After=sshdgenkeys.service
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/sshd -D
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
Copied: openssh/repos/testing-x86_64/sshd.service (from rev 397081, openssh/trunk/sshd.service)
===================================================================
--- sshd.service (rev 0)
+++ sshd.service 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
Deleted: sshdgenkeys.service
===================================================================
--- sshdgenkeys.service 2020-10-02 16:41:02 UTC (rev 397081)
+++ sshdgenkeys.service 2020-10-02 16:42:07 UTC (rev 397082)
@@ -1,15 +0,0 @@
-[Unit]
-Description=SSH Key Generation
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
-ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
-ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
-ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
-ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
-
-[Service]
-ExecStart=/usr/bin/ssh-keygen -A
-Type=oneshot
-RemainAfterExit=yes
Copied: openssh/repos/testing-x86_64/sshdgenkeys.service (from rev 397081, openssh/trunk/sshdgenkeys.service)
===================================================================
--- sshdgenkeys.service (rev 0)
+++ sshdgenkeys.service 2020-10-02 16:42:07 UTC (rev 397082)
@@ -0,0 +1,15 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
More information about the arch-commits
mailing list