Message ID | 20240716141639.1564355-2-jose.quaresma@foundries.io
---|---
State | New
Series | [v5,1/3] openssh: drop rejected patch fixed in 8.6p1 release
Actually, I narrowed down my problem of disconnection to this patch in the series. Earlier I thought it might be related to the openssh upgrade patch, but reverting that still causes the problem, whereas when this patch is reverted the problem is gone.

On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>
> Still side effects of the XZ backdoor. The systemd sd-notify patch
> was rejected [1] upstream and a standalone implementation
> that does not depend on libsystemd was chosen instead [2].
>
> Rationale [1]:
>
> License incompatibility and library bloatedness were the reasons.
> Given recent events we're never going to take a dependency on libsystemd,
> though we might implement the notification protocol ourselves if it isn't too much work.
>
> [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729
> [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
>
> v4:
> - split update of Upstream-Status into new patches in the series
>
> v5:
> - use the upstream solution
>
>  ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++
>  ...tional-support-for-systemd-sd_notify.patch |  96 --------
>  .../openssh/openssh/sshd.service              |   2 +-
>  .../openssh/openssh/sshd@.service             |   1 +
>  .../openssh/openssh_9.7p1.bb                  |   4 +-
>  5 files changed, 228 insertions(+), 100 deletions(-)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
> new file mode 100644
> index 0000000000..4925c969fe
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch 
> @@ -0,0 +1,225 @@ > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > +From: Damien Miller <djm@mindrot.org> > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > +Subject: [PATCH] notify systemd on listen and reload > + > +Standalone implementation that does not depend on libsystemd. > +With assistance from Luca Boccassi, and feedback/testing from Colin > +Watson. bz2641 > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > +--- > + configure.ac | 1 + > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > + openbsd-compat/port-linux.h | 5 ++ > + platform.c | 11 +++++ > + platform.h | 1 + > + sshd.c | 2 + > + 6 files changed, 115 insertions(+), 2 deletions(-) > + > +diff --git a/configure.ac b/configure.ac > +index 82e8bb7c1..854f92b5b 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > + AC_DEFINE([USE_BTMP]) > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > + inet6_default_4in6=yes > + case `uname -r` in > + 1.*|2.0.*) > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 0457e28d0..df7290246 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -21,16 +21,23 @@ > + > + #include "includes.h" > + > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > ++ defined(SYSTEMD_NOTIFY) > ++#include <sys/socket.h> > ++#include <sys/un.h> > ++ > + #include <errno.h> > ++#include <inttypes.h> > + #include <stdarg.h> > + #include <string.h> > + #include <stdio.h> > + #include <stdlib.h> > 
++#include <time.h> > + > + #include "log.h" > + #include "xmalloc.h" > + #include "port-linux.h" > ++#include "misc.h" > + > + #ifdef WITH_SELINUX > + #include <selinux/selinux.h> > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > + return; > + } > + #endif /* LINUX_OOM_ADJUST */ > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > ++ > ++#ifdef SYSTEMD_NOTIFY > ++ > ++static void ssh_systemd_notify(const char *, ...) > ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > ++ > ++static void > ++ssh_systemd_notify(const char *fmt, ...) > ++{ > ++ char *s = NULL; > ++ const char *path; > ++ struct stat sb; > ++ struct sockaddr_un addr; > ++ int fd = -1; > ++ va_list ap; > ++ > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > ++ return; > ++ > ++ va_start(ap, fmt); > ++ xvasprintf(&s, fmt, ap); > ++ va_end(ap); > ++ > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > ++ if (path[0] != '/' && path[0] != '@') { > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > ++ goto out; > ++ } > ++ > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ > ++ memset(&addr, 0, sizeof(addr)); > ++ addr.sun_family = AF_UNIX; > ++ if (strlcpy(addr.sun_path, path, > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > ++ error_f("socket path \"%s\" too long", path); > ++ goto out; > ++ } > ++ /* Support for abstract socket */ > ++ if (addr.sun_path[0] == '@') > ++ addr.sun_path[0] = 0; > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ 
debug_f("socket \"%s\" notified %s", path, s); > ++ out: > ++ if (fd != -1) > ++ close(fd); > ++ free(s); > ++} > ++ > ++void > ++ssh_systemd_notify_ready(void) > ++{ > ++ ssh_systemd_notify("READY=1"); > ++} > ++ > ++void > ++ssh_systemd_notify_reload(void) > ++{ > ++ struct timespec now; > ++ > ++ monotime_ts(&now); > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > ++ error_f("monotime returned negative value"); > ++ ssh_systemd_notify("RELOADING=1"); > ++ } else { > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > ++ } > ++} > ++#endif /* SYSTEMD_NOTIFY */ > ++ > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > +index 3c22a854d..14064f87d 100644 > +--- a/openbsd-compat/port-linux.h > ++++ b/openbsd-compat/port-linux.h > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > + void oom_adjust_setup(void); > + #endif > + > ++#ifdef SYSTEMD_NOTIFY > ++void ssh_systemd_notify_ready(void); > ++void ssh_systemd_notify_reload(void); > ++#endif > ++ > + #endif /* ! 
_PORT_LINUX_H */ > +diff --git a/platform.c b/platform.c > +index 4fe8744ee..9cf818153 100644 > +--- a/platform.c > ++++ b/platform.c > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > + #endif > + } > + > ++void > ++platform_post_listen(void) > ++{ > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_ready(); > ++#endif > ++} > ++ > + void > + platform_pre_fork(void) > + { > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > + void > + platform_pre_restart(void) > + { > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_reload(); > ++#endif > + #ifdef LINUX_OOM_ADJUST > + oom_adjust_restore(); > + #endif > +diff --git a/platform.h b/platform.h > +index 7fef8c983..5dec23276 100644 > +--- a/platform.h > ++++ b/platform.h > +@@ -21,6 +21,7 @@ > + void platform_pre_listen(void); > + void platform_pre_fork(void); > + void platform_pre_restart(void); > ++void platform_post_listen(void); > + void platform_post_fork_parent(pid_t child_pid); > + void platform_post_fork_child(void); > + int platform_privileged_uidswap(void); > +diff --git a/sshd.c b/sshd.c > +index b4f2b9742..865331b46 100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > + ssh_signal(SIGTERM, sigterm_handler); > + ssh_signal(SIGQUIT, sigterm_handler); > + > ++ platform_post_listen(); > ++ > + /* > + * Write out the pid file after the sigterm handler > + * is setup and the listen sockets are bound > +-- > +2.45.2 > + > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > deleted file mode 100644 > index f079d936a4..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > +++ /dev/null 
> @@ -1,96 +0,0 @@ > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > - > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > - > -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] > - > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > ---- > - configure.ac | 24 ++++++++++++++++++++++++ > - sshd.c | 13 +++++++++++++ > - 2 files changed, 37 insertions(+) > - > -diff --git a/configure.ac b/configure.ac > -index 82e8bb7..d1145d3 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > - AC_SUBST([K5LIBS]) > - AC_SUBST([CHANNELLIBS]) > - > -+# Check whether user wants systemd support > -+SYSTEMD_MSG="no" > -+AC_ARG_WITH(systemd, > -+ [ --with-systemd Enable systemd support], > -+ [ if test "x$withval" != "xno" ; then > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > -+ if test "$PKGCONFIG" != "no"; then > -+ AC_MSG_CHECKING([for libsystemd]) > -+ if $PKGCONFIG --exists libsystemd; then > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > -+ AC_MSG_RESULT([yes]) > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) > -+ SYSTEMD_MSG="yes" > -+ else > -+ AC_MSG_RESULT([no]) > -+ fi > -+ fi > -+ fi ] > -+) > -+ > - # Looking for programs, paths and files > - > - PRIVSEP_PATH=/var/empty > -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" > - echo " Solaris process contract support: $SPC_MSG" > - echo " Solaris project support: $SP_MSG" > - echo " Solaris privilege support: $SPP_MSG" > -+echo " systemd support: $SYSTEMD_MSG" 
> - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > - echo " BSD Auth support: $BSD_AUTH_MSG" > -diff --git a/sshd.c b/sshd.c > -index b4f2b97..6820a41 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -88,6 +88,10 @@ > - #include <prot.h> > - #endif > - > -+#ifdef HAVE_SYSTEMD > -+#include <systemd/sd-daemon.h> > -+#endif > -+ > - #include "xmalloc.h" > - #include "ssh.h" > - #include "ssh2.h" > -@@ -308,6 +312,10 @@ static void > - sighup_restart(void) > - { > - logit("Received SIGHUP; restarting."); > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are reloading */ > -+ sd_notify(0, "RELOADING=1"); > -+#endif > - if (options.pid_file != NULL) > - unlink(options.pid_file); > - platform_pre_restart(); > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > - } > - } > - > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are ready to accept connections */ > -+ sd_notify(0, "READY=1"); > -+#endif > -+ > - /* Accept a connection and return in a forked child */ > - server_accept_loop(&sock_in, &sock_out, > - &newsock, config_s); > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service > index 3e570ab1e5..c71fff1cc1 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > After=nss-user-lookup.target > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > KillMode=process > Restart=on-failure > RestartSec=42s > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service > index 9d9965e624..dcfec8f054 100644 
> --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > After=sshdgenkeys.service > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > index 4f20616295..4680d12be5 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://run-ptest \ > file://sshd_check_keys \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > + file://0001-notify-systemd-on-listen-and-reload.patch \ > file://CVE-2024-6387.patch \ > " > SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" > > inherit autotools-brokensep ptest pkgconfig > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" > > # systemd-sshd-socket-mode means installing sshd.socket > # and systemd-sshd-service-mode corresponding to sshd.service 
> @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > --sysconfdir=${sysconfdir}/ssh \ > --with-xauth=${bindir}/xauth \ > --disable-strip \ > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ > " > > # musl doesn't implement wtmp/utmp and logwtmp > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202116): https://lists.openembedded.org/g/openembedded-core/message/202116 > Mute This Topic: https://lists.openembedded.org/mt/107252588/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
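Review bot: in the embedded port-linux.c hunk (@@ -310,4 +317,90 @@ inside the new 0001-notify-systemd-on-listen-and-reload.patch) the abstract-socket branch rewrites the leading '@' to a NUL byte and then calls connect(fd, &addr, sizeof(addr)); for abstract names the kernel treats every byte up to the supplied length as part of the name, so the zero padding after the name is included and a manager that bound its abstract socket with the exact length (offsetof(struct sockaddr_un, sun_path) + strlen(path)) is not matched. Pass that exact length in the '@' case; the filesystem-path case is unaffected. The same call also hands a struct sockaddr_un * to a parameter declared const struct sockaddr *, so add a (struct sockaddr *) cast: glibc's prototype tolerates this, but other libcs (the recipe also builds for musl) and newer GCC defaults do not. Both lines are upstream's, so the fix belongs upstream, with the backport carrying it until then.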
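Review bot: in the sshd.service hunk (@@ -5,11 +5,11 @@) the removal of ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID is consistent with Type=notify-reload, under which the manager itself signals the main process on reload and waits for the RELOADING=1 / READY=1 pair, but nothing in the commit message says so and the diff alone reads as if reload support were being dropped. Add a sentence explaining that reload now relies on the notifications the embedded patch sends from platform_pre_restart() (reached from sighup_restart(), as the deleted patch's context shows) and platform_post_listen(), and that a manual kill -HUP still works because sshd's own SIGHUP handling is unchanged.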
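Review bot: in the sshd@.service hunk (@@ -3,6 +3,7 @@) Type=notify-reload is applied to the per-connection unit, which runs sshd -i. The embedded sshd.c hunk (@@ -2077,6 +2077,8 @@) places platform_post_listen(), the only caller of ssh_systemd_notify_ready(), in the listening path right before the pid file is written, and an inetd-mode sshd never gets there, so this instance never sends READY=1. systemd then keeps the unit in the activating state until the start timeout expires and kills the whole cgroup, session included, which is the disconnection reported at the top of this thread. Drop the Type= line from sshd@.service (leaving the default service type) and keep notify-reload for sshd.service only.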
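Review bot: with the --with-systemd/--without-systemd line gone from EXTRA_OECONF (@@ -78,7 +77,6 @@) and the systemd DEPENDS gone (@@ -52,7 +52,6 @@), nothing in the recipe gates the notification code any more: the embedded configure.ac hunk defines SYSTEMD_NOTIFY unconditionally in the Linux case, so every build carries it whether or not systemd is in DISTRO_FEATURES, and the only remaining gate is NOTIFY_SOCKET in sshd's environment at run time (ssh_systemd_notify() returns before touching any socket when it is unset or empty). That is a reasonable default, but it is a behaviour change for non-systemd images and deserves a sentence in the commit message.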
Khem Raj <raj.khem@gmail.com> wrote (Wednesday, 17/07/2024 at 07:38):
> actually I narrowed down my problem of disconnection to this patch in
> the series. Earlier I thought it might be related to the openssh
> upgrade patch
> but reverting that still causes the problem but this patch when
> reverted, the problem is gone.

I will jump on this today and try to find the root cause.
The ptest goes well in my local tests but I didn't do anything with testimage.
I'll see if the testimage picks up something.

Thanks for the feedback.

Jose

> On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via
> lists.openembedded.org
> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> >
> > Still side effects of the XZ backdoor. The systemd sd-notify patch
> > was rejected [1] upstream and a standalone implementation
> > that does not depend on libsystemd was chosen instead [2].
> >
> > Rationale [1]:
> >
> > License incompatibility and library bloatedness were the reasons.
> > Given recent events we're never going to take a dependency on libsystemd,
> > though we might implement the notification protocol ourselves if it
> > isn't too much work.
> >
> > [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729
> > [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
I think the problem might be related to the "+Type=notify-reload" change in sshd@.service. It's in inetd mode, so the upstream change about SYSTEMD_NOTIFY should have nothing to do with it.
I also doubt whether the following line should be removed from sshd.service.

-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID

Regards,
Qi

On 7/17/24 16:46, Jose Quaresma wrote:
>
> Khem Raj <raj.khem@gmail.com> wrote (Wednesday, 17/07/2024 at 07:38):
>
> actually I narrowed down my problem of disconnection to this patch in
> the series. Earlier I thought it might be related to the openssh
> upgrade patch, but reverting that still causes the problem, whereas when
> this patch is reverted the problem is gone.
>
> I will jump on this today and try to find the root cause.
> The ptest goes well in my local tests but I didn't do anything with
> testimage.
> I'll see if the testimage picks up something.
>
> Thanks for the feedback.
>
> Jose
>
> On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org
> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> >
> > Still side effects of the XZ backdoor. The systemd sd-notify patch
> > was rejected [1] upstream and a standalone implementation that does
> > not depend on libsystemd was chosen [2].
> >
> > Rationale [1]:
> >
> > License incompatibility and library bloatedness were the reasons.
> > Given recent events we're never going to take a dependency on libsystemd,
> > though we might implement the notification protocol ourselves if it isn't too much work.
> > > > [1] > https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729 > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375*issuecomment-2027749729__;Iw!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BXB1d9mL$> > > [2] > https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$> > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > > > v4: > > - split update of Upstream-Status in new patches in the serie > > > > v5: > > - use the upstream solution > > > > ...-notify-systemd-on-listen-and-reload.patch | 225 > ++++++++++++++++++ > > ...tional-support-for-systemd-sd_notify.patch | 96 -------- > > .../openssh/openssh/sshd.service | 2 +- > > .../openssh/openssh/sshd@.service | 1 + > > .../openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > | 4 +- > > 5 files changed, 228 insertions(+), 100 deletions(-) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > delete mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch > > new file mode 100644 > > index 0000000000..4925c969fe > > --- /dev/null > > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch 
> > @@ -0,0 +1,225 @@ > > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 > 00:00:00 2001 > > +From: Damien Miller <djm@mindrot.org> > > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > > +Subject: [PATCH] notify systemd on listen and reload > > + > > +Standalone implementation that does not depend on libsystemd. > > +With assistance from Luca Boccassi, and feedback/testing from Colin > > +Watson. bz2641 > > + > > +Upstream-Status: Backport > [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$>] > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > +--- > > + configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 1 + > > + openbsd-compat/port-linux.c | 97 > ++++++++++++++++++++++++++++++++++++- > > + openbsd-compat/port-linux.h | 5 ++ > > + platform.c | 11 +++++ > > + platform.h | 1 + > > + sshd.c | 2 + > > + 6 files changed, 115 insertions(+), 2 deletions(-) > > + > > +diff --git a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +index 82e8bb7c1..854f92b5b 100644 > > +--- a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > ++++ b/configure.ac > 
<https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > +@@ -915,6 +915,7 @@ int main(void) { if > (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad > login attempts]) > > + AC_DEFINE([USE_BTMP]) > > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux > out-of-memory killer]) > > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify > systemd on start/reload]) > > + inet6_default_4in6=yes > > + case `uname -r` in > > + 1.*|2.0.*) > > +diff --git a/openbsd-compat/port-linux.c > b/openbsd-compat/port-linux.c > > +index 0457e28d0..df7290246 100644 > > +--- a/openbsd-compat/port-linux.c > > ++++ b/openbsd-compat/port-linux.c > > +@@ -21,16 +21,23 @@ > > + > > + #include "includes.h" > > + > > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > > ++ defined(SYSTEMD_NOTIFY) > > ++#include <sys/socket.h> > > ++#include <sys/un.h> > > ++ > > + #include <errno.h> > > ++#include <inttypes.h> > > + #include <stdarg.h> > > + #include <string.h> > > + #include <stdio.h> > > + #include <stdlib.h> > > ++#include <time.h> > > + > > + #include "log.h" > > + #include "xmalloc.h" > > + #include "port-linux.h" > > ++#include "misc.h" > > + > > + #ifdef WITH_SELINUX > > + #include <selinux/selinux.h> > > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > > + return; > > + } > > + #endif /* LINUX_OOM_ADJUST */ > > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > > ++ > > ++#ifdef SYSTEMD_NOTIFY > > ++ > > ++static void ssh_systemd_notify(const char *, ...) > > ++ __attribute__((__format__ (printf, 1, 2))) > __attribute__((__nonnull__ (1))); > > ++ > > ++static void > > ++ssh_systemd_notify(const char *fmt, ...) 
> > ++{ > > ++ char *s = NULL; > > ++ const char *path; > > ++ struct stat sb; > > ++ struct sockaddr_un addr; > > ++ int fd = -1; > > ++ va_list ap; > > ++ > > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || > strlen(path) == 0) > > ++ return; > > ++ > > ++ va_start(ap, fmt); > > ++ xvasprintf(&s, fmt, ap); > > ++ va_end(ap); > > ++ > > ++ /* Only AF_UNIX is supported, with path or abstract > sockets */ > > ++ if (path[0] != '/' && path[0] != '@') { > > ++ error_f("socket \"%s\" is not compatible with > AF_UNIX", path); > > ++ goto out; > > ++ } > > ++ > > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > > ++ error_f("socket \"%s\" stat: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ > > ++ memset(&addr, 0, sizeof(addr)); > > ++ addr.sun_family = AF_UNIX; > > ++ if (strlcpy(addr.sun_path, path, > > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > > ++ error_f("socket path \"%s\" too long", path); > > ++ goto out; > > ++ } > > ++ /* Support for abstract socket */ > > ++ if (addr.sun_path[0] == '@') > > ++ addr.sun_path[0] = 0; > > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > > ++ error_f("socket \"%s\" connect: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > > ++ error_f("socket \"%s\" write: %s", path, > strerror(errno)); > > ++ goto out; > > ++ } > > ++ debug_f("socket \"%s\" notified %s", path, s); > > ++ out: > > ++ if (fd != -1) > > ++ close(fd); > > ++ free(s); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_ready(void) > > ++{ > > ++ ssh_systemd_notify("READY=1"); > > ++} > > ++ > > ++void > > ++ssh_systemd_notify_reload(void) > > ++{ > > ++ struct timespec now; > > ++ > > ++ monotime_ts(&now); > > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > > ++ error_f("monotime returned negative value"); > > ++ 
ssh_systemd_notify("RELOADING=1"); > > ++ } else { > > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > > ++ ((uint64_t)now.tv_nsec / 1000ULL)); > > ++ } > > ++} > > ++#endif /* SYSTEMD_NOTIFY */ > > ++ > > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > > +diff --git a/openbsd-compat/port-linux.h > b/openbsd-compat/port-linux.h > > +index 3c22a854d..14064f87d 100644 > > +--- a/openbsd-compat/port-linux.h > > ++++ b/openbsd-compat/port-linux.h > > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > > + void oom_adjust_setup(void); > > + #endif > > + > > ++#ifdef SYSTEMD_NOTIFY > > ++void ssh_systemd_notify_ready(void); > > ++void ssh_systemd_notify_reload(void); > > ++#endif > > ++ > > + #endif /* ! _PORT_LINUX_H */ > > +diff --git a/platform.c b/platform.c > > +index 4fe8744ee..9cf818153 100644 > > +--- a/platform.c > > ++++ b/platform.c > > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > > + #endif > > + } > > + > > ++void > > ++platform_post_listen(void) > > ++{ > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_ready(); > > ++#endif > > ++} > > ++ > > + void > > + platform_pre_fork(void) > > + { > > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > > + void > > + platform_pre_restart(void) > > + { > > ++#ifdef SYSTEMD_NOTIFY > > ++ ssh_systemd_notify_reload(); > > ++#endif > > + #ifdef LINUX_OOM_ADJUST > > + oom_adjust_restore(); > > + #endif > > +diff --git a/platform.h b/platform.h > > +index 7fef8c983..5dec23276 100644 > > +--- a/platform.h > > ++++ b/platform.h > > +@@ -21,6 +21,7 @@ > > + void platform_pre_listen(void); > > + void platform_pre_fork(void); > > + void platform_pre_restart(void); > > ++void platform_post_listen(void); > > + void platform_post_fork_parent(pid_t child_pid); > > + void platform_post_fork_child(void); > > + int platform_privileged_uidswap(void); > > +diff --git a/sshd.c b/sshd.c > > +index b4f2b9742..865331b46 100644 > > +--- a/sshd.c > > ++++ b/sshd.c > > 
+@@ -2077,6 +2077,8 @@ main(int ac, char **av) > > + ssh_signal(SIGTERM, sigterm_handler); > > + ssh_signal(SIGQUIT, sigterm_handler); > > + > > ++ platform_post_listen(); > > ++ > > + /* > > + * Write out the pid file after the sigterm handler > > + * is setup and the listen sockets are bound > > +-- > > +2.45.2 > > + > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > deleted file mode 100644 > > index f079d936a4..0000000000 > > --- > a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > > +++ /dev/null 
> > @@ -1,96 +0,0 @@ > > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 > 00:00:00 2001 > > -From: Matt Jolly <Matt.Jolly@footclan.ninja> > > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > > -Subject: [PATCH] systemd: Add optional support for systemd > `sd_notify` > > - > > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> > > -patch based on Jakub Jelen's <jjelen@redhat.com> original patch > > - > > -Upstream-Status: Submitted > [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56 > <https://urldefense.com/v3/__https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$>] > > - > > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > > ---- > > - configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > | 24 ++++++++++++++++++++++++ > > - sshd.c | 13 +++++++++++++ > > - 2 files changed, 37 insertions(+) > > - > > -diff --git a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -index 82e8bb7..d1145d3 100644 > > ---- a/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -+++ b/configure.ac > <https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > > - 
AC_SUBST([K5LIBS]) > > - AC_SUBST([CHANNELLIBS]) > > - > > -+# Check whether user wants systemd support > > -+SYSTEMD_MSG="no" > > -+AC_ARG_WITH(systemd, > > -+ [ --with-systemd Enable systemd support], > > -+ [ if test "x$withval" != "xno" ; then > > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > > -+ if test "$PKGCONFIG" != "no"; then > > -+ AC_MSG_CHECKING([for libsystemd]) > > -+ if $PKGCONFIG --exists libsystemd; then > > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > > -+ AC_MSG_RESULT([yes]) > > -+ AC_DEFINE(HAVE_SYSTEMD, 1, > [Define if you want systemd support.]) > > -+ SYSTEMD_MSG="yes" > > -+ else > > -+ AC_MSG_RESULT([no]) > > -+ fi > > -+ fi > > -+ fi ] > > -+) > > -+ > > - # Looking for programs, paths and files > > - > > - PRIVSEP_PATH=/var/empty > > -@@ -5688,6 +5711,7 @@ echo " libldns support: > $LDNS_MSG" > > - echo " Solaris process contract support: $SPC_MSG" > > - echo " Solaris project support: $SP_MSG" > > - echo " Solaris privilege support: $SPP_MSG" > > -+echo " systemd support: $SYSTEMD_MSG" > > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > > - echo " BSD Auth support: $BSD_AUTH_MSG" > > -diff --git a/sshd.c b/sshd.c > > -index b4f2b97..6820a41 100644 > > ---- a/sshd.c > > -+++ b/sshd.c > > -@@ -88,6 +88,10 @@ > > - #include <prot.h> > > - #endif > > - > > -+#ifdef HAVE_SYSTEMD > > -+#include <systemd/sd-daemon.h> > > -+#endif > > -+ > > - #include "xmalloc.h" > > - #include "ssh.h" > > - #include "ssh2.h" > > -@@ -308,6 +312,10 @@ static void > > - sighup_restart(void) > > - { > > - logit("Received SIGHUP; restarting."); > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are reloading */ > > -+ sd_notify(0, "RELOADING=1"); > > -+#endif > > - if (options.pid_file != NULL) > > - unlink(options.pid_file); > > - 
platform_pre_restart(); > > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > > - } > > - } > > - > > -+#ifdef HAVE_SYSTEMD > > -+ /* Signal systemd that we are ready to accept > connections */ > > -+ sd_notify(0, "READY=1"); > > -+#endif > > -+ > > - /* Accept a connection and return in a forked > child */ > > - server_accept_loop(&sock_in, &sock_out, > > - &newsock, config_s); > > diff --git > a/meta/recipes-connectivity/openssh/openssh/sshd.service > b/meta/recipes-connectivity/openssh/openssh/sshd.service > > index 3e570ab1e5..c71fff1cc1 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > > After=nss-user-lookup.target > <https://urldefense.com/v3/__http://nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > > KillMode=process > > Restart=on-failure > > RestartSec=42s > > diff --git > a/meta/recipes-connectivity/openssh/openssh/sshd@.service > b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > index 9d9965e624..dcfec8f054 100644 > > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service > > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > > After=sshdgenkeys.service > > > > [Service] > > +Type=notify-reload > > Environment="SSHD_OPTS=" > > EnvironmentFile=-/etc/default/ssh > > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS 
> > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > index 4f20616295..4680d12be5 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > > @@ -24,7 +24,7 @@ SRC_URI = > "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > <https://urldefense.com/v3/__http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> > > file://run-ptest \ > > file://sshd_check_keys \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch > \ > > - > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > > + file://0001-notify-systemd-on-listen-and-reload.patch \ > > file://CVE-2024-6387.patch \ > > " > > SRC_URI[sha256sum] = > "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" 
> > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > > SYSTEMD_SERVICE:${PN}-sshd = > "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', > '', d)} > ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', > '', d)}" > > > > inherit autotools-brokensep ptest pkgconfig > > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > 'systemd', '', d)}" > > > > # systemd-sshd-socket-mode means installing sshd.socket > > # and systemd-sshd-service-mode corresponding to sshd.service > > @@ -78,7 +77,6 @@ EXTRA_OECONF = > "'LOGIN_PROGRAM=${base_bindir}/login' \ > > --sysconfdir=${sysconfdir}/ssh \ > > --with-xauth=${bindir}/xauth \ > > --disable-strip \ > > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', > '--with-systemd', '--without-systemd', d)} \ > > " > > > > # musl doesn't implement wtmp/utmp and logwtmp > > -- > > 2.45.2 > > > > > > > > > > > > -- > Best regards, > > José Quaresma > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202144):https://lists.openembedded.org/g/openembedded-core/message/202144 > Mute This Topic:https://lists.openembedded.org/mt/107252588/7304865 > Group Owner:openembedded-core+owner@lists.openembedded.org > Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
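Review bot: the abstract-socket branch of `ssh_systemd_notify()` in the port-linux.c hunk does not address the socket it means to. After `addr.sun_path[0] = 0` the call is `connect(fd, &addr, sizeof(addr))`, and for AF_UNIX abstract names the kernel takes every byte of sun_path covered by the address length as part of the name, so the NUL padding after the name becomes part of it and the connect goes to a different (non-existent) abstract socket; use `offsetof(struct sockaddr_un, sun_path) + strlen(path)` as the length, which is also correct for filesystem paths. In the same call, `&addr` is a `struct sockaddr_un *` passed without a `(struct sockaddr *)` cast, which GCC 14 rejects by default now that -Wincompatible-pointer-types is an error. The `stat()` before the connect adds nothing that `connect()` would not report itself.

Review bot: in the platform.c `platform_pre_restart()` hunk the `RELOADING=1` is only half of the reload handshake; the `READY=1` that completes it is sent by the re-exec'd sshd from `platform_post_listen()` once it has rebound its listeners, and neither call site says so. A one-line comment at each end of the pairing, and a mention in the commit message, would save the next reader from looking for where a reload's READY=1 comes from. The negative-timestamp fallback that sends a bare `RELOADING=1` is also questionable: a notify-reload manager uses `MONOTONIC_USEC` to tell this message from one sent before its reload signal, so the bare form is unlikely to complete the reload, and `monotime_ts()` going negative is an internal error that is better reported as such than papered over with a half message.

Review bot: after `platform_post_listen()` in the sshd.c hunk nothing removes `NOTIFY_SOCKET` from the environment, and the listener cannot simply `unsetenv()` it here because the SIGHUP path re-execs sshd and the new image needs the variable to send its own `READY=1`. The place to drop it is the child side, e.g. `platform_post_fork_child()`, which the platform.h hunk shows already exists, so that the per-connection process and anything it starts never inherit a socket they have no business writing to. Whether the variable could reach a user session depends on how sshd builds the session environment, which this series does not touch; scrubbing it in the child removes the question.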
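Qi's point above rests on which side sends what over the notify socket: the manager waits for `READY=1`, and for notify-reload it waits for `RELOADING=1` with a monotonic timestamp followed by a fresh `READY=1`. The following is an added example, not code from this thread, from OpenSSH or from systemd, that shows both halves of that exchange on one host: a client that builds the AF_UNIX address for path and `@`-prefixed abstract `NOTIFY_SOCKET` values with the exact length a manager binds with, and a manager-side parser for the messages the backported patch emits. The function names, the `/tmp/notify-example-<pid>` socket path and the `MONOTONIC_USEC` value are constructed for the demonstration.

```c
/* Added example, not OpenSSH or systemd code: sd_notify-style client plus a manager-side parser. C99, POSIX. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill addr from NOTIFY_SOCKET syntax; return the address length for
 * connect()/bind(), or 0 if unusable. A leading '@' means an abstract socket:
 * that byte becomes NUL and the length must end with the name, because the
 * kernel treats trailing zero padding as part of an abstract name. */
static socklen_t notify_sockaddr(const char *path, struct sockaddr_un *addr)
{
    size_t n;
    if (path == NULL || (path[0] != '/' && path[0] != '@'))
        return 0;
    if ((n = strlen(path)) >= sizeof(addr->sun_path))
        return 0;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n);
    if (path[0] == '@')
        addr->sun_path[0] = '\0';
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n);
}

/* Address length a NOTIFY_SOCKET value resolves to (0 = rejected). */
socklen_t notify_addrlen_for(const char *path)
{
    struct sockaddr_un a;
    return notify_sockaddr(path, &a);
}

/* Client side: one datagram per call, as sd_notify() does. 0 = sent, -1 = error. */
int notify_send(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    socklen_t len;
    int fd, rc = -1;
    if ((len = notify_sockaddr(path, &addr)) == 0 ||
        (fd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
        return -1;
    if (sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&addr, len) ==
        (ssize_t)strlen(msg))
        rc = 0;
    close(fd);
    return rc;
}

/* Manager side: parse newline-separated KEY=VALUE assignments, ignoring unknown
 * keys as systemd does. Returns a bitmask: 1 = READY=1, 2 = RELOADING=1,
 * 4 = MONOTONIC_USEC (its value is stored through usec when non-NULL). */
int notify_parse(const char *buf, size_t len, uint64_t *usec)
{
    int flags = 0;
    size_t i = 0;
    while (i < len) {
        const char *line = buf + i, *nl = memchr(line, '\n', len - i);
        size_t ll = nl ? (size_t)(nl - line) : len - i;
        if (ll == 7 && memcmp(line, "READY=1", 7) == 0)
            flags |= 1;
        else if (ll == 11 && memcmp(line, "RELOADING=1", 11) == 0)
            flags |= 2;
        else if (ll > 15 && ll < 35 && memcmp(line, "MONOTONIC_USEC=", 15) == 0) {
            char tmp[32];   /* bounded copy so strtoull sees a C string */
            memcpy(tmp, line + 15, ll - 15);
            tmp[ll - 15] = '\0';
            if (usec)
                *usec = strtoull(tmp, NULL, 10);
            flags |= 4;
        }
        i += ll + 1;
    }
    return flags;
}

/* Both sides on one host: bind a manager socket on a constructed temp path, send
 * the reload message in the format sshd uses and check what arrives. Returns 1
 * when RELOADING=1 and MONOTONIC_USEC survive the round trip. */
int notify_roundtrip(void)
{
    char path[64], buf[256];
    struct sockaddr_un addr;
    uint64_t usec = 0;
    socklen_t len;
    ssize_t n;
    int fd, ok = 0;
    snprintf(path, sizeof(path), "/tmp/notify-example-%ld", (long)getpid());
    unlink(path);
    if ((len = notify_sockaddr(path, &addr)) == 0 ||
        (fd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
        return 0;
    if (bind(fd, (struct sockaddr *)&addr, len) == 0 &&
        notify_send(path, "RELOADING=1\nMONOTONIC_USEC=123456789") == 0 &&
        (n = recv(fd, buf, sizeof(buf), 0)) > 0 &&
        notify_parse(buf, (size_t)n, &usec) == 6 && usec == 123456789ULL)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}
```

The length returned by `notify_sockaddr()` is the detail that matters for the `@` case: a manager that bound an abstract socket with `offsetof(struct sockaddr_un, sun_path) + strlen(name)` is only reachable by a client that uses the same length, not `sizeof(addr)`. The parser mirrors what a Type=notify-reload manager needs to see from sshd: `READY=1` once the listeners are bound, and `RELOADING=1` together with `MONOTONIC_USEC=` before the re-exec.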
ChenQi <Qi.Chen@windriver.com> wrote (Wednesday, 17/07/2024 at 10:25):

> I think the problem might be related to the "+Type=notify-reload" change
> in sshd@.service. It's in inetd mode so the upstream change about
> SYSTEMD_NOTIFY should have nothing to do with it.
> I also doubt if the following line should be removed from sshd.service.
>
> -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
>

Makes sense. Maybe the service changes in the patch need to be conditional on whether or not we are using systemd. I'm going to try this path a little, but I am now facing some issues with testimage without the overall openssh patch series.

Jose

> Regards,
> Qi
>
> On 7/17/24 16:46, Jose Quaresma wrote:
>
> Khem Raj <raj.khem@gmail.com> wrote (Wednesday, 17/07/2024 at 07:38):
>
>> actually I narrowed down my problem of disconnection to this patch in
>> the series. Earlier I thought it might be related to the openssh
>> upgrade patch, but reverting that still causes the problem, whereas when
>> this patch is reverted the problem is gone.
>
> I will jump on this today and try to find the root cause.
> The ptest goes well in my local tests but I didn't do anything with
> testimage.
> I'll see if the testimage picks up something.
>
> Thanks for the feedback.
>
> Jose
>
>> On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org
>> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>> >
>> > Still side effects of the XZ backdoor. The systemd sd-notify patch
>> > was rejected [1] upstream and a standalone implementation that does
>> > not depend on libsystemd was chosen [2].
>> >
>> > Rationale [1]:
>> >
>> > License incompatibility and library bloatedness were the reasons.
<https://urldefense.com/v3/__http://configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> >> > -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) >> > - AC_SUBST([K5LIBS]) >> > - AC_SUBST([CHANNELLIBS]) >> > - >> > -+# Check whether user wants systemd support >> > -+SYSTEMD_MSG="no" >> > -+AC_ARG_WITH(systemd, >> > -+ [ --with-systemd Enable systemd support], >> > -+ [ if test "x$withval" != "xno" ; then >> > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) >> > -+ if test "$PKGCONFIG" != "no"; then >> > -+ AC_MSG_CHECKING([for libsystemd]) >> > -+ if $PKGCONFIG --exists libsystemd; then >> > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags >> libsystemd` >> > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs >> libsystemd` >> > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" >> > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" >> > -+ AC_MSG_RESULT([yes]) >> > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if >> you want systemd support.]) >> > -+ SYSTEMD_MSG="yes" >> > -+ else >> > -+ AC_MSG_RESULT([no]) >> > -+ fi >> > -+ fi >> > -+ fi ] >> > -+) >> > -+ >> > - # Looking for programs, paths and files >> > - >> > - PRIVSEP_PATH=/var/empty >> > -@@ -5688,6 +5711,7 @@ echo " libldns support: >> $LDNS_MSG" >> > - echo " Solaris process contract support: $SPC_MSG" >> > - echo " Solaris project support: $SP_MSG" >> > - echo " Solaris privilege support: $SPP_MSG" >> > -+echo " systemd support: $SYSTEMD_MSG" >> > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" >> > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" >> > - echo " BSD Auth support: $BSD_AUTH_MSG" >> > -diff --git a/sshd.c b/sshd.c >> > -index b4f2b97..6820a41 100644 >> > ---- a/sshd.c >> > -+++ b/sshd.c >> > -@@ -88,6 +88,10 @@ >> > - #include <prot.h> >> > - #endif >> > - >> > -+#ifdef HAVE_SYSTEMD >> > -+#include <systemd/sd-daemon.h> >> > -+#endif >> > -+ >> > - #include "xmalloc.h" >> > - #include "ssh.h" >> > - #include "ssh2.h" >> > -@@ -308,6 +312,10 @@ static void >> > - 
sighup_restart(void) >> > - { >> > - logit("Received SIGHUP; restarting."); >> > -+#ifdef HAVE_SYSTEMD >> > -+ /* Signal systemd that we are reloading */ >> > -+ sd_notify(0, "RELOADING=1"); >> > -+#endif >> > - if (options.pid_file != NULL) >> > - unlink(options.pid_file); >> > - platform_pre_restart(); >> > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) >> > - } >> > - } >> > - >> > -+#ifdef HAVE_SYSTEMD >> > -+ /* Signal systemd that we are ready to accept >> connections */ >> > -+ sd_notify(0, "READY=1"); >> > -+#endif >> > -+ >> > - /* Accept a connection and return in a forked child */ >> > - server_accept_loop(&sock_in, &sock_out, >> > - &newsock, config_s); >> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service >> b/meta/recipes-connectivity/openssh/openssh/sshd.service >> > index 3e570ab1e5..c71fff1cc1 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service >> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service >> > @@ -5,11 +5,11 @@ After=sshdgenkeys.service >> > After=nss-user-lookup.target >> <https://urldefense.com/v3/__http://nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> >> > >> > [Service] >> > +Type=notify-reload >> > Environment="SSHD_OPTS=" >> > EnvironmentFile=-/etc/default/ssh >> > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd >> > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS >> > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID >> > KillMode=process >> > Restart=on-failure >> > RestartSec=42s >> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service >> b/meta/recipes-connectivity/openssh/openssh/sshd@.service >> > index 9d9965e624..dcfec8f054 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service >> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service 
>> > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon >> > After=sshdgenkeys.service >> > >> > [Service] >> > +Type=notify-reload >> > Environment="SSHD_OPTS=" >> > EnvironmentFile=-/etc/default/ssh >> > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS >> > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > index 4f20616295..4680d12be5 100644 >> > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb >> <https://urldefense.com/v3/__http://openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> >> > @@ -24,7 +24,7 @@ SRC_URI = " >> http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar >> <https://urldefense.com/v3/__http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> >> > file://run-ptest \ >> > file://sshd_check_keys \ >> > >> file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ >> > - >> file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ >> > + file://0001-notify-systemd-on-listen-and-reload.patch \ >> > file://CVE-2024-6387.patch \ >> > " >> > SRC_URI[sha256sum] = >> "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" 
>> > @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" >> > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', >> '', d)} >> ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', >> '', d)}" >> <$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket','',d)%7D$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service','',d)%7D> >> > >> > inherit autotools-brokensep ptest pkgconfig >> > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', >> 'systemd', '', d)}" >> <$%7B@bb.utils.contains('DISTRO_FEATURES','systemd','systemd','',d)%7D> >> > >> > # systemd-sshd-socket-mode means installing sshd.socket >> > # and systemd-sshd-service-mode corresponding to sshd.service >> > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ >> > --sysconfdir=${sysconfdir}/ssh \ >> > --with-xauth=${bindir}/xauth \ >> > --disable-strip \ >> > - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', >> '--with-systemd', '--without-systemd', d)} \ >> > " >> > >> > # musl doesn't implement wtmp/utmp and logwtmp >> > -- >> > 2.45.2 >> > >> > >> > >> > >> > > > -- > Best regards, > > José Quaresma > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#202144): https://lists.openembedded.org/g/openembedded-core/message/202144 > Mute This Topic: https://lists.openembedded.org/mt/107252588/7304865 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- > > > >
Hi Jose,

The changes in the patch have already done an implicit check:

    if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
        return;

This means if it's not systemd who starts sshd (notify type starting), then the function ssh_systemd_notify just does nothing.

I looked at the changes in the patch and the codes around it, if I understand it correctly, in case of '-i' option, sshd does not notify systemd. So the sshd@.service should not use the notify type.

Regards,
Qi
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Jose Quaresma
Sent: Wednesday, July 17, 2024 6:53 PM
To: Chen, Qi <Qi.Chen@windriver.com>
Cc: Khem Raj <raj.khem@gmail.com>; openembedded-core@lists.openembedded.org; Jose Quaresma <jose.quaresma@foundries.io>
Subject: Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream

ChenQi <Qi.Chen@windriver.com> wrote (Wednesday, 17/07/2024 at 10:25):

I think the problem might be related to the "+Type=notify-reload" change in sshd@.service. It's in inetd mode so the upstream change about SYSTEMD_NOTIFY should have nothing to do with it.

I also doubt if the following line should be removed from sshd.service.

-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID

Makes sense. Maybe the service changes in the patch need to be conditional on whether or not we are using systemd. I'm going to try this path a little, but I am now facing some issues with testimage without the overall openssh patch series.

Jose

Regards,
Qi

On 7/17/24 16:46, Jose Quaresma wrote:

Khem Raj <raj.khem@gmail.com> wrote (Wednesday, 17/07/2024 at 07:38):

actually I narrowed down my problem of disconnection to this patch in the series. Earlier I thought it might be related to the openssh upgrade patch but reverting that still causes the problem but this patch when reverted, the problem is gone.

I will jump on this today and try to find the root cause. The ptest goes well in my local tests but I didn't do anything with testimage. I'll see if the testimage picks up something.

Thanks for the feedback.
Jose

On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>
> Still side effects of the XZ backdoor. The systemd sd-notify patch
> was rejected [1] upstream and a standalone implementation was chosen
> that does not depend on libsystemd [2].
>
> Rationale [1]:
>
> License incompatibility and library bloatedness were the reasons.
> Given recent events we're never going to take a dependency on libsystemd,
> though we might implement the notification protocol ourselves if it isn't too much work.
>
> [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729
> [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
>
> v4:
> - split update of Upstream-Status in new patches in the series
>
> v5:
> - use the upstream solution
>
> ...-notify-systemd-on-listen-and-reload.patch | 225 ++++++++++++++++++
> ...tional-support-for-systemd-sd_notify.patch | 96 --------
> .../openssh/openssh/sshd.service | 2 +-
> .../openssh/openssh/sshd@.service | 1 +
> .../openssh/openssh_9.7p1.bb | 4 +-
> 5 files changed, 228 insertions(+), 100 deletions(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
> delete mode 100644 meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
> new file mode 100644
> index 0000000000..4925c969fe
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
> @@ -0,0 +1,225 @@ > +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 > +From: Damien Miller <djm@mindrot.org<mailto:djm@mindrot.org>> > +Date: Wed, 3 Apr 2024 14:40:32 +1100 > +Subject: [PATCH] notify systemd on listen and reload > + > +Standalone implementation that does not depend on libsystemd. > +With assistance from Luca Boccassi, and feedback/testing from Colin > +Watson. bz2641 > + > +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bcg4kaOm$>] > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io<mailto:jose.quaresma@foundries.io>> > +--- > + configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> | 1 + > + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- > + openbsd-compat/port-linux.h | 5 ++ > + platform.c | 11 +++++ > + platform.h | 1 + > + sshd.c | 2 + > + 6 files changed, 115 insertions(+), 2 deletions(-) > + > +diff --git a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > +index 82e8bb7c1..854f92b5b 100644 > +--- a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > ++++ 
b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) > + AC_DEFINE([USE_BTMP]) > + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) > ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) > + inet6_default_4in6=yes > + case `uname -r` in > + 1.*|2.0.*) > +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c > +index 0457e28d0..df7290246 100644 > +--- a/openbsd-compat/port-linux.c > ++++ b/openbsd-compat/port-linux.c > +@@ -21,16 +21,23 @@ > + > + #include "includes.h" > + > +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ > ++ defined(SYSTEMD_NOTIFY) > ++#include <sys/socket.h> > ++#include <sys/un.h> > ++ > + #include <errno.h> > ++#include <inttypes.h> > + #include <stdarg.h> > + #include <string.h> > + #include <stdio.h> > + #include <stdlib.h> > ++#include <time.h> > + > + #include "log.h" > + #include "xmalloc.h" > + #include "port-linux.h" > ++#include "misc.h" > + > + #ifdef WITH_SELINUX > + #include <selinux/selinux.h> > +@@ -310,4 +317,90 @@ oom_adjust_restore(void) > + return; > + } > + #endif /* LINUX_OOM_ADJUST */ > +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ > ++ > ++#ifdef SYSTEMD_NOTIFY > ++ > ++static void ssh_systemd_notify(const char *, ...) > ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); > ++ > ++static void > ++ssh_systemd_notify(const char *fmt, ...) 
> ++{ > ++ char *s = NULL; > ++ const char *path; > ++ struct stat sb; > ++ struct sockaddr_un addr; > ++ int fd = -1; > ++ va_list ap; > ++ > ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) > ++ return; > ++ > ++ va_start(ap, fmt); > ++ xvasprintf(&s, fmt, ap); > ++ va_end(ap); > ++ > ++ /* Only AF_UNIX is supported, with path or abstract sockets */ > ++ if (path[0] != '/' && path[0] != '@') { > ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); > ++ goto out; > ++ } > ++ > ++ if (path[0] == '/' && stat(path, &sb) != 0) { > ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ > ++ memset(&addr, 0, sizeof(addr)); > ++ addr.sun_family = AF_UNIX; > ++ if (strlcpy(addr.sun_path, path, > ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { > ++ error_f("socket path \"%s\" too long", path); > ++ goto out; > ++ } > ++ /* Support for abstract socket */ > ++ if (addr.sun_path[0] == '@') > ++ addr.sun_path[0] = 0; > ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { > ++ error_f("socket \"%s\": %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (connect(fd, &addr, sizeof(addr)) != 0) { > ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { > ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); > ++ goto out; > ++ } > ++ debug_f("socket \"%s\" notified %s", path, s); > ++ out: > ++ if (fd != -1) > ++ close(fd); > ++ free(s); > ++} > ++ > ++void > ++ssh_systemd_notify_ready(void) > ++{ > ++ ssh_systemd_notify("READY=1"); > ++} > ++ > ++void > ++ssh_systemd_notify_reload(void) > ++{ > ++ struct timespec now; > ++ > ++ monotime_ts(&now); > ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { > ++ error_f("monotime returned negative value"); > ++ ssh_systemd_notify("RELOADING=1"); > ++ } else { > ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", > ++ ((uint64_t)now.tv_sec * 1000000ULL) + > ++ 
((uint64_t)now.tv_nsec / 1000ULL)); > ++ } > ++} > ++#endif /* SYSTEMD_NOTIFY */ > ++ > ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ > +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h > +index 3c22a854d..14064f87d 100644 > +--- a/openbsd-compat/port-linux.h > ++++ b/openbsd-compat/port-linux.h > +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); > + void oom_adjust_setup(void); > + #endif > + > ++#ifdef SYSTEMD_NOTIFY > ++void ssh_systemd_notify_ready(void); > ++void ssh_systemd_notify_reload(void); > ++#endif > ++ > + #endif /* ! _PORT_LINUX_H */ > +diff --git a/platform.c b/platform.c > +index 4fe8744ee..9cf818153 100644 > +--- a/platform.c > ++++ b/platform.c > +@@ -44,6 +44,14 @@ platform_pre_listen(void) > + #endif > + } > + > ++void > ++platform_post_listen(void) > ++{ > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_ready(); > ++#endif > ++} > ++ > + void > + platform_pre_fork(void) > + { > +@@ -55,6 +63,9 @@ platform_pre_fork(void) > + void > + platform_pre_restart(void) > + { > ++#ifdef SYSTEMD_NOTIFY > ++ ssh_systemd_notify_reload(); > ++#endif > + #ifdef LINUX_OOM_ADJUST > + oom_adjust_restore(); > + #endif > +diff --git a/platform.h b/platform.h > +index 7fef8c983..5dec23276 100644 > +--- a/platform.h > ++++ b/platform.h > +@@ -21,6 +21,7 @@ > + void platform_pre_listen(void); > + void platform_pre_fork(void); > + void platform_pre_restart(void); > ++void platform_post_listen(void); > + void platform_post_fork_parent(pid_t child_pid); > + void platform_post_fork_child(void); > + int platform_privileged_uidswap(void); > +diff --git a/sshd.c b/sshd.c > +index b4f2b9742..865331b46 100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -2077,6 +2077,8 @@ main(int ac, char **av) > + ssh_signal(SIGTERM, sigterm_handler); > + ssh_signal(SIGQUIT, sigterm_handler); > + > ++ platform_post_listen(); > ++ > + /* > + * Write out the pid file after the sigterm handler > + * is setup and the listen sockets are bound > +-- > +2.45.2 > 
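Review bot: the AC_DEFINE([SYSTEMD_NOTIFY], [1], ...) in the configure.ac hunk is unconditional inside the Linux case, so there is no configure switch to turn the notify code off and the configure summary never reports it; that is consistent with the recipe dropping --with-systemd/--without-systemd, but the patch header should say plainly that the code is built on every Linux target and is a no-op unless NOTIFY_SOCKET is set in the environment, otherwise the next person touching the recipe will look for the option that used to exist.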
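Review bot: in the ssh_systemd_notify() hunk the abstract-socket branch (`if (addr.sun_path[0] == '@') addr.sun_path[0] = 0;`) is followed by `connect(fd, &addr, sizeof(addr))`, and for an abstract AF_UNIX address the name is every byte of sun_path covered by the length passed, so sizeof(addr) addresses the name padded with trailing NULs instead of the exact-length name a listener normally binds; the '/' form only works because its sun_path is NUL-terminated. For the '@' case the length should be offsetof(struct sockaddr_un, sun_path) + strlen(path). Two smaller points in the same hunk: `&addr` is a `struct sockaddr_un *` and wants a `(struct sockaddr *)` cast to compile without a warning, and `"%llu"` is paired with a `uint64_t` expression while `<inttypes.h>` is newly included, so either cast to `unsigned long long` or use `PRIu64`.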
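Review bot: in the sshd.c hunk platform_post_listen() is inserted between the SIGTERM/SIGQUIT handler setup and the pid-file write, so READY=1 reaches systemd before options.pid_file exists; systemd itself does not need the pid file for a notify-type unit, but any ExecStartPost= or dependent unit that reads the pid file once sshd is "active" can race with it. Moving the call to after the pid file is written, or stating the ordering in the comment that follows it, would avoid that.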
+ > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > deleted file mode 100644 > index f079d936a4..0000000000 > --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch > +++ /dev/null 
> @@ -1,96 +0,0 @@ > -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 > -From: Matt Jolly <Matt.Jolly@footclan.ninja><mailto:Matt.Jolly@footclan.ninja> > -Date: Thu, 2 Feb 2023 21:05:40 +1100 > -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` > - > -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org<mailto:expeditioneer@gentoo.org>> > -patch based on Jakub Jelen's <jjelen@redhat.com<mailto:jjelen@redhat.com>> original patch > - > -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56<https://urldefense.com/v3/__https:/github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfwiLKAT$>] > - > -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com<mailto:xiangyu.chen@windriver.com>> > ---- > - configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> | 24 ++++++++++++++++++++++++ > - sshd.c | 13 +++++++++++++ > - 2 files changed, 37 insertions(+) > - > -diff --git a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > -index 82e8bb7..d1145d3 100644 > ---- a/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > -+++ b/configure.ac<https://urldefense.com/v3/__http:/configure.ac__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZPaE51L$> > 
-@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) > - AC_SUBST([K5LIBS]) > - AC_SUBST([CHANNELLIBS]) > - > -+# Check whether user wants systemd support > -+SYSTEMD_MSG="no" > -+AC_ARG_WITH(systemd, > -+ [ --with-systemd Enable systemd support], > -+ [ if test "x$withval" != "xno" ; then > -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > -+ if test "$PKGCONFIG" != "no"; then > -+ AC_MSG_CHECKING([for libsystemd]) > -+ if $PKGCONFIG --exists libsystemd; then > -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > -+ AC_MSG_RESULT([yes]) > -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) > -+ SYSTEMD_MSG="yes" > -+ else > -+ AC_MSG_RESULT([no]) > -+ fi > -+ fi > -+ fi ] > -+) > -+ > - # Looking for programs, paths and files > - > - PRIVSEP_PATH=/var/empty > -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" > - echo " Solaris process contract support: $SPC_MSG" > - echo " Solaris project support: $SP_MSG" > - echo " Solaris privilege support: $SPP_MSG" > -+echo " systemd support: $SYSTEMD_MSG" > - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > - echo " BSD Auth support: $BSD_AUTH_MSG" > -diff --git a/sshd.c b/sshd.c > -index b4f2b97..6820a41 100644 > ---- a/sshd.c > -+++ b/sshd.c > -@@ -88,6 +88,10 @@ > - #include <prot.h> > - #endif > - > -+#ifdef HAVE_SYSTEMD > -+#include <systemd/sd-daemon.h> > -+#endif > -+ > - #include "xmalloc.h" > - #include "ssh.h" > - #include "ssh2.h" > -@@ -308,6 +312,10 @@ static void > - sighup_restart(void) > - { > - logit("Received SIGHUP; restarting."); > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are reloading */ > -+ sd_notify(0, "RELOADING=1"); > -+#endif > - if (options.pid_file != NULL) > - unlink(options.pid_file); > - platform_pre_restart(); > -@@ -2093,6 +2101,11 @@ main(int ac, char **av) > - } > - } 
> - > -+#ifdef HAVE_SYSTEMD > -+ /* Signal systemd that we are ready to accept connections */ > -+ sd_notify(0, "READY=1"); > -+#endif > -+ > - /* Accept a connection and return in a forked child */ > - server_accept_loop(&sock_in, &sock_out, > - &newsock, config_s); > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service > index 3e570ab1e5..c71fff1cc1 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd.service > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service > @@ -5,11 +5,11 @@ After=sshdgenkeys.service > After=nss-user-lookup.target<https://urldefense.com/v3/__http:/nss-user-lookup.target__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BfffE4_Q$> > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd > ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID > KillMode=process > Restart=on-failure > RestartSec=42s > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:a/meta/recipes-connectivity/openssh/openssh/sshd@.service> b/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:b/meta/recipes-connectivity/openssh/openssh/sshd@.service> > index 9d9965e624..dcfec8f054 100644 > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:a/meta/recipes-connectivity/openssh/openssh/sshd@.service> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service<mailto:b/meta/recipes-connectivity/openssh/openssh/sshd@.service> > @@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon > After=sshdgenkeys.service > > [Service] > +Type=notify-reload > Environment="SSHD_OPTS=" > EnvironmentFile=-/etc/default/ssh > ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS 
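Review bot: Type=notify-reload in the sshd.service hunk is only understood by systemd 253 and newer; an older systemd logs a parse error for the unknown value and ignores it, leaving the default Type=, so the recipe should either check the systemd version it ships or use Type=notify plus an explicit ExecReload= on older targets. Dropping `-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID` is right for notify-reload, since systemd then sends ReloadSignal= (SIGHUP by default) itself and waits for RELOADING=1 followed by READY=1; that works with sshd only because sighup_restart() re-execs in the same process, sending RELOADING=1 from platform_pre_restart() before the exec and READY=1 from platform_post_listen() after it.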
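Review bot: Type=notify-reload in the sshd@.service hunk does not fit its ExecStart, `sshd -i`; in inetd mode sshd serves the one connection on its stdin and never reaches the listen-socket path where platform_post_listen() (and so READY=1) is called, so with a notify type every per-connection instance sits in "activating" until TimeoutStartSec= expires and systemd kills it, which would explain the disconnects reported earlier in this thread. The instance unit should keep the default Type= (drop this line); a reload signal makes no sense for a per-connection process either.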
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > index 4f20616295..4680d12be5 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb<https://urldefense.com/v3/__http:/openssh_9.7p1.bb__;!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8Bamvaj4m$> > @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar<https://urldefense.com/v3/__http:/ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$*7BPV*7D.tar__;JSU!!AjveYdw8EvQ!dyDMDTQfmXOSDtp_OINCHZKvb_Jx8re27vm6ogUDwMTZlQz2eu2WGexbqUYAYEPhX7AfK0o33vSBIxkkcgx8BZvn3QuC$> > file://run-ptest \ > file://sshd_check_keys \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > + file://0001-notify-systemd-on-listen-and-reload.patch \ > file://CVE-2024-6387.patch \ > " > SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" 
> @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" > SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"<mailto:$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket','',d)%7D$%7B@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service','',d)%7D> > > inherit autotools-brokensep ptest pkgconfig > -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"<mailto:$%7B@bb.utils.contains('DISTRO_FEATURES','systemd','systemd','',d)%7D> > > # systemd-sshd-socket-mode means installing sshd.socket > # and systemd-sshd-service-mode corresponding to sshd.service > @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ > --sysconfdir=${sysconfdir}/ssh \ > --with-xauth=${bindir}/xauth \ > --disable-strip \ > - ${@bb.utils.contains('DISTRO_FEATURES<mailto:$%7b@bb.utils.contains('DISTRO_FEATURES>', 'systemd', '--with-systemd', '--without-systemd', d)} \ > " > > # musl doesn't implement wtmp/utmp and logwtmp > -- > 2.45.2 > > > > -- Best regards, José Quaresma -- Best regards, José Quaresma
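The exchange this thread is arguing about, as an added example that belongs to none of the messages here and is not code from OpenSSH, systemd or the recipe: a small Python emulation of both sides of the sd_notify datagram protocol. NotifyListener plays systemd (binds NOTIFY_SOCKET and waits for a key with a start timeout), notify() plays ssh_systemd_notify(), and simulate_service() replays a daemon-mode start, reload and re-exec sequence next to an inetd-mode instance that never reports readiness. All function and class names are mine; the '@' handling builds the exact-length abstract address that Python's AF_UNIX API expects.

```python
"""Both sides of the sd_notify(3) datagram protocol, in plain Python.

Added example for this thread; not code from OpenSSH, systemd or the
OE recipe. Names (parse_notify, notify, NotifyListener, simulate_service,
run_demo) are mine.
"""
import os
import socket
import tempfile
import time


def parse_notify(datagram: bytes) -> dict:
    """Split one notification (newline-separated KEY=VALUE lines) into a dict.
    Lines without '=' are skipped; systemd ignores them as well."""
    fields = {}
    for line in datagram.decode("utf-8", "replace").split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def socket_address(path: str) -> str:
    """Map a NOTIFY_SOCKET value to the address Python's AF_UNIX API takes.
    '/...' is a filesystem socket. '@...' is a Linux abstract socket: a
    leading NUL byte plus the name, at its exact length (no NUL padding)."""
    if not path or path[0] not in "/@":
        raise ValueError(f"NOTIFY_SOCKET {path!r} is not an AF_UNIX address")
    return "\0" + path[1:] if path[0] == "@" else path


def notify(path: str, message: str) -> None:
    """Client side: the same connect-and-write ssh_systemd_notify() does."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(socket_address(path))
        sock.send(message.encode())


class NotifyListener:
    """The systemd side: own NOTIFY_SOCKET and wait for a given key."""

    def __init__(self, path: str):
        self.path = path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(socket_address(path))

    def wait_for(self, key: str, timeout: float):
        """Return the first datagram carrying `key`, or None on timeout.
        None is where systemd ends up when a notify-type unit never sends
        READY=1: once TimeoutStartSec= expires it kills the service."""
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            self.sock.settimeout(remaining)
            try:
                fields = parse_notify(self.sock.recv(4096))
            except socket.timeout:
                return None
            if key in fields:
                return fields

    def close(self) -> None:
        self.sock.close()
        if self.path.startswith("/"):
            os.unlink(self.path)


def simulate_service(listener: NotifyListener, inetd_mode: bool,
                     timeout: float = 0.5) -> list:
    """Replay what sshd sends under the backported patch.
    Daemon mode (sshd -D): READY=1 once the listen sockets are bound,
    RELOADING=1 + MONOTONIC_USEC on SIGHUP, READY=1 again after re-exec.
    inetd mode (sshd -i): nothing, because the listen path never runs."""
    path = listener.path
    seen = []
    if not inetd_mode:
        notify(path, "READY=1")                          # platform_post_listen()
    seen.append(listener.wait_for("READY", timeout))     # None in inetd mode
    if inetd_mode:
        return seen
    usec = time.monotonic_ns() // 1000
    notify(path, f"RELOADING=1\nMONOTONIC_USEC={usec}")  # platform_pre_restart()
    seen.append(listener.wait_for("RELOADING", timeout))
    notify(path, "READY=1")                              # main() after execv
    seen.append(listener.wait_for("READY", timeout))
    return seen


def run_demo(abstract: bool = False):
    """Run both scenarios against one listener; returns (daemon, inetd)."""
    tmpdir = None
    if abstract:                                         # Linux only
        path = f"@sd-notify-demo-{os.getpid()}"
    else:
        tmpdir = tempfile.mkdtemp()
        path = os.path.join(tmpdir, "notify")
    listener = NotifyListener(path)
    try:
        daemon = simulate_service(listener, inetd_mode=False)
        inetd = simulate_service(listener, inetd_mode=True)
    finally:
        listener.close()
        if tmpdir:
            os.rmdir(tmpdir)
    return daemon, inetd
```

Calling run_demo() gives two results: daemon mode yields READY, then RELOADING with MONOTONIC_USEC, then READY again, while inetd mode yields a single None after the timeout, which is exactly what a notify-type unit wrapping `sshd -i` turns into a start timeout and a killed instance.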
Hi Qi,

Chen, Qi <Qi.Chen@windriver.com> wrote (Thursday, 18/07/2024 at 04:34):

> Hi Jose,
>
> The changes in the patch have already done an implicit check:
>
>     if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
>         return;
>
> This means if it's not systemd who starts sshd (notify type starting),
> then the function ssh_systemd_notify just does nothing.

SYSTEMD_NOTIFY is always enabled on Linux regardless of which init system is in use.
I have finished the tests with sysvinit and everything looks good. I can't reproduce the timeout Khem mentions.
I am now building it with the systemd init manager to test.

> I looked at the changes in the patch and the code around it, if I
> understand it correctly, in case of '-i' option, sshd does not notify
> systemd. So the sshd@.service should not use the notify type.

I had also seen this detail in the service, I will test it with both services sshd.service and sshd@.service to see the difference.
The sshd.service runs in the foreground with '-D' and without the '-i'.
I wonder if it wouldn't be better to do the same in both (with -D) and thus notify systemd in both?

Jose

> Regards,
> Qi
>
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Jose Quaresma
> Sent: Wednesday, July 17, 2024 6:53 PM
> To: Chen, Qi <Qi.Chen@windriver.com>
> Cc: Khem Raj <raj.khem@gmail.com>; openembedded-core@lists.openembedded.org; Jose Quaresma <jose.quaresma@foundries.io>
> Subject: Re: [OE-core][PATCH v5 2/3] openssh: systemd notification was implemented upstream
>
> ChenQi <Qi.Chen@windriver.com> wrote (Wednesday, 17/07/2024 at 10:25):
>
> > I think the problem might be related to the "+Type=notify-reload" change
> > in sshd@.service. It's in inetd mode so the upstream change about
> > SYSTEMD_NOTIFY should have nothing to do with it.
> >
> > I also doubt if the following line should be removed from sshd.service.
> >
> > -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
>
> Makes sense.
> Maybe the service changes in the patch need to be conditional on whether
> or not we are using systemd.
>
> I'm going to try this path a little.
>
> But I am now facing some issues with testimage without the overall openssh
> patch series.
>
> Jose
>
> > Regards,
> > Qi
> >
> > On 7/17/24 16:46, Jose Quaresma wrote:
> >
> > > Khem Raj <raj.khem@gmail.com> wrote (Wednesday, 17/07/2024 at 07:38):
> > >
> > > > actually I narrowed down my problem of disconnection to this patch in
> > > > the series. Earlier I thought it might be related to the openssh
> > > > upgrade patch but reverting that still causes the problem but this
> > > > patch when reverted, the problem is gone.
> > >
> > > I will jump on this today and try to find the root cause.
> > > The ptest goes well in my local tests but I didn't do anything with
> > > testimage. I'll see if the testimage picks up something.
> > >
> > > Thanks for the feedback.
> > >
> > > Jose
> > >
> > > > On Tue, Jul 16, 2024 at 7:17 AM Jose Quaresma via lists.openembedded.org
> > > > <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> > > > >
> > > > > Still side effects of the XZ backdoor. The systemd sd-notify patch
> > > > > was rejected [1] upstream and a standalone implementation that does
> > > > > not depend on libsystemd was chosen [2].
> > > > >
> > > > > Rationale [1]:
> > > > >
> > > > > License incompatibility and library bloatedness were the reasons.
> > > > > Given recent events we're never going to take a dependency on libsystemd,
> > > > > though we might implement the notification protocol ourselves if it
> > > > > isn't too much work.
> > > > > [1] https://github.com/openssh/openssh-portable/pull/375#issuecomment-2027749729
> > > > > [2] https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
> > > > >
> > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> > > > > ---
> > > > >
> > > > > v4:
> > > > > - split update of Upstream-Status in new patches in the series
> > > > >
> > > > > v5:
> > > > > - use the upstream solution
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch new file mode 100644 index 0000000000..4925c969fe --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch 
@@ -0,0 +1,225 @@ +From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Wed, 3 Apr 2024 14:40:32 +1100 +Subject: [PATCH] notify systemd on listen and reload + +Standalone implementation that does not depend on libsystemd. +With assistance from Luca Boccassi, and feedback/testing from Colin +Watson. bz2641 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c] + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> +--- + configure.ac | 1 + + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- + openbsd-compat/port-linux.h | 5 ++ + platform.c | 11 +++++ + platform.h | 1 + + sshd.c | 2 + + 6 files changed, 115 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 82e8bb7c1..854f92b5b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 0457e28d0..df7290246 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -21,16 +21,23 @@ + + #include "includes.h" + +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ ++ defined(SYSTEMD_NOTIFY) ++#include <sys/socket.h> ++#include <sys/un.h> ++ + #include <errno.h> ++#include <inttypes.h> + #include <stdarg.h> + #include <string.h> + #include <stdio.h> + #include <stdlib.h> ++#include <time.h> + + #include "log.h" + #include "xmalloc.h" + #include "port-linux.h" ++#include "misc.h" + + 
#ifdef WITH_SELINUX + #include <selinux/selinux.h> +@@ -310,4 +317,90 @@ oom_adjust_restore(void) + return; + } + #endif /* LINUX_OOM_ADJUST */ +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ ++ ++#ifdef SYSTEMD_NOTIFY ++ ++static void ssh_systemd_notify(const char *, ...) ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); ++ ++static void ++ssh_systemd_notify(const char *fmt, ...) ++{ ++ char *s = NULL; ++ const char *path; ++ struct stat sb; ++ struct sockaddr_un addr; ++ int fd = -1; ++ va_list ap; ++ ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) ++ return; ++ ++ va_start(ap, fmt); ++ xvasprintf(&s, fmt, ap); ++ va_end(ap); ++ ++ /* Only AF_UNIX is supported, with path or abstract sockets */ ++ if (path[0] != '/' && path[0] != '@') { ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); ++ goto out; ++ } ++ ++ if (path[0] == '/' && stat(path, &sb) != 0) { ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); ++ goto out; ++ } ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ if (strlcpy(addr.sun_path, path, ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { ++ error_f("socket path \"%s\" too long", path); ++ goto out; ++ } ++ /* Support for abstract socket */ ++ if (addr.sun_path[0] == '@') ++ addr.sun_path[0] = 0; ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { ++ error_f("socket \"%s\": %s", path, strerror(errno)); ++ goto out; ++ } ++ if (connect(fd, &addr, sizeof(addr)) != 0) { ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); ++ goto out; ++ } ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); ++ goto out; ++ } ++ debug_f("socket \"%s\" notified %s", path, s); ++ out: ++ if (fd != -1) ++ close(fd); ++ free(s); ++} ++ ++void ++ssh_systemd_notify_ready(void) ++{ ++ ssh_systemd_notify("READY=1"); ++} ++ ++void ++ssh_systemd_notify_reload(void) ++{ ++ struct timespec now; ++ ++ 
monotime_ts(&now); ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { ++ error_f("monotime returned negative value"); ++ ssh_systemd_notify("RELOADING=1"); ++ } else { ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", ++ ((uint64_t)now.tv_sec * 1000000ULL) + ++ ((uint64_t)now.tv_nsec / 1000ULL)); ++ } ++} ++#endif /* SYSTEMD_NOTIFY */ ++ ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index 3c22a854d..14064f87d 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); + void oom_adjust_setup(void); + #endif + ++#ifdef SYSTEMD_NOTIFY ++void ssh_systemd_notify_ready(void); ++void ssh_systemd_notify_reload(void); ++#endif ++ + #endif /* ! _PORT_LINUX_H */ +diff --git a/platform.c b/platform.c +index 4fe8744ee..9cf818153 100644 +--- a/platform.c ++++ b/platform.c +@@ -44,6 +44,14 @@ platform_pre_listen(void) + #endif + } + ++void ++platform_post_listen(void) ++{ ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_ready(); ++#endif ++} ++ + void + platform_pre_fork(void) + { +@@ -55,6 +63,9 @@ platform_pre_fork(void) + void + platform_pre_restart(void) + { ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_reload(); ++#endif + #ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); + #endif +diff --git a/platform.h b/platform.h +index 7fef8c983..5dec23276 100644 +--- a/platform.h ++++ b/platform.h +@@ -21,6 +21,7 @@ + void platform_pre_listen(void); + void platform_pre_fork(void); + void platform_pre_restart(void); ++void platform_post_listen(void); + void platform_post_fork_parent(pid_t child_pid); + void platform_post_fork_child(void); + int platform_privileged_uidswap(void); +diff --git a/sshd.c b/sshd.c +index b4f2b9742..865331b46 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2077,6 +2077,8 @@ main(int ac, char **av) + ssh_signal(SIGTERM, sigterm_handler); + ssh_signal(SIGQUIT, sigterm_handler); + ++ platform_post_listen(); ++ + /* 
+ * Write out the pid file after the sigterm handler + * is setup and the listen sockets are bound +-- +2.45.2 + diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch deleted file mode 100644 index f079d936a4..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 -From: Matt Jolly <Matt.Jolly@footclan.ninja> -Date: Thu, 2 Feb 2023 21:05:40 +1100 -Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` - -This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> -patch based on Jakub Jelen's <jjelen@redhat.com> original patch - -Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] - -Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> ---- - configure.ac | 24 ++++++++++++++++++++++++ - sshd.c | 13 +++++++++++++ - 2 files changed, 37 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 82e8bb7..d1145d3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) - AC_SUBST([K5LIBS]) - AC_SUBST([CHANNELLIBS]) - -+# Check whether user wants systemd support -+SYSTEMD_MSG="no" -+AC_ARG_WITH(systemd, -+ [ --with-systemd Enable systemd support], -+ [ if test "x$withval" != "xno" ; then -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) -+ if test "$PKGCONFIG" != "no"; then -+ AC_MSG_CHECKING([for libsystemd]) -+ if $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) -+ SYSTEMD_MSG="yes" -+ else -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+ fi ] -+) -+ - # Looking for programs, paths and files - - PRIVSEP_PATH=/var/empty -@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" - echo " Solaris process contract support: $SPC_MSG" - echo " Solaris project support: $SP_MSG" - echo " Solaris privilege support: $SPP_MSG" -+echo " systemd support: $SYSTEMD_MSG" - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 
- echo " BSD Auth support: $BSD_AUTH_MSG" -diff --git a/sshd.c b/sshd.c -index b4f2b97..6820a41 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -88,6 +88,10 @@ - #include <prot.h> - #endif - -+#ifdef HAVE_SYSTEMD -+#include <systemd/sd-daemon.h> -+#endif -+ - #include "xmalloc.h" - #include "ssh.h" - #include "ssh2.h" -@@ -308,6 +312,10 @@ static void - sighup_restart(void) - { - logit("Received SIGHUP; restarting."); -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are reloading */ -+ sd_notify(0, "RELOADING=1"); -+#endif - if (options.pid_file != NULL) - unlink(options.pid_file); - platform_pre_restart(); -@@ -2093,6 +2101,11 @@ main(int ac, char **av) - } - } - -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are ready to accept connections */ -+ sd_notify(0, "READY=1"); -+#endif -+ - /* Accept a connection and return in a forked child */ - server_accept_loop(&sock_in, &sock_out, - &newsock, config_s); diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service index 3e570ab1e5..c71fff1cc1 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service @@ -5,11 +5,11 @@ After=sshdgenkeys.service After=nss-user-lookup.target [Service] +Type=notify-reload Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID KillMode=process Restart=on-failure RestartSec=42s diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service index 9d9965e624..dcfec8f054 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service 
@@ -3,6 +3,7 @@ Description=OpenSSH Per-Connection Daemon After=sshdgenkeys.service [Service] +Type=notify-reload Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb index 4f20616295..4680d12be5 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb @@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://run-ptest \ file://sshd_check_keys \ file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ - file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ + file://0001-notify-systemd-on-listen-and-reload.patch \ file://CVE-2024-6387.patch \ " SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" @@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd" SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" inherit autotools-brokensep ptest pkgconfig -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" # systemd-sshd-socket-mode means installing sshd.socket # and systemd-sshd-service-mode corresponding to sshd.service @@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ --sysconfdir=${sysconfdir}/ssh \ --with-xauth=${bindir}/xauth \ --disable-strip \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ " # musl doesn't implement wtmp/utmp and logwtmp
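Review bot: in the deleted 0001-systemd-Add-optional-support-for-systemd-sd_notify.patch, the `sd_notify(0, "RELOADING=1")` call in `sighup_restart()` carries no `MONOTONIC_USEC=` field, which systemd.service(5) expects alongside `RELOADING=1` for `Type=notify-reload` services, so this implementation would not have satisfied the `Type=notify-reload` units introduced in the same series; deleting it together with the unit change is the right pairing, and the unit change must not be cherry-picked onto a tree that still carries this patch. Its header also still says `Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/...]` for a PR the commit message reports as rejected, so removal rather than a status update matches the v5 note "use the upstream solution".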
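Review bot: in the sshd.service hunk, `Type=notify-reload` only exists from systemd 253 on; an older systemd logs "Failed to parse service type, ignoring" and keeps the default `Type=simple`, and because the same hunk deletes `ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID`, `systemctl reload sshd` then has no reload path at all on such a target. State the minimum systemd version in the commit message or keep the `ExecReload=` line as a fallback. Note also that the unit now only reaches "active" once sshd sends `READY=1`, so a build where the notify patch did not apply leaves sshd in "activating" until `TimeoutStartSec` expires and is then killed; a quick runtime check is `systemctl show -p Type,NotifyAccess,ActiveState sshd`.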
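Review bot: adding `Type=notify-reload` to sshd@.service looks wrong. That unit runs `sshd -i` for one already-accepted connection and never enters the accept loop, which is the only point where the deleted patch sent `READY=1` (right before `server_accept_loop()`); unless the replacement patch also notifies on the inetd path, each `sshd@` instance stays in "activating", is killed when `TimeoutStartSec` (90 s by default) runs out, and the session on that connection is dropped. Either drop this line from sshd@.service or verify with `systemctl status 'sshd@*'` that instances reach "active (running)" shortly after the connection is accepted.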
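Review bot: in the SRC_URI hunk of openssh_9.7p1.bb, the replacement 0001-notify-systemd-on-listen-and-reload.patch is, per the commit message, the upstream commit 08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c, so its header should carry `Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]` rather than the `Submitted` status the deleted patch had. Since the notify patch changes sshd.c (the deleted one touched `sighup_restart()` and `main()`) and `CVE-2024-6387.patch` follows it in SRC_URI, confirm the stack still applies without fuzz (`bitbake openssh -c patch`).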
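Review bot: dropping `DEPENDS += "... systemd ..."` is correct only because the backport speaks the notify protocol itself (the commit message says it does not depend on libsystemd), but it also means sshd is now built with notification support regardless of `DISTRO_FEATURES`. That is harmless only if the code is a no-op when `NOTIFY_SOCKET` is unset, so check a non-systemd build once: run `sshd -d` under sysvinit and confirm no socket or sendmsg errors are logged, and that `Type=notify-reload` in the shipped units is the only remaining systemd coupling.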
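Review bot: removing the `--with-systemd`/`--without-systemd` line from EXTRA_OECONF is required, not optional, once the deleted patch is gone, because that patch's configure.ac hunk was what defined `AC_ARG_WITH(systemd, ...)`; without the removal configure would report an unrecognized option. Worth one sentence in the commit message, since the notification code is now unconditional and no longer selectable at configure time.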
