
[meta-selinux] openssh: use config snippet instead of file

Message ID bb24ee8c-b074-4b54-be64-2d1a09e5359f@elder-tomes.com
State New

Commit Message

Levi Shafter July 30, 2025, 8:43 p.m. UTC
Config snippets should be used over file overrides since targeted
changes may be required in multiple recipes.

Since the oe-core sshd_config file now includes
/etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet
does not require the following:

* ChallengeResponseAuthentication: Replaced by
  KbdInteractiveAuthentication and set to "no" by default

* Override default of no subsystems: This is already present

* Compression, ClientAliveInterval, and ClientAliveCountMax: No changes
  required due to identical requirements of meta-selinux

Testing process:

* Pulled modified meta-selinux layer into Poky and included openssh

* Built core-image-sato and ran via qemu

* Verified /etc/ssh was as expected with an ssh_config.d directory with
  the new selinux config snippet inside

* Verified system was including selinux config modification by running
  sshd -T

Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Levi Shafter <lshafter@21sw.us>
---
Sponsor: 21SoftWare LLC

v2: Install config snippet to sshd_config.d
v1: https://lists.yoctoproject.org/g/yocto-patches/message/1818

 .../openssh/files/sshd_config                 | 118 ------------------
 .../files/sshd_config.d/50-selinux.conf       |  15 +++
 .../openssh/openssh_selinux.inc               |  12 ++
 3 files changed, 27 insertions(+), 118 deletions(-)
 delete mode 100644 recipes-connectivity/openssh/files/sshd_config
 create mode 100644 recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
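The commit message relies on two things that are easy to get wrong when a layer moves from a whole-file override to a drop-in snippet: that the main sshd_config actually includes sshd_config.d before it sets the keyword itself (for keywords such as UsePAM, sshd keeps the first value it obtains), and that the `sshd -T` check really reports the value the snippet intended. The following is an added example, not code from the patch, from meta-selinux or from OpenSSH: a small model of the first-value-wins rule across a main file plus included snippets, and a parser for `sshd -T` output so the verification step can be asserted rather than eyeballed. The file contents and the `sshd -T` excerpt are constructed; the semantics are a simplification of sshd_config(5) (no Match blocks, no accumulating keywords such as HostKey).

```python
"""Added example (not part of the meta-selinux patch or of OpenSSH):
a model of how sshd picks the effective value of a keyword when
/etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, plus a parser
for `sshd -T` output of the kind used in the commit message's test step.

Assumptions (labelled here and in the comments):
  * Simplified sshd_config(5) semantics: for keywords such as UsePAM the
    FIRST value obtained wins; an Include line is expanded where it appears,
    with glob matches taken in sorted order.  Accumulating keywords
    (HostKey, ...) and Match blocks are deliberately not modelled.
  * All file contents and the `sshd -T` sample below are constructed.
"""
import fnmatch
import posixpath
import re
import shlex

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
CONFIG_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")

# Constructed layout 1: the Include precedes the main file's own UsePAM
# line, so the layer's snippet takes effect.
FS_INCLUDE_FIRST = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "UsePAM no\n"
        "Compression no\n"
    ),
    "/etc/ssh/sshd_config.d/50-selinux.conf": "UsePAM yes\n",
}

# Constructed layout 2: same files, but the main file sets UsePAM before
# the Include.  The snippet is still read, but its UsePAM is ignored.
FS_MAIN_FIRST = {
    "/etc/ssh/sshd_config": (
        "UsePAM no\n"
        "Include /etc/ssh/sshd_config.d/*.conf\n"
    ),
    "/etc/ssh/sshd_config.d/50-selinux.conf": "UsePAM yes\n",
}


def _matches(pattern, fs):
    """Files in the constructed fs matching an Include pattern, in sorted
    order like glob(3) returns them (this is what a 50- prefix relies on).
    Simplification: fnmatch lets '*' cross directory separators."""
    if not pattern.startswith("/"):
        # sshd_config(5): relative Include paths are relative to /etc/ssh
        pattern = posixpath.join("/etc/ssh", pattern)
    return sorted(p for p in fs if fnmatch.fnmatchcase(p, pattern))


def read_options(path, fs, seen=None):
    """Yield (keyword, value, source_path) in the order sshd would read them."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against an Include loop
        return
    seen.add(path)
    for lineno, raw in enumerate(fs.get(path, "").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if not m:
            raise ValueError(f"{path}:{lineno}: cannot parse {raw!r}")
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "include":
            for pattern in shlex.split(value):
                for included in _matches(pattern, fs):
                    yield from read_options(included, fs, seen)
        else:
            yield keyword, value, path


def effective_config(fs, main="/etc/ssh/sshd_config"):
    """Map keyword -> (value, source), keeping the first value obtained."""
    result = {}
    for keyword, value, source in read_options(main, fs):
        result.setdefault(keyword, (value, source))
    return result


def parse_sshd_T(output):
    """Parse `sshd -T` output (one `keyword value` per line, lower-case
    keywords; multi-valued keywords repeat) into keyword -> [values]."""
    config = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            config.setdefault(parts[0].lower(), []).append(parts[1])
    return config


# Constructed excerpt of what `sshd -T` might print on the test image.
SAMPLE_SSHD_T = (
    "usepam yes\ncompression no\n"
    "clientaliveinterval 15\nclientalivecountmax 4\n"
)


if __name__ == "__main__":
    for name, fs in (("include first", FS_INCLUDE_FIRST), ("main first", FS_MAIN_FIRST)):
        value, source = effective_config(fs)["usepam"]
        print(f"{name:13s}: UsePAM {value} (from {source})")
    print("sshd -T reports UsePAM", parse_sshd_T(SAMPLE_SSHD_T)["usepam"][0])
```

The second layout is the failure mode to watch for: the snippet is installed, packaged and read, yet `sshd -T` still reports `usepam no`, because the main file's own line came first. Repeating the `sshd -T` check whenever the oe-core sshd_config changes is therefore the meaningful test, not the presence of the file under /etc/ssh/sshd_config.d.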

Comments

Yi Zhao Aug. 4, 2025, 12:11 p.m. UTC | #1
On 7/31/25 04:43, Levi Shafter wrote:
> Config snippets should be used over file overrides since targeted
> changes may be required in multiple recipes.
>
> Since the oe-core sshd_config file now includes
> /etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet
> does not require the following:
>
> * ChallengeResponseAuthentication: Replaced by
>    KbdInteractiveAuthentication and set to "no" by default
>
> * Override default of no subsystems: This is already present
>
> * Compression, ClientAliveInterval, and ClientAliveCountMax: No changes
>    required due to identical requirements of meta-selinux
>
> Testing process:
>
> * Pulled modified meta-selinux layer into Poky and included openssh
>
> * Built core-image-sato and ran via qemu
>
> * Verified /etc/ssh was as expected with an ssh_config.d directory with
>    the new selinux config snippet inside
>
> * Verified system was including selinux config modification by running
>    sshd -T
>
> Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
> Signed-off-by: Levi Shafter <lshafter@21sw.us>
> ---
> Sponsor: 21SoftWare LLC
>
> v2: Install config snippet to sshd_config.d
> v1: https://lists.yoctoproject.org/g/yocto-patches/message/1818
>
>   .../openssh/files/sshd_config                 | 118 ------------------
>   .../files/sshd_config.d/50-selinux.conf       |  15 +++
>   .../openssh/openssh_selinux.inc               |  12 ++
>   3 files changed, 27 insertions(+), 118 deletions(-)
>   delete mode 100644 recipes-connectivity/openssh/files/sshd_config
>   create mode 100644 recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
>
> diff --git a/recipes-connectivity/openssh/files/sshd_config
> b/recipes-connectivity/openssh/files/sshd_config
> deleted file mode 100644
> index 1c33ad0..0000000
> --- a/recipes-connectivity/openssh/files/sshd_config
> +++ /dev/null
> @@ -1,118 +0,0 @@
> -#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
> -
> -# This is the sshd server system-wide configuration file.  See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented.  Uncommented options override the
> -# default value.
> -
> -#Port 22
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> -#ListenAddress ::
> -
> -#HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_ecdsa_key
> -#HostKey /etc/ssh/ssh_host_ed25519_key
> -
> -# Ciphers and keying
> -#RekeyLimit default none
> -
> -# Logging
> -#SyslogFacility AUTH
> -#LogLevel INFO
> -
> -# Authentication:
> -
> -#LoginGraceTime 2m
> -#PermitRootLogin prohibit-password
> -#StrictModes yes
> -#MaxAuthTries 6
> -#MaxSessions 10
> -
> -#PubkeyAuthentication yes
> -
> -# The default is to check both .ssh/authorized_keys and
> .ssh/authorized_keys2
> -# but this is overridden so installations will only check
> .ssh/authorized_keys
> -#AuthorizedKeysFile	.ssh/authorized_keys
> -
> -#AuthorizedPrincipalsFile none
> -
> -#AuthorizedKeysCommand none
> -#AuthorizedKeysCommandUser nobody
> -
> -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#HostbasedAuthentication no
> -# Change to yes if you don't trust ~/.ssh/known_hosts for
> -# HostbasedAuthentication
> -#IgnoreUserKnownHosts no
> -# Don't read the user's ~/.rhosts and ~/.shosts files
> -#IgnoreRhosts yes
> -
> -# To disable tunneled clear text passwords, change to no here!
> -#PasswordAuthentication yes
> -#PermitEmptyPasswords no
> -
> -# Change to yes to enable challenge-response passwords (beware issues with
> -# some PAM modules and threads)
> -ChallengeResponseAuthentication no
> -
> -# Kerberos options
> -#KerberosAuthentication no
> -#KerberosOrLocalPasswd yes
> -#KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
> -
> -# GSSAPI options
> -#GSSAPIAuthentication no
> -#GSSAPICleanupCredentials yes
> -
> -# Set this to 'yes' to enable PAM authentication, account processing,
> -# and session processing. If this is enabled, PAM authentication will
> -# be allowed through the ChallengeResponseAuthentication and
> -# PasswordAuthentication.  Depending on your PAM configuration,
> -# PAM authentication via ChallengeResponseAuthentication may bypass
> -# the setting of "PermitRootLogin without-password".
> -# If you just want the PAM account and session checks to run without
> -# PAM authentication, then enable this but set PasswordAuthentication
> -# and ChallengeResponseAuthentication to 'no'.
> -UsePAM yes
> -
> -#AllowAgentForwarding yes
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> -#X11Forwarding no
> -#X11DisplayOffset 10
> -#X11UseLocalhost yes
> -#PermitTTY yes
> -#PrintMotd yes
> -#PrintLastLog yes
> -#TCPKeepAlive yes
> -#UseLogin no
> -#PermitUserEnvironment no
> -Compression no
> -ClientAliveInterval 15
> -ClientAliveCountMax 4
> -#UseDNS no
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10:30:100
> -#PermitTunnel no
> -#ChrootDirectory none
> -#VersionAddendum none
> -
> -# no default banner path
> -#Banner none
> -
> -# override default of no subsystems
> -Subsystem	sftp	/usr/libexec/sftp-server
> -
> -# Example of overriding settings on a per-user basis
> -#Match User anoncvs
> -#	X11Forwarding no
> -#	AllowTcpForwarding no
> -#	PermitTTY no
> -#	ForceCommand cvs server
> diff --git
> a/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
> b/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
> new file mode 100644
> index 0000000..775a24d
> --- /dev/null
> +++ b/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf

There's no need to create a sshd_config.d subdirectory. Simply place 
50-selinux.conf in the files directory.

> @@ -0,0 +1,15 @@
> +# 50-selinux.conf
> +#
> +# SELinux-specific SSHD configuration overrides
> +# Managed by the meta-selinux layer in OpenEmbedded
> +
> +# Set this to 'yes' to enable PAM authentication, account processing,
> +# and session processing. If this is enabled, PAM authentication will
> +# be allowed through the ChallengeResponseAuthentication and
> +# PasswordAuthentication.  Depending on your PAM configuration,
> +# PAM authentication via ChallengeResponseAuthentication may bypass
> +# the setting of "PermitRootLogin without-password".
> +# If you just want the PAM account and session checks to run without
> +# PAM authentication, then enable this but set PasswordAuthentication
> +# and ChallengeResponseAuthentication to 'no'.
> +UsePAM yes
> diff --git a/recipes-connectivity/openssh/openssh_selinux.inc
> b/recipes-connectivity/openssh/openssh_selinux.inc
> index 07c25c5..259753d 100644
> --- a/recipes-connectivity/openssh/openssh_selinux.inc
> +++ b/recipes-connectivity/openssh/openssh_selinux.inc
> @@ -2,5 +2,17 @@ inherit enable-selinux enable-audit
>
>   FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
>
> +SRC_URI += " \
> +    file://50-selinux.conf \
> +"
> +
> +do_install:append() {
> +    install -d ${D}${sysconfdir}/ssh/sshd_config.d
> +    install -m 0644 ${WORKDIR}/sources-unpack/50-selinux.conf \
Use ${UNPACKDIR} instead of ${WORKDIR}/sources-unpack.

> +        ${D}${sysconfdir}/ssh/sshd_config.d/
> +}
> +
> +FILES:${PN} += "${sysconfdir}/ssh/sshd_config.d/50-selinux.conf"

This file should be packaged into ${PN}-sshd instead of ${PN}.


//Yi

> +
>   PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
>   PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit"

Patch

diff --git a/recipes-connectivity/openssh/files/sshd_config
b/recipes-connectivity/openssh/files/sshd_config
deleted file mode 100644
index 1c33ad0..0000000
--- a/recipes-connectivity/openssh/files/sshd_config
+++ /dev/null
@@ -1,118 +0,0 @@ 
-#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and
.ssh/authorized_keys2
-# but this is overridden so installations will only check
.ssh/authorized_keys
-#AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
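Review bot: deleting the whole override makes the layer's effective sshd settings depend on the oe-core sshd_config actually including /etc/ssh/sshd_config.d/*.conf, as the commit message states; with an older oe-core the new snippet is never read and `UsePAM yes` disappears silently, with no build-time error. Please state the minimum oe-core release this relies on in the commit message, or guard the change if the layer still claims compatibility with older releases. The message also asserts that `Compression no`, `ClientAliveInterval 15` and `ClientAliveCountMax 4` now match what oe-core ships; the `sshd -T` check in the test plan only confirms that for the build tested, so recording a diff of the deleted file against the current oe-core one would make the claim verifiable.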
diff --git
a/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
b/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
new file mode 100644
index 0000000..775a24d
--- /dev/null
+++ b/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
@@ -0,0 +1,15 @@ 
+# 50-selinux.conf
+#
+# SELinux-specific SSHD configuration overrides
+# Managed by the meta-selinux layer in OpenEmbedded
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
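Review bot: the nine-line comment above `UsePAM yes` is copied verbatim from the deleted upstream default file and still refers to ChallengeResponseAuthentication, which the commit message itself says has been replaced by KbdInteractiveAuthentication; a one-line comment stating why meta-selinux needs `UsePAM yes` would be accurate and avoids shipping a stale description. Also note that for UsePAM sshd keeps the first value it obtains, so this snippet only has an effect if the oe-core file includes sshd_config.d before any UsePAM line of its own; the `sshd -T` check in the test plan is the right way to confirm that and is worth repeating whenever oe-core's sshd_config changes.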
diff --git a/recipes-connectivity/openssh/openssh_selinux.inc
b/recipes-connectivity/openssh/openssh_selinux.inc
index 07c25c5..259753d 100644
--- a/recipes-connectivity/openssh/openssh_selinux.inc
+++ b/recipes-connectivity/openssh/openssh_selinux.inc
@@ -2,5 +2,17 @@  inherit enable-selinux enable-audit

 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

+SRC_URI += " \
+    file://50-selinux.conf \
+"
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/ssh/sshd_config.d
+    install -m 0644 ${WORKDIR}/sources-unpack/50-selinux.conf \
+        ${D}${sysconfdir}/ssh/sshd_config.d/
+}
+
+FILES:${PN} += "${sysconfdir}/ssh/sshd_config.d/50-selinux.conf"
+
 PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
 PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit"
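Review bot: `${WORKDIR}/sources-unpack/50-selinux.conf` hard-codes the unpack directory layout; use `${UNPACKDIR}/50-selinux.conf` as Yi Zhao suggests. The `FILES:${PN} +=` line packages a server-side snippet into the main package, whereas the sshd configuration belongs with the server package (`${PN}-sshd`); listing it under `CONFFILES:${PN}-sshd` as well would preserve local edits across package upgrades, as is usual for configuration files. Finally, SRC_URI references `file://50-selinux.conf` while the file is added under `files/sshd_config.d/`; the file:// fetcher resolves relative names against FILESPATH, so please double-check that lookup succeeds, and placing the file directly in `files/` (again as Yi suggests) removes the doubt entirely.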