Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/openssh/files/sshd.service.115
-rw-r--r--net-misc/openssh/files/sshd_at.service.18
-rw-r--r--net-misc/openssh/openssh-9.2_p1-r1.ebuild (renamed from net-misc/openssh/openssh-9.2_p1.ebuild)21
3 files changed, 35 insertions, 9 deletions
diff --git a/net-misc/openssh/files/sshd.service.1 b/net-misc/openssh/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
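Review bot: `Restart=on-failure` together with `RestartSec=42s` under `[Service]` puts no ceiling on how often a crashing sshd is brought back, which is the exposure the commit's own pkg_postinst text describes; systemd's default start-rate limit (5 starts in 10 s) cannot trigger with a 42 s delay, so a daemon that dies on every connection would be restarted indefinitely. Adding `StartLimitIntervalSec=` and `StartLimitBurst=` to the `[Unit]` section (for example `StartLimitIntervalSec=300` and `StartLimitBurst=5`, values to be tuned) keeps recovery from a one-off failure while letting a repeatedly-crashing service stop. A `#` comment above `Restart=on-failure` stating the rationale and pointing administrators at a `systemctl edit sshd.service` drop-in would also help, since the pkg_postinst warning tells users to set `Restart=no` "in your sshd unit file", and an edit to the packaged file is overwritten on the next install of this package whereas a drop-in survives it.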
diff --git a/net-misc/openssh/files/sshd_at.service.1 b/net-misc/openssh/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
diff --git a/net-misc/openssh/openssh-9.2_p1.ebuild b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
index 9fa1599bd620..8a348bd91862 100644
--- a/net-misc/openssh/openssh-9.2_p1.ebuild
+++ b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
@@ -1,7 +1,7 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
@@ -269,10 +269,6 @@ src_prepare() {
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@@ -282,8 +278,6 @@ src_prepare() {
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
@@ -443,8 +437,9 @@ src_install() {
dodir /etc/skel/.ssh
rmdir "${ED}"/var/empty || die
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+ systemd_dounit "${FILESDIR}"/sshd.socket
+ systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+ systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
}
pkg_preinst() {
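Review bot: The two new `systemd_newunit` calls quote their target names inconsistently: `sshd.service` is bare while `'sshd@.service'` is single-quoted on the following line, although neither contains a character that needs quoting. Quoting both the same way, e.g. `systemd_newunit "${FILESDIR}"/sshd.service.1 'sshd.service'`, keeps the pair visually parallel and makes it obvious that the `@` in the second name is literal rather than a shell construct. src_install's body starts outside the hunk.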
@@ -492,6 +487,14 @@ pkg_postinst() {
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
+ if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+ ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+ ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+ ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+ ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+ ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+ ewarn "set 'Restart=no' in your sshd unit file."
+ fi
done
if [[ -n ${show_ssl_warning} ]]; then