From 60203644766360ca04ac8a6c94b725bb2eaebc7e Mon Sep 17 00:00:00 2001 From: Patrick Meyer Date: Fri, 29 Apr 2022 19:08:49 +0000 Subject: [PATCH] Ports: Make openssh server not crash during startup Before, the openssh server tried to chroot. The startup always aborted after that, as our chroot stub currently simply returns -1. Luckily we can use unveil instead. Furthermore the missing ssh_host_ed25519_key also prevented the server from successfully starting. The previous ReadMe.md entry about socketpair missing was already resolved by #6705. --- Ports/openssh/ReadMe.md | 16 +++++++- Ports/openssh/package.sh | 3 ++ Ports/openssh/patches/unveil_privsep.patch | 46 ++++++++++++++++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 Ports/openssh/patches/unveil_privsep.patch diff --git a/Ports/openssh/ReadMe.md b/Ports/openssh/ReadMe.md index 3db1efbdc7..628e1f8ea3 100644 --- a/Ports/openssh/ReadMe.md +++ b/Ports/openssh/ReadMe.md @@ -5,4 +5,18 @@ - Assumes SSH2.0 for now. - Cannot determine compatibility flags. This means there may be some weird bugs when connecting to certain SSH implementations. -- SSHD does not work as it requires socketpair. It will start, but will crash on connection. + +# Autostart SSHD + +Add something like this to your sync-local.sh + +``` +cat <> mnt/etc/SystemServer.ini + +[SSHServer] +Executable=/usr/local/sbin/sshd +Arguments=-D +KeepAlive=1 +SystemModes=text,graphical +EOF +``` \ No newline at end of file diff --git a/Ports/openssh/package.sh b/Ports/openssh/package.sh index 0d9821a58f..b40278d4c9 100755 --- a/Ports/openssh/package.sh +++ b/Ports/openssh/package.sh 
@@ -30,5 +30,8 @@ install() {
 if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" ]; then
 ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" -C serenity -N "" -t ecdsa -b 521
 fi
+ if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" ]; then
+ ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" -C serenity -N "" -t ed25519
+ fi
 fi
 }
diff --git a/Ports/openssh/patches/unveil_privsep.patch b/Ports/openssh/patches/unveil_privsep.patch
new file mode 100644
index 0000000000..31cda9a4ae
--- /dev/null
+++ b/Ports/openssh/patches/unveil_privsep.patch
@@ -0,0 +1,46 @@
+diff --git a/sshd.c b/sshd.c
+index 6f8f11a..cdbc003 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -461,12 +461,9 @@ privsep_preauth_child(void)
+
+ /* Demote the child */
+ if (privsep_chroot) {
+- /* Change our root directory */
+- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+- strerror(errno));
+- if (chdir("/") == -1)
+- fatal("chdir(\"/\"): %s", strerror(errno));
++ /* Hide the whole filesystem */
++ if (unveil(NULL, NULL) < 0)
++ fatal("unveil(NULL, NULL): %s", strerror(errno));
+
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+@@ -1899,25 +1896,6 @@ main(int ac, char **av)
+ sshkey_type(key));
+ }
+
+- if (privsep_chroot) {
+- struct stat st;
+-
+- if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
+- (S_ISDIR(st.st_mode) == 0))
+- fatal("Missing privilege separation directory: %s",
+- _PATH_PRIVSEP_CHROOT_DIR);
+-
+-#ifdef HAVE_CYGWIN
+- if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
+- (st.st_uid != getuid () ||
+- (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+-#else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+-#endif
+- fatal("%s must be owned by root and not group or "
+- "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+- }
+-
+ if (test_flag > 1) {
+ /*
+ * If no connection info was provided by -C then use
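Review bot: The new branch writes the ed25519 host private key under `${SERENITY_INSTALL_ROOT}` at port-install time, so the key becomes part of the built image and every copy of that image presents the same host identity; the ecdsa branch just above it has the same property. If images are ever shared or reused across machines, generating host keys on first boot would avoid that, and it would also be worth confirming the image build preserves owner-only permissions on the private key file. At minimum I would add a comment such as `# Host keys are baked into the image at build time; regenerate them before exposing sshd beyond a test network.` The `install()` body starts outside this hunk.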
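Review bot: In the `privsep_preauth_child` hunk of the new patch, `unveil(NULL, NULL)` stays inside `if (privsep_chroot)`, although unlike chroot it presumably needs no root privilege; if that flag is cleared for a non-root sshd (its assignment is not visible here), the pre-auth child keeps full filesystem visibility where the call could have been made outside the guard. The comment `/* Hide the whole filesystem */` also leaves out what a maintainer needs to know: the call relies on a locked veil with no entries rejecting every later path lookup, and being path-based it should not affect descriptors opened before this point. I would extend it to something like `/* No working chroot on Serenity: lock an empty veil so no path resolves from here on; already-open fds are unaffected */`. The surrounding code compares syscall results with `== -1`, so `< 0` is a small style inconsistency. The function body continues outside the hunk.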