
Ports: Make openssh server not crash during startup

Before, the openssh server tried to chroot. The startup always aborted
after that, as our chroot stub currently simply returns -1. Luckily we
can use unveil instead.

Furthermore the missing ssh_host_ed25519_key also prevented the server
from successfully starting.

The previous ReadMe.md entry about socketpair missing was already
resolved by #6705.
Patrick Meyer 2022-04-29 19:08:49 +00:00 committed by Brian Gianforcaro
parent 9f3f3b0864
commit 6020364476
3 changed files with 64 additions and 1 deletions


@ -5,4 +5,18 @@
- Assumes SSH2.0 for now. - Assumes SSH2.0 for now.
- Cannot determine compatibility flags. - Cannot determine compatibility flags.
This means there may be some weird bugs when connecting to certain SSH implementations. This means there may be some weird bugs when connecting to certain SSH implementations.
- SSHD does not work as it requires socketpair. It will start, but will crash on connection.
# Autostart SSHD
Add something like this to your sync-local.sh
```
cat <<EOF >> mnt/etc/SystemServer.ini
[SSHServer]
Executable=/usr/local/sbin/sshd
Arguments=-D
KeepAlive=1
SystemModes=text,graphical
EOF
```


@ -30,5 +30,8 @@ install() {
if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" ]; then if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" ]; then
ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" -C serenity -N "" -t ecdsa -b 521 ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" -C serenity -N "" -t ecdsa -b 521
fi fi
if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" ]; then
ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" -C serenity -N "" -t ed25519
fi
fi fi
} }
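Review bot: The new ed25519 host key, like the ecdsa key above it, is generated at install time and written under `${SERENITY_INSTALL_ROOT}/etc/ssh`, so it presumably ends up inside the built disk image, and nothing in the script says so. Anyone who copies or publishes such an image hands out the server's private host key, and every system booted from it presents the same identity. I would add a comment above the key-generation blocks, for example `# Host keys are created at install time and stored in the image; regenerate them before sharing an image.` The enclosing `if` and the body of `install()` start outside the hunk, so the outer condition is not visible here.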


@ -0,0 +1,46 @@
diff --git a/sshd.c b/sshd.c
index 6f8f11a..cdbc003 100644
--- a/sshd.c
+++ b/sshd.c
@@ -461,12 +461,9 @@ privsep_preauth_child(void)
/* Demote the child */
if (privsep_chroot) {
- /* Change our root directory */
- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
- strerror(errno));
- if (chdir("/") == -1)
- fatal("chdir(\"/\"): %s", strerror(errno));
+ /* Hide the whole filesystem */
+ if (unveil(NULL, NULL) < 0)
+ fatal("unveil(NULL, NULL): %s", strerror(errno));
/* Drop our privileges */
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
@@ -1899,25 +1896,6 @@ main(int ac, char **av)
sshkey_type(key));
}
- if (privsep_chroot) {
- struct stat st;
-
- if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
- (S_ISDIR(st.st_mode) == 0))
- fatal("Missing privilege separation directory: %s",
- _PATH_PRIVSEP_CHROOT_DIR);
-
-#ifdef HAVE_CYGWIN
- if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
- (st.st_uid != getuid () ||
- (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
-#else
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
-#endif
- fatal("%s must be owned by root and not group or "
- "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
- }
-
if (test_flag > 1) {
/*
* If no connection info was provided by -C then use
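Review bot: The comment `/* Hide the whole filesystem */` on the added `unveil(NULL, NULL)` call in privsep_preauth_child() states an outcome that holds only if nothing was unveiled earlier in the process; as I understand unveil, the null/null call locks the veil rather than hiding anything by itself. A later port patch that unveils a path before this point would leave that path visible to the pre-auth child without this line changing. I would spell the assumption out, for example `/* Lock the veil with no paths unveiled: the child loses all path-based filesystem access (replaces chroot). */`. The old `chdir("/")` is dropped as well, so the child keeps its inherited working directory, which is probably harmless once the veil is locked but worth confirming. The function body starts and ends outside the hunk.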