From patchwork Thu Jun 11 09:14:04 2020
X-Patchwork-Submitter: Norbert Lange
X-Patchwork-Id: 1307388
X-Patchwork-Delegate: thomas.petazzoni@free-electrons.com
From: Norbert Lange
To: buildroot@buildroot.org
Cc: Norbert Lange, jeremy.rosen@smile.fr
Date: Thu, 11 Jun 2020 11:14:04 +0200
Message-Id: <20200611091407.12688-2-nolange79@gmail.com>
In-Reply-To: <20200611091407.12688-1-nolange79@gmail.com>
References: <20200611091407.12688-1-nolange79@gmail.com>
X-Mailer: git-send-email 2.26.2
Subject: [Buildroot] [PATCH v2 1/3] package/openssh: improve integration for systemd

The openssh daemon is not suited for systemd's simple service type.
Dependent services should only start when sshd is ready to accept
connections. A patch is added from Debian to allow openssh to communicate
this state.

Restarts are prevented if the reason is a faulty config file (error code 255).

The "user confinement directory" is changed to '/run/sshd', which is
automatically managed by systemd.

Signed-off-by: Norbert Lange
Reviewed-by: Jérémy ROSEN
---
 package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
 package/openssh/openssh.mk                 | 14 +++-
 package/openssh/sshd-sysusers.conf         |  2 +-
 package/openssh/sshd.service               | 13 +++-
 4 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 package/openssh/00-systemd-readiness.patch
diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch new file mode 100644 index 0000000000..be3b6b0074 --- /dev/null +++ b/package/openssh/00-systemd-readiness.patch 
@@ -0,0 +1,84 @@ +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 +From: Michael Biebl +Date: Mon, 21 Dec 2015 16:08:47 +0000 +Subject: Add systemd readiness notification support + +Bug-Debian: https://bugs.debian.org/778913 +Forwarded: no +Last-Update: 2017-08-22 + +Patch-Name: systemd-readiness.patch +--- + configure.ac | 24 ++++++++++++++++++++++++ + sshd.c | 9 +++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/configure.ac b/configure.ac +index e894db9fc..c119d6fd1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], + AC_SUBST([GSSLIBS]) + AC_SUBST([K5LIBS]) + ++# Check whether user wants systemd support ++SYSTEMD_MSG="no" ++AC_ARG_WITH(systemd, ++ [ --with-systemd Enable systemd support], ++ [ if test "x$withval" != "xno" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "$PKGCONFIG" != "no"; then ++ AC_MSG_CHECKING([for libsystemd]) ++ if $PKGCONFIG --exists libsystemd; then ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) ++ SYSTEMD_MSG="yes" ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ fi ] ++) ++ + # Looking for programs, paths and files + + PRIVSEP_PATH=/var/empty +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" + echo " Solaris project support: $SP_MSG" + echo " Solaris privilege support: $SPP_MSG" ++echo " systemd support: $SYSTEMD_MSG" + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" +diff --git a/sshd.c b/sshd.c +index 4e8ff0662..5e7679a33 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -85,6 +85,10 @@ + #include + #endif + ++#ifdef HAVE_SYSTEMD ++#include ++#endif ++ + #include 
"xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -1951,6 +1955,11 @@ main(int ac, char **av) + } + } + ++#ifdef HAVE_SYSTEMD ++ /* Signal systemd that we are ready to accept connections */ ++ sd_notify(0, "READY=1"); ++#endif ++ + /* Accept a connection and return in a forked child */ + server_accept_loop(&sock_in, &sock_out, + &newsock, config_s); diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk index 64ac22181b..3e0a85ae2e 100644 --- a/package/openssh/openssh.mk +++ b/package/openssh/openssh.mk @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ LD="$(TARGET_CC)" \ LDFLAGS="$(TARGET_CFLAGS)" \ LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` +OPENSSH_AUTORECONF = YES OPENSSH_CONF_OPTS = \ --sysconfdir=/etc/ssh \ --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ --disable-wtmpx \ --disable-strip +ifeq ($(BR2_PACKAGE_SYSTEMD),y) +OPENSSH_DEPENDENCIES = systemd + +OPENSSH_CONF_OPTS += \ + --with-privsep-path=/run/sshd \ + --with-pid-dir=/run \ + --with-systemd + +else + define OPENSSH_PERMISSIONS /var/empty d 755 root root - - - - - endef +endif ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) OPENSSH_CONF_OPTS += --without-pie @@ -74,7 +86,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS endef else define OPENSSH_USERS - sshd -1 sshd -1 * /var/empty - - SSH drop priv user + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user endef endif diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf index ac77aec065..303d0dbb63 100644 --- a/package/openssh/sshd-sysusers.conf +++ b/package/openssh/sshd-sysusers.conf @@ -1 +1 @@ -u sshd - "SSH drop priv user" /var/empty +u sshd - "SSH drop priv user" /run/sshd diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service index b5e96b3a25..715bd3f7eb 100644 --- a/package/openssh/sshd.service +++ b/package/openssh/sshd.service 
@@ -1,11 +1,20 @@ [Unit] Description=OpenSSH server daemon -After=syslog.target network.target auditd.service +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target auditd.service [Service] ExecStartPre=/usr/bin/ssh-keygen -A -ExecStart=/usr/sbin/sshd -D -e +ExecStartPre=/usr/sbin/sshd -t +ExecStart=/usr/sbin/sshd -D +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartPreventExitStatus=255 +Type=notify +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 [Install] WantedBy=multi-user.target
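Review bot: in the configure.ac hunk of 00-systemd-readiness.patch, an explicit --with-systemd whose libsystemd lookup fails falls through silently: the inner `else` branch only does `AC_MSG_RESULT([no])`, configure still succeeds, and HAVE_SYSTEMD is never defined. An sshd built that way never calls sd_notify(), so a unit with Type=notify (as added in sshd.service below) would sit in "activating" until systemd's start-up timeout kills it. openssh.mk only passes --with-systemd after adding systemd to OPENSSH_DEPENDENCIES, so the mismatch should not occur in a normal Buildroot build, but raising `AC_MSG_ERROR` when the option was explicitly requested and pkg-config cannot find libsystemd turns a boot-time hang into a build-time failure. In the sshd.c hunk, the `+#include` line guarded by HAVE_SYSTEMD shows no header name as rendered here; sd_notify() is declared in systemd/sd-daemon.h, so please confirm the file on disk carries that include. The placement of `sd_notify(0, "READY=1")` directly before server_accept_loop() is right: the listening sockets are already bound at that point, so "ready" really means connections are accepted.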
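Review bot: `OPENSSH_DEPENDENCIES = systemd` in the openssh.mk hunk is a plain assignment. If OPENSSH_DEPENDENCIES is already set earlier in the file (the OPENSSH_CONF_ENV lines just above the hunk link against openssl via pkg-config, so openssl is presumably declared there), this line replaces that list and openssh may be built before its other dependencies; `OPENSSH_DEPENDENCIES += systemd` keeps them. Two style points on the new patch file: the Buildroot manual asks for package patches to carry a four-digit sequence prefix (0001-<description>.patch rather than 00-systemd-readiness.patch) and a Signed-off-by line from the person adding the patch to Buildroot; the embedded Debian header has Bug-Debian/Forwarded/Last-Update tags but no Signed-off-by.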
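Review bot: the sshd.service hunk changes ExecStart from `sshd -D -e` to `sshd -D` without the commit message saying why. With `-e` sshd writes its log to stderr, which journald captures as the unit's output; without it sshd logs through syslog(3), which journald also collects from /dev/log, so dropping `-e` avoids every line appearing twice, but that intent should be stated in the commit message. The rest of the unit hangs together: `ExecStartPre=/usr/sbin/sshd -t` plus `RestartPreventExitStatus=255` means a broken sshd_config fails the start once (sshd exits 255 on a fatal configuration error, as the commit message notes) instead of looping under Restart=on-failure, and validating with `sshd -t` before the `kill -HUP` in ExecReload keeps a running daemon from reloading a config it would refuse. RuntimeDirectory=sshd with mode 0755 satisfies the privilege-separation directory requirements (root-owned, not group/world writable) that --with-privsep-path=/run/sshd in openssh.mk now relies on, and KillMode=process keeps established sessions alive across a restart of the unit.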