diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 073391ffdbbc..80659f19c597 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -264,8 +264,7 @@ in
 StandardInput = "socket";
 } else {
 Restart = "always";
- Type = "forking";
- PIDFile = "/run/sshd.pid";
+ Type = "simple";
 });
 };
@@ -322,8 +321,6 @@ in
 services.openssh.extraConfig = mkOrder 0 ''
- PidFile /run/sshd.pid
- Protocol 2
 UsePAM yes
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 390363b88e21..291544996889 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -35,6 +35,18 @@ in {
 ];
 };
+ server_lazy =
+ { config, pkgs, ... }:
+
+ {
+ services.openssh = { enable = true; startWhenNeeded = true; };
+ security.pam.services.sshd.limits =
+ [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ snakeOilPublicKey
+ ];
+ };
+
 client =
 { config, pkgs, ... }:
 { };
@@ -50,6 +62,8 @@ in {
 subtest "manual-authkey", sub {
 $server->succeed("mkdir -m 700 /root/.ssh");
 $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
+ $server_lazy->succeed("mkdir -m 700 /root/.ssh");
+ $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
 $client->succeed("mkdir -m 700 /root/.ssh");
 $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
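Review bot: `Type = "simple"` on the non-socket-activated branch is only correct if the ExecStart line, which lies outside this hunk, runs sshd in the foreground with `-D`; without it sshd daemonizes, systemd sees the main process exit, and `Restart = "always"` respawns it in a loop. The switch also gives up the readiness signal that `Type = "forking"` plus `PIDFile` provided, so the unit now reports active as soon as sshd is exec'd, before the listening socket is bound, and anything ordered `After=sshd.service` can no longer assume port 22 accepts connections. Upstream OpenSSH 7.4 has no sd_notify support as far as I know, so `Type = "notify"` is not available, but the trade-off deserves a line next to the change, e.g. `# simple: sshd must run with -D; the unit is 'active' before the listen socket is bound`. The serviceConfig attrset starts above the hunk.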
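Review bot: Removing `Protocol 2` and `PidFile` from the `mkOrder 0` base config leaves no explanation in the file, and neither removal is as neutral as it looks. In 7.4p1 `Protocol` is an ignored keyword because server-side SSHv1 was removed, so the line was harmless to keep and still documented the hardening intent for anyone overriding `services.openssh.package` with a different build; dropping `PidFile` does not stop sshd from writing a pid file, it only falls back to the compiled-in default path while the unit no longer reads it. A short comment at the top of the block would cover both, e.g. `# No Protocol/PidFile lines: 7.4 has no SSHv1, and the unit no longer reads a pid file`. The config string continues past the end of the hunk.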
@@ -58,6 +72,10 @@ in {
 $client->waitForUnit("network.target");
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024");
+
 };
 subtest "configured-authkey", sub {
@@ -66,6 +84,11 @@ in {
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
 " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
 " server true");
+
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
+ " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
+ " server_lazy true");
+
 };
 '';
 })
diff --git a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
deleted file mode 100644
index 665eff864530..000000000000
--- a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
+++ /dev/null
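Review bot: The first `ssh ... server_lazy` added here can race the server's boot: the hunk waits only for the client's `network.target`, the wait for `server`'s sshd appears to sit above the hunk, and nothing waits for `server_lazy`'s listening socket before connecting, so the test can fail with a refused connection on a slow runner. Add `$server_lazy->waitForUnit("sshd.socket");` (or whatever socket unit `startWhenNeeded` defines — check the module) before the new `$client->succeed` lines. The new assertions also never show that the server was started lazily rather than eagerly; a `$server_lazy->fail("systemctl is-active sshd.service");` (unit name to be confirmed against the module) before the first connection would pin that down. The subtest body begins above the hunk.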
@@ -1,37 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 50c7a0f..823668b 100644
---- a/kex.c
-+++ b/kex.c
-@@ -419,6 +419,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
- ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
- if ((r = sshpkt_get_end(ssh)) != 0)
- return r;
-+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
-+ return r;
- kex->done = 1;
- sshbuf_reset(kex->peer);
- /* sshbuf_reset(kex->my); */
-diff --git a/packet.c b/packet.c
-index d6dad2d..f96566b 100644
---- a/packet.c
-+++ b/packet.c
-@@ -38,7 +38,7 @@
- */
-
- #include "includes.h"
--
-+
- #include /* MIN roundup */
- #include
- #include "openbsd-compat/sys-queue.h"
-@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- return r;
- return SSH_ERR_PROTOCOL_ERROR;
- }
-- if (*typep == SSH2_MSG_NEWKEYS)
-- r = ssh_set_newkeys(ssh, MODE_IN);
-- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
-+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
- r = ssh_packet_enable_delayed_compress(ssh);
- else
- r = 0;
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 064f68947b80..1c66900c06b7 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -19,8 +19,10 @@ let
 # **please** update this patch when you update to a new openssh release.
 gssapiSrc = fetchpatch {
- url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db";
- sha256 = "1kcx2rw6z7y591vr60ww2m2civ0cx6f6awdpi66p1sric9b65si3";
+ name = "openssh-gssapi.patch";
+ url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian" + + "/patches/gssapi.patch?id=255b8554a50b5c75fca63f76b1ac837c0d4fb7aa";
+ sha256 = "0yg9iq7vb2fkvy36ar0jxk29pkw0h3dhv5vn8qncc3pgwx3617n2";
 };
 in
@@ -29,11 +31,11 @@ stdenv.mkDerivation rec {
 # Please ensure that openssh_with_kerberos still builds when
 # bumping the version here!
 name = "openssh-${version}";
- version = "7.3p1";
+ version = "7.4p1";
 src = fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
- sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
+ sha256 = "1l8r3x4fr2kb6xm95s7kjdif1wp6f94d4kljh4qjj9109shw87qv";
 };
 prePatch = optionalString hpnSupport
@@ -44,13 +46,11 @@ stdenv.mkDerivation rec {
 patches = [
- ./RH-1380296-NEWKEYS-null-pointer-deref.patch
 ./locale_archive.patch
 ./fix-host-key-algorithms-plus.patch
 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
 ./dont_create_privsep_path.patch
- ./fix-CVE-2016-8858.patch
 ] ++ optional withGssapiPatches gssapiSrc;
diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
deleted file mode 100644
index e526161083c0..000000000000
--- a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -u -r1.126 -r1.127
---- ssh/kex.c 2016/09/28 21:44:52 1.126
-+++ ssh/kex.c 2016/10/10 19:28:48 1.127
-@@ -461,6 +461,7 @@
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
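Review bot: The two entries dropped from `patches` are security fixes — the out-of-sequence NEWKEYS NULL dereference (RH-1380296) and the repeated-KEXINIT memory exhaustion (CVE-2016-8858) — and nothing in the diff records that 7.4p1 already contains both; as far as I can tell both are listed in the 7.4 release notes, but whoever bisects a later regression should not have to rediscover that. A short comment in the list, e.g. `# RH-1380296 and CVE-2016-8858 fixes are upstream as of 7.4p1`, or a sentence in the commit message, would do. Separately, `prePatch = optionalString hpnSupport` in the preceding hunk references an HPN patch that is outside this diff, and HPN patches are tied to a specific release, so confirm the hpn variant still builds at 7.4p1 before merging.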