Ports: Make openssh server not crash during startup

Before, the openssh server tried to chroot. The startup always aborted after that, as our chroot stub currently simply returns -1. Luckily we can use unveil instead. Furthermore the missing ssh_host_ed25519_key also prevented the server from successfully starting. The previous ReadMe.md entry about socketpair missing was already resolved by #6705.
Author: https://github.com/HerrSpace Commit: https://github.com/SerenityOS/serenity/commit/6020364476 Pull-request: https://github.com/SerenityOS/serenity/pull/13846
2024-12-04 05:20:30 +00:00 · 2022-04-29 19:08:49 +00:00 · 2022-04-29 19:08:49 +00:00 · 6020364476 · 2024-07-18 05:01:22 +09:00
commit 6020364476
parent 9f3f3b0864
3 changed files with 64 additions and 1 deletions
--- a/Ports/openssh/ReadMe.md
+++ b/Ports/openssh/ReadMe.md
@ -5,4 +5,18 @@
 - Assumes SSH2.0 for now.
 - Cannot determine compatibility flags.
  This means there may be some weird bugs when connecting to certain SSH implementations.
- SSHD does not work as it requires socketpair. It will start, but will crash on connection.
+
+# Autostart SSHD
+
+Add something like this to your sync-local.sh
+
+```
+cat <<EOF >> mnt/etc/SystemServer.ini
+
+[SSHServer]
+Executable=/usr/local/sbin/sshd
+Arguments=-D
+KeepAlive=1
+SystemModes=text,graphical
+EOF
+```
--- a/Ports/openssh/package.sh
+++ b/Ports/openssh/package.sh
@ -30,5 +30,8 @@ install() {
        if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" ]; then
            ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ecdsa_key" -C serenity -N "" -t ecdsa -b 521
        fi
+        if [ ! -e "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" ]; then
+            ssh-keygen -f "${SERENITY_INSTALL_ROOT}/etc/ssh/ssh_host_ed25519_key" -C serenity -N "" -t ed25519
+        fi
    fi
 }
--- a/Ports/openssh/patches/unveil_privsep.patch
+++ b/Ports/openssh/patches/unveil_privsep.patch
@ -0,0 +1,46 @@
+diff --git a/sshd.c b/sshd.c
+index 6f8f11a..cdbc003 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -461,12 +461,9 @@ privsep_preauth_child(void)
+ 
+ 	/* Demote the child */
+ 	if (privsep_chroot) {
+-		/* Change our root directory */
+-		if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+-			fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+-			    strerror(errno));
+-		if (chdir("/") == -1)
+-			fatal("chdir(\"/\"): %s", strerror(errno));
+		/* Hide the whole filesystem */
+		if (unveil(NULL, NULL) < 0)
+			fatal("unveil(NULL, NULL): %s", strerror(errno));
+ 
+ 		/* Drop our privileges */
+ 		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+@@ -1899,25 +1896,6 @@ main(int ac, char **av)
+ 		    sshkey_type(key));
+ 	}
+ 
+-	if (privsep_chroot) {
+-		struct stat st;
+-
+-		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
+-		    (S_ISDIR(st.st_mode) == 0))
+-			fatal("Missing privilege separation directory: %s",
+-			    _PATH_PRIVSEP_CHROOT_DIR);
+-
+-#ifdef HAVE_CYGWIN
+-		if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
+-		    (st.st_uid != getuid () ||
+-		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+-#else
+-		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+-#endif
+-			fatal("%s must be owned by root and not group or "
+-			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+-	}
+-
+ 	if (test_flag > 1) {
+ 		/*
+ 		 * If no connection info was provided by -C then use