Github messages for voidlinux
* [PR PATCH] openssh: use sshd_config.d for customisation
@ 2023-08-18 13:09 sgn
  2023-08-18 13:35 ` [PR REVIEW] " ahesford
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: sgn @ 2023-08-18 13:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]

There is a new pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages openssh-sshd-config
https://github.com/void-linux/void-packages/pull/45655

openssh: use sshd_config.d for customisation

#### Testing the changes
- I tested the changes in this PR: **YES**



A patch file from https://github.com/void-linux/void-packages/pull/45655.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-openssh-sshd-config-45655.patch --]
[-- Type: text/x-diff, Size: 3117 bytes --]

From 549697725012ccd368ff8f67aa63f2a36327a7a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Fri, 18 Aug 2023 20:07:21 +0700
Subject: [PATCH] openssh: use sshd_config.d for customisation

---
 srcpkgs/openssh/patches/sshd_config.patch | 37 +++++++++++++++++++++++
 srcpkgs/openssh/template                  | 12 +++-----
 2 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 srcpkgs/openssh/patches/sshd_config.patch

diff --git a/srcpkgs/openssh/patches/sshd_config.patch b/srcpkgs/openssh/patches/sshd_config.patch
new file mode 100644
index 0000000000000..4be59e843bebc
--- /dev/null
+++ b/srcpkgs/openssh/patches/sshd_config.patch
@@ -0,0 +1,37 @@
+--- a/sshd_config
++++ b/sshd_config
+@@ -9,6 +9,7 @@
+ # OpenSSH is to specify options with their default value where
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
++Include /etc/ssh/sshd_config.d/*.conf
+ 
+ #Port 22
+ #AddressFamily any
+@@ -58,7 +59,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+-#KbdInteractiveAuthentication yes
++KbdInteractiveAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -79,7 +80,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+@@ -88,7 +89,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
++PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
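
Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` line in the first inner hunk is attached directly to the end of the upstream comment paragraph ("Uncommented options override the default value.") with nothing explaining why it sits at the top of the file. sshd uses the first value it obtains for each keyword, so this placement is what lets a drop-in take precedence over the `KbdInteractiveAuthentication no`, `UsePAM yes` and `PrintMotd no` lines set further down. A blank line plus a short comment saying so would keep a later edit from moving the Include to the end of the file, where it could no longer override those three.
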
diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index a5c920fb10b2e..c92949cf91735 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -1,7 +1,7 @@
 # Template file for 'openssh'
 pkgname=openssh
 version=9.3p2
-revision=2
+revision=3
 build_style=gnu-configure
 configure_args="--datadir=/usr/share/openssh
  --sysconfdir=/etc/ssh --without-selinux --with-privsep-user=nobody
@@ -27,7 +27,9 @@ homepage="https://www.openssh.com"
 distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${version}.tar.gz"
 checksum=200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
-make_dirs="/var/chroot/ssh 0755 root root"
+make_dirs="
+ /var/chroot/ssh 0755 root root
+ /etc/ssh/sshd_config.d 0755 root root"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"
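
Review bot: `conf_files` on the context line above `make_dirs` still lists `/etc/ssh/sshd_config`, so on a system where that file was edited locally the administrator's copy is preserved on upgrade and does not gain the `Include` line; the new `/etc/ssh/sshd_config.d` directory exists there, but nothing placed in it is read. Consider an INSTALL.msg telling administrators to merge `Include /etc/ssh/sshd_config.d/*.conf` into a preserved `sshd_config`. The `0755 root root` mode itself is appropriate, since files in this directory can override authentication settings.
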
@@ -65,12 +67,6 @@ post_install() {
 	vman contrib/ssh-copy-id.1
 	vlicense LICENCE
 
-	# configure to use PAM
-	vsed -i ${DESTDIR}/etc/ssh/sshd_config \
-		-e 's|^#\(UsePAM\) no|\1 yes|g' \
-		-e 's|^#\(KbdInteractiveAuthentication\) yes|\1 no|g' \
-		-e 's|^#\(PrintMotd\) yes|\1 no|g'
-
 	vinstall ${FILESDIR}/sshd.pam 644 etc/pam.d sshd
 	vsv sshd
 }
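
Review bot: The commit has a subject but no body, and this hunk in post_install() is where that is most noticeable: dropping the `vsed` block moves the `UsePAM yes`, `KbdInteractiveAuthentication no` and `PrintMotd no` defaults out of the template and into sshd_config.patch. A sentence in the commit message stating that the three settings are now carried by the patch, with unchanged values, would make the intent clear to whoever next updates the package.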


* Re: [PR REVIEW] openssh: use sshd_config.d for customisation
  2023-08-18 13:09 [PR PATCH] openssh: use sshd_config.d for customisation sgn
@ 2023-08-18 13:35 ` ahesford
  2023-08-18 14:40 ` [PR PATCH] [Updated] " sgn
  2023-08-22 12:39 ` [PR PATCH] [Merged]: " leahneukirchen
  2 siblings, 0 replies; 4+ messages in thread
From: ahesford @ 2023-08-18 13:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 386 bytes --]

New review comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/45655#discussion_r1298459852

Comment:
```suggestion

# To avoid conflicts with the packaged configuration, specify custom options
# in drop-in files under /etc/ssh/sshd_config.d to override any defaults or
# options set below.
+Include /etc/ssh/sshd_config.d/*.conf
```


* Re: [PR PATCH] [Updated] openssh: use sshd_config.d for customisation
  2023-08-18 13:09 [PR PATCH] openssh: use sshd_config.d for customisation sgn
  2023-08-18 13:35 ` [PR REVIEW] " ahesford
@ 2023-08-18 14:40 ` sgn
  2023-08-22 12:39 ` [PR PATCH] [Merged]: " leahneukirchen
  2 siblings, 0 replies; 4+ messages in thread
From: sgn @ 2023-08-18 14:40 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1265 bytes --]

There is an updated pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages openssh-sshd-config
https://github.com/void-linux/void-packages/pull/45655

openssh: use sshd_config.d for customisation

#### Testing the changes
- I tested the changes in this PR: **YES**



A patch file from https://github.com/void-linux/void-packages/pull/45655.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-openssh-sshd-config-45655.patch --]
[-- Type: text/x-diff, Size: 5799 bytes --]

From fb668d6d25040c681c16e5987e7cf2cc379e863a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Fri, 18 Aug 2023 20:07:21 +0700
Subject: [PATCH] openssh: use sshd_config.d for customisation

---
 srcpkgs/openssh/patches/config.patch          | 14 +++----
 srcpkgs/openssh/patches/ssh-musl-gssapi.patch |  4 +-
 srcpkgs/openssh/patches/sshd_config.patch     | 41 +++++++++++++++++++
 srcpkgs/openssh/patches/time_t-32-bit.patch   |  6 +--
 srcpkgs/openssh/template                      | 12 ++----
 5 files changed, 57 insertions(+), 20 deletions(-)
 create mode 100644 srcpkgs/openssh/patches/sshd_config.patch

diff --git a/srcpkgs/openssh/patches/config.patch b/srcpkgs/openssh/patches/config.patch
index abe054396261e..3375ba576d2e5 100644
--- a/srcpkgs/openssh/patches/config.patch
+++ b/srcpkgs/openssh/patches/config.patch
@@ -1,23 +1,23 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -184,6 +184,7 @@
- 	OSSH_CHECK_CFLAG_COMPILE([-Wall])
+@@ -198,6 +198,7 @@ if test "$GCC" = "yes" || test "$GCC" =
+ 	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
  	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
  	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
 +	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-function-declaration])
  	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
  	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
  	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
-@@ -1761,8 +1760,6 @@
+@@ -1973,8 +1974,6 @@ AC_CHECK_FUNCS([ \
  	strcasestr \
  	strdup \
  	strerror \
 -	strlcat \
 -	strlcpy \
  	strmode \
+ 	strndup \
  	strnlen \
- 	strnvis \
-@@ -1785,6 +1781,13 @@
+@@ -2001,6 +2000,13 @@ AC_CHECK_FUNCS([ \
  	waitpid \
  	warn \
  ])
@@ -29,5 +29,5 @@
 +], [], [], [[#include <string.h>]])
 +AC_CHECK_DECLS([reallocarray], [], [], [[#include <stdlib.h>]])
  
- dnl Wide character support.
- AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
+ AC_CHECK_DECLS([bzero, memmem])
+ 
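
Review bot: The changes to config.patch here, and the header and offset refreshes to ssh-musl-gssapi.patch and time_t-32-bit.patch further down, are unrelated to the subject "use sshd_config.d for customisation", and the commit message has no body that mentions them. Either split the patch refresh into its own commit or add a line to the message explaining why the existing patches were regenerated.
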
diff --git a/srcpkgs/openssh/patches/ssh-musl-gssapi.patch b/srcpkgs/openssh/patches/ssh-musl-gssapi.patch
index a0ac6dceb08f2..2a3947c170fe0 100644
--- a/srcpkgs/openssh/patches/ssh-musl-gssapi.patch
+++ b/srcpkgs/openssh/patches/ssh-musl-gssapi.patch
@@ -1,5 +1,5 @@
---- a/gss-serv.c	2022-10-03 16:51:42.000000000 +0200
-+++ b/gss-serv.c	2022-11-09 13:28:59.124968270 +0100
+--- a/gss-serv.c
++++ b/gss-serv.c
 @@ -33,6 +33,7 @@
  #include <stdarg.h>
  #include <string.h>
diff --git a/srcpkgs/openssh/patches/sshd_config.patch b/srcpkgs/openssh/patches/sshd_config.patch
new file mode 100644
index 0000000000000..aa87fdc677bde
--- /dev/null
+++ b/srcpkgs/openssh/patches/sshd_config.patch
@@ -0,0 +1,41 @@
+--- a/sshd_config
++++ b/sshd_config
+@@ -10,6 +10,11 @@
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
+ 
++# To avoid conflicts with the packaged configuration, specify custom options
++# in drop-in files under /etc/ssh/sshd_config.d to override any defaults or
++# options set below.
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -58,7 +63,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+-#KbdInteractiveAuthentication yes
++KbdInteractiveAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -79,7 +84,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+@@ -88,7 +93,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
++PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
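
Review bot: The new comment above `Include /etc/ssh/sshd_config.d/*.conf` says drop-ins override the options set below, but it does not say how drop-ins rank against each other. sshd expands the glob in lexical order and keeps the first value it obtains for each keyword, so the lowest-sorting file wins, which is the reverse of the last-one-wins convention many `.d` directories follow. One more comment line stating that would help prevent a hardening drop-in from being shadowed by a file that sorts earlier.
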
diff --git a/srcpkgs/openssh/patches/time_t-32-bit.patch b/srcpkgs/openssh/patches/time_t-32-bit.patch
index 8c11f3714ec68..f70e260ac98ff 100644
--- a/srcpkgs/openssh/patches/time_t-32-bit.patch
+++ b/srcpkgs/openssh/patches/time_t-32-bit.patch
@@ -1,6 +1,6 @@
---- openssh-9.2p1.orig/channels.c
-+++ openssh-9.2p1/channels.c
-@@ -2558,7 +2558,7 @@ channel_handler(struct ssh *ssh, int tab
+--- a/channels.c
++++ b/channels.c
+@@ -2566,7 +2566,7 @@ channel_handler(struct ssh *ssh, int tab
  			if (table == CHAN_PRE &&
  			    c->type == SSH_CHANNEL_OPEN &&
  			    c->inactive_deadline != 0 && c->lastused != 0 &&
diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index a5c920fb10b2e..c92949cf91735 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -1,7 +1,7 @@
 # Template file for 'openssh'
 pkgname=openssh
 version=9.3p2
-revision=2
+revision=3
 build_style=gnu-configure
 configure_args="--datadir=/usr/share/openssh
  --sysconfdir=/etc/ssh --without-selinux --with-privsep-user=nobody
@@ -27,7 +27,9 @@ homepage="https://www.openssh.com"
 distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${version}.tar.gz"
 checksum=200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
-make_dirs="/var/chroot/ssh 0755 root root"
+make_dirs="
+ /var/chroot/ssh 0755 root root
+ /etc/ssh/sshd_config.d 0755 root root"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"
@@ -65,12 +67,6 @@ post_install() {
 	vman contrib/ssh-copy-id.1
 	vlicense LICENCE
 
-	# configure to use PAM
-	vsed -i ${DESTDIR}/etc/ssh/sshd_config \
-		-e 's|^#\(UsePAM\) no|\1 yes|g' \
-		-e 's|^#\(KbdInteractiveAuthentication\) yes|\1 no|g' \
-		-e 's|^#\(PrintMotd\) yes|\1 no|g'
-
 	vinstall ${FILESDIR}/sshd.pam 644 etc/pam.d sshd
 	vsv sshd
 }


* Re: [PR PATCH] [Merged]: openssh: use sshd_config.d for customisation
  2023-08-18 13:09 [PR PATCH] openssh: use sshd_config.d for customisation sgn
  2023-08-18 13:35 ` [PR REVIEW] " ahesford
  2023-08-18 14:40 ` [PR PATCH] [Updated] " sgn
@ 2023-08-22 12:39 ` leahneukirchen
  2 siblings, 0 replies; 4+ messages in thread
From: leahneukirchen @ 2023-08-22 12:39 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1105 bytes --]

There's a merged pull request on the void-packages repository

openssh: use sshd_config.d for customisation
https://github.com/void-linux/void-packages/pull/45655

Description:

#### Testing the changes
- I tested the changes in this PR: **YES**


