Upgrade openssh (#26)

* refactor(openssh): update version

* refactor(openssh): update own patches

* refactor(openssh): update alpine patches

* refactor(openssh): fix realpath function

update patch

* refactor(openssh): split patches by vendor

* docs(patches): document used patches

* fix typo

Dockerfile

@@ -3,7 +3,7 @@ MAINTAINER Erik Osterman "[email protected]"
 
 USER root
 
-ARG OPENSSH_VERSION=V_7_4_P1
+ARG OPENSSH_VERSION=V_7_8_P1
 
 RUN apk --update add linux-pam libssl1.0 shadow ca-certificates openssl && \
     update-ca-certificates && \
@@ -35,7 +35,7 @@ RUN apk --update add --virtual .build-deps build-base automake autoconf libtool
     ( git clone https://github.com/openssh/openssh-portable.git /usr/src/openssh && \
       cd /usr/src/openssh && \
       git checkout ${OPENSSH_VERSION} && \
-      find ../patches/openssh -type f -exec patch -p1 -i {} \; && \
+      find ../patches/openssh/** -type f -exec patch -p1 -i {} \; && \
       autoreconf && \
       ./configure \
           --prefix=/usr \

patches/README.md

@@ -0,0 +1,18 @@
+# OpenSSH patches
+
+OpenSSH will not compile out-of-the-box on alpine. For this reason, we use the official patches found here:
+
+- [https://git.alpinelinux.org/cgit/aports/tree/main/openssh](https://git.alpinelinux.org/cgit/aports/tree/main/openssh)
+
+We also add a couple of our own patches. 
+
+One patch ensures we have `SSH_ORIGINAL_COMMAND` available during pam auth so we can send slack notifications.  
+[original-command.diff](openssh/cloudposse/original-command.diff)
+
+The other patch obscures the version of OpenSSH. We use this to hide the SSH version so it's not announced to port-scanners.  
+[obfuscate-version.diff](openssh/cloudposse/obfuscate-version.diff)
+
+Also we modified one alpine patch related to realpath, because it is outdated.  
+[bsd-compatible-realpath.diff](openssh/cloudposse/bsd-compatible-realpath.diff)
+
+When upgrading version of OpenSSH, the patches might need to be regenerated.

patches/openssh/alpine/disable-forwarding-by-default.diff

@@ -0,0 +1,16 @@
+--- openssh-7.7p1/sshd_config.old	2018-04-02 00:38:28.000000000 -0500
++++ openssh-7.7p1/sshd_config	2018-07-29 03:08:16.340000000 -0500
+@@ -82,9 +82,10 @@
+ #UsePAM no
+
+ #AllowAgentForwarding yes
+-#AllowTcpForwarding yes
+-#GatewayPorts no
+-#X11Forwarding no
++# Feel free to re-enable these if your use case requires them.
++AllowTcpForwarding no
++GatewayPorts no
++X11Forwarding no
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes

patches/openssh/openssh6.5-peaktput.diff → patches/openssh/alpine/openssh7.4-peaktput.diff

@@ -1,8 +1,6 @@
-diff --git a/progressmeter.c b/progressmeter.c
-index bbbc706..02e5d6d 100644
 --- a/progressmeter.c
 +++ b/progressmeter.c
-@@ -69,6 +69,8 @@ static char *file;		/* name of the file being transferred */
+@@ -69,6 +69,8 @@
  static off_t start_pos;		/* initial position of transfer */
  static off_t end_pos;		/* ending position of transfer */
  static off_t cur_pos;		/* transfer position as of last refresh */
@@ -11,25 +9,25 @@ index bbbc706..02e5d6d 100644
  static volatile off_t *counter;	/* progress counter */
  static long stalled;		/* how long we have been stalled */
  static int bytes_per_second;	/* current speed in bytes per second */
-@@ -129,12 +131,17 @@ refresh_progress_meter(void)
+@@ -128,12 +130,17 @@
  	int hours, minutes, seconds;
  	int i, len;
  	int file_len;
 +	off_t delta_pos;
 
  	transferred = *counter - (cur_pos ? cur_pos : start_pos);
  	cur_pos = *counter;
- 	now = monotime();
+ 	now = monotime_double();
  	bytes_left = end_pos - cur_pos;
 
 +	delta_pos = cur_pos - last_pos;
-+	if (delta_pos > max_delta_pos) 
++	if (delta_pos > max_delta_pos)
 +		max_delta_pos = delta_pos;
 +
  	if (bytes_left > 0)
  		elapsed = now - last_update;
  	else {
-@@ -159,7 +166,7 @@ refresh_progress_meter(void)
+@@ -158,7 +165,7 @@
 
  	/* filename */
  	buf[0] = '\0';
@@ -38,7 +36,7 @@ index bbbc706..02e5d6d 100644
  	if (file_len > 0) {
  		len = snprintf(buf, file_len + 1, "\r%s", file);
  		if (len < 0)
-@@ -189,6 +196,15 @@ refresh_progress_meter(void)
+@@ -188,6 +195,15 @@
  	    (off_t)bytes_per_second);
  	strlcat(buf, "/s ", win_size);
 
@@ -54,7 +52,7 @@ index bbbc706..02e5d6d 100644
  	/* ETA */
  	if (!transferred)
  		stalled += elapsed;
-@@ -225,6 +241,7 @@ refresh_progress_meter(void)
+@@ -224,6 +240,7 @@
 
  	atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
  	last_update = now;

patches/openssh/cloudposse/bsd-compatible-realpath.diff

@@ -0,0 +1,197 @@
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -80,17 +80,7 @@ void *reallocarray(void *, size_t, size_t);
+ void *recallocarray(void *, size_t, size_t, size_t);
+ #endif
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+-/*
+- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
+- * compat version.
+- */
+-# ifdef BROKEN_REALPATH
+-#  define realpath(x, y) _ssh_compat_realpath(x, y)
+-# endif
+-
+-char *realpath(const char *path, char *resolved);
+-#endif
++char *ssh_realpath(const char *path, char *resolved);
+
+ #ifndef HAVE_RRESVPORT_AF
+ int rresvport_af(int *alport, sa_family_t af);
+diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
+index a2f090e5..979e3a8e 100644
+--- a/openbsd-compat/realpath.c
++++ b/openbsd-compat/realpath.c
+@@ -31,7 +31,7 @@
+
+ #include "includes.h"
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
++#if 1
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -58,7 +58,7 @@
+  * in which case the path which caused trouble is left in (resolved).
+  */
+ char *
+-realpath(const char *path, char *resolved)
++ssh_realpath(const char *path, char *resolved)
+ {
+        struct stat sb;
+        char *p, *q, *s;
+diff --git a/sftp-server.c b/sftp-server.c
+index ab1b063f..2e06b384 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1158,7 +1158,7 @@ process_realpath(u_int32_t id)
+        }
+        debug3("request %u: realpath", id);
+        verbose("realpath \"%s\"", path);
+-       if (realpath(path, resolvedname) == NULL) {
++       if (ssh_realpath(path, resolvedname) == NULL) {
+
+Aliaksandr_Babai@EPBYGROW0276 MINGW64 ~/workspace/openssh-portable (master)
+$ git diff
+diff --git a/configure.ac b/configure.ac
+index 83e53075..80e71183 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2029,7 +2029,7 @@ AC_CHECK_FUNCS([setresgid], [
+        )
+ ])
+
+-AC_CHECK_FUNCS([realpath], [
++AC_CHECK_FUNCS([ssh_realpath], [
+        dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given
+        dnl path name", however some implementations of realpath (and some
+        dnl versions of the POSIX spec) do not work on non-existent files,
+@@ -2042,7 +2042,7 @@ AC_CHECK_FUNCS([realpath], [
+ #include <errno.h>
+                ]], [[
+                char buf[PATH_MAX];
+-               if (realpath("/opensshnonexistentfilename1234", buf) == NULL)
++               if (ssh_realpath("/opensshnonexistentfilename1234", buf) == NULL)
+                        if (errno == ENOENT)
+                                exit(1);
+                exit(0);
+diff --git a/misc.c b/misc.c
+index ae4d29b8..edd4226a 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1770,7 +1770,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+        int comparehome = 0;
+        struct stat st;
+
+-       if (realpath(name, buf) == NULL) {
++       if (ssh_realpath(name, buf) == NULL) {
+                snprintf(err, errlen, "realpath %s failed: %s", name,
+                    strerror(errno));
+                return -1;
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -80,17 +80,7 @@ void *reallocarray(void *, size_t, size_t);
+ void *recallocarray(void *, size_t, size_t, size_t);
+ #endif
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+-/*
+- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
+- * compat version.
+- */
+-# ifdef BROKEN_REALPATH
+-#  define realpath(x, y) _ssh_compat_realpath(x, y)
+-# endif
+-
+-char *realpath(const char *path, char *resolved);
+-#endif
++char *ssh_realpath(const char *path, char *resolved);
+
+ #ifndef HAVE_RRESVPORT_AF
+ int rresvport_af(int *alport, sa_family_t af);
+diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
+index a2f090e5..453540a5 100644
+--- a/openbsd-compat/realpath.c
++++ b/openbsd-compat/realpath.c
+@@ -31,7 +31,7 @@
+
+ #include "includes.h"
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
++#if 1
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -51,14 +51,14 @@
+ /* A slightly modified copy of this file exists in libexec/ld.so */
+
+ /*
+- * char *realpath(const char *path, char resolved[PATH_MAX]);
++ * char *ssh_realpath(const char *path, char resolved[PATH_MAX]);
+  *
+  * Find the real name of path, by removing all ".", ".." and symlink
+  * components.  Returns (resolved) on success, or (NULL) on failure,
+  * in which case the path which caused trouble is left in (resolved).
+  */
+ char *
+-realpath(const char *path, char *resolved)
++ssh_realpath(const char *path, char *resolved)
+ {
+        struct stat sb;
+        char *p, *q, *s;
+diff --git a/regress/check-perm.c b/regress/check-perm.c
+index dac307d2..eb6a006e 100644
+--- a/regress/check-perm.c
++++ b/regress/check-perm.c
+@@ -99,7 +99,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+        int comparehome = 0;
+        struct stat st;
+
+-       if (realpath(name, buf) == NULL) {
++       if (ssh_realpath(name, buf) == NULL) {
+                snprintf(err, errlen, "realpath %s failed: %s", name,
+                    strerror(errno));
+                return -1;
+diff --git a/sftp-server.c b/sftp-server.c
+index ab1b063f..2e06b384 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1158,7 +1158,7 @@ process_realpath(u_int32_t id)
+        }
+        debug3("request %u: realpath", id);
+        verbose("realpath \"%s\"", path);
+-       if (realpath(path, resolvedname) == NULL) {
++       if (ssh_realpath(path, resolvedname) == NULL) {
+                send_status(id, errno_to_portable(errno));
+        } else {
+                Stat s;
+diff --git a/ssh-agent.c b/ssh-agent.c
+index d8a8260f..6050ff1a 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -585,7 +585,7 @@ process_add_smartcard_key(SocketEntry *e)
+                        goto send;
+                }
+        }
+-       if (realpath(provider, canonical_provider) == NULL) {
++       if (ssh_realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+                goto send;
+@@ -638,7 +638,7 @@ process_remove_smartcard_key(SocketEntry *e)
+        }
+        free(pin);
+
+-       if (realpath(provider, canonical_provider) == NULL) {
++       if (ssh_realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+                goto send;

patches/openssh/cloudposse/obfuscate-version.diff

@@ -0,0 +1,12 @@
+diff --git a/version.h b/version.h
+index f1bbf00f..502661dc 100644
+--- a/version.h
++++ b/version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.82 2018/07/03 11:42:12 djm Exp $ */
+
+-#define SSH_VERSION    "OpenSSH_7.8"
++#define SSH_VERSION    "SERVER"
+
+ #define SSH_PORTABLE   "p1"
+ #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE