copy an sshd helper to the rescue ramdisk
... which is necessary since RHEL 9.8. Resolves: RHEL-146037
parent 06a8bd7941
commit 5a159383cc
88
rear-sshd-RHEL-146037.patch
Normal file
@ -0,0 +1,88 @@
|
||||
From 8497de2d8a029460b0e47119b0664f0d254c97ac Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Cahyna <pcahyna@redhat.com>
|
||||
Date: Thu, 14 Aug 2025 16:11:08 +0200
|
||||
Subject: [PATCH] Copy a sshd helper to the rescue ramdisk
|
||||
|
||||
Without it, sshd in the rescue ramdisk does not start on EL 10
|
||||
and aborts with
|
||||
"/usr/libexec/openssh/sshd-session does not exist or is not executable"
|
||||
|
||||
The idea is very similar to the sftp-server part of the script, but the
|
||||
implementation is deliberately different:
|
||||
- Instead of grepping a fixed known configuration file, the output of
|
||||
sshd -T is used. sshd -T prints the effective configuration on stdout.
|
||||
This way one does not need to know the path to the sshd configuration
|
||||
file, while avoiding possible issues like the one described in
|
||||
https://github.com/rear/rear/pull/1538#issuecomment-337883867
|
||||
and one also gets automatic support for more complicated setups
|
||||
with configuration snippets like on Debian,
|
||||
see its sshd_config(5) manual page:
|
||||
"Note that the Debian openssh-server package sets several options as stan-
|
||||
dard in /etc/ssh/sshd_config which are not the default in sshd(8):
|
||||
- Include /etc/ssh/sshd_config.d/*.conf
|
||||
..."
|
||||
At the same time, the command takes care of removing comments and
|
||||
assigning default values (one would not get them by grepping the
|
||||
configuration file).
|
||||
- awk is used instead of grep, allowing to match the precise value of a
|
||||
configuration option and not just the prefix, and to not rely on the
|
||||
shell to parse the output into fields.
|
||||
- The path to the helper gets added to COPY_AS_IS instead of to PROGS.
|
||||
The problem with PROGS is that it ignores the path (even if the program
|
||||
gets specified by its absolute path) and copies the program to
|
||||
/usr/bin - but sshd need the helper at exactly the same path as on the
|
||||
original system, as it invokes the helper via its full path (not
|
||||
$PATH). This behavior of PROGS is arguably something that should be
|
||||
changed and PROGS should use an absolute path as target if provided. For
|
||||
now, use COPY_AS_IS as a workaround.
|
||||
|
||||
(The sftp-server part would of course benefit from the same changes, as
|
||||
the arguments above apply to it equally. In particular, the last point
|
||||
looks fatal, as the sftp-server gets also copied to /usr/bin instead
|
||||
to its correct path, but sshd refers to it by its full path. Indeed,
|
||||
sftp to the rescue system does not work, even if ssh does:
|
||||
$ sftp root@...
|
||||
Warning: Permanently added ... to the list of known hosts.
|
||||
Connection closed.
|
||||
Connection closed
|
||||
|
||||
Similar code has been here since the beginning of the git history
|
||||
(2009), so I wonder whether the sftp part has ever worked... )
|
||||
|
||||
(cherry picked from commit 8497de2d8a029460b0e47119b0664f0d254c97ac)
|
||||
---
|
||||
usr/share/rear/rescue/default/500_ssh.sh | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/usr/share/rear/rescue/default/500_ssh.sh b/usr/share/rear/rescue/default/500_ssh.sh
|
||||
index 27e48742a8..60d9fbd5a4 100644
|
||||
--- a/usr/share/rear/rescue/default/500_ssh.sh
|
||||
+++ b/usr/share/rear/rescue/default/500_ssh.sh
|
||||
@@ -44,6 +44,26 @@ contains_visible_char "${copy_as_is_ssh_files[*]}" && COPY_AS_IS+=( "${copy_as_i
|
||||
# Copy the usual SSH programs into the recovery system:
|
||||
PROGS+=( ssh sshd scp sftp ssh-agent ssh-keygen )
|
||||
|
||||
+# Copy a helper needed at least on EL 10.
|
||||
+# Without it, sshd aborts with
|
||||
+# "/usr/libexec/openssh/sshd-session does not exist or is not executable".
|
||||
+# sshd -T prints the effective configuration on stdout. This way one
|
||||
+# does not need to know the path to the sshd configuration file, while
|
||||
+# avoiding possible issues like the one described in
|
||||
+# https://github.com/rear/rear/pull/1538#issuecomment-337883867
|
||||
+# and one also gets automatic support for more complicated setups
|
||||
+# with configuration snippets like on Debian,
|
||||
+# see its sshd_config(5) manual page:
|
||||
+# "Note that the Debian openssh-server package sets several options as stan-
|
||||
+# dard in /etc/ssh/sshd_config which are not the default in sshd(8):
|
||||
+# - Include /etc/ssh/sshd_config.d/*.conf
|
||||
+# ..."
|
||||
+# At the same time, the command takes care of removing comments and assigning
|
||||
+# default values (one would not get them by grepping the configuration file).
|
||||
+# The path to the helper is the value of the sshdsessionpath option.
|
||||
+local sshdsessionpath="$( sshd -T | awk '$1=="sshdsessionpath" { print $2 }' )"
|
||||
+test "$sshdsessionpath" && COPY_AS_IS+=( "$sshdsessionpath" )
|
||||
+
|
||||
# Copy a sftp-server program (e.g. /usr/lib/ssh/sftp-server) into the recovery system (if exists).
|
||||
# Because only OpenSSH >= 3.1 is supported where /etc/ssh/ is the default directory for configuration files
|
||||
# only /etc/ssh/sshd_config is inspected to grep for a sftp-server program therein
|
||||
|
||||
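Review bot: On the two added lines that set and use `sshdsessionpath`, a failing `sshd -T` cannot be told apart from an sshd that simply has no such option. `local sshdsessionpath="$( ... )"` yields the exit status of `local`, not of the pipeline, and `test "$sshdsessionpath"` only checks that the string is non-empty. Consider declaring the variable first and assigning it on a separate line, logging when `sshd -T` fails, and checking `test -x "$sshdsessionpath"` before appending to COPY_AS_IS. A missing or non-executable helper would then be reported when the rescue image is built rather than as sshd refusing to start inside the rescue system. The awk `print $2` would also cut off a path containing whitespace, which is unlikely but worth a short comment.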
@ -115,6 +115,10 @@ Patch126: rear-print-disk-mapping-with-sizes-RHEL-83241.patch
|
||||
# https://github.com/rear/rear/commit/9b28f14fad26ff00a6f90b13c3e4906d85f3ae3c
|
||||
Patch127: rear-support-aarch64-uefi-RHEL-56045.patch
|
||||
|
||||
# copy an sshd helper to the rescue ramdisk, necessary on EL9.8
|
||||
# https://github.com/rear/rear/commit/bcf6669fac64d194d18b2e5360df4181002856e8
|
||||
Patch128: rear-sshd-RHEL-146037.patch
|
||||
|
||||
######################
|
||||
# downstream patches #
|
||||
######################
|
||||
|
||||
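Review bot: The comment above `Patch128` cites upstream commit bcf6669fac64d194d18b2e5360df4181002856e8, but the patch file added in this same change starts with `From 8497de2d8a029460b0e47119b0664f0d254c97ac` and states it was cherry picked from that commit. Please confirm which hash is intended and make the two agree, or say in the comment that one of them is a merge commit. The spec comment also says "necessary on EL9.8" while the comment inside the patch says "needed at least on EL 10"; wording the spec comment to cover both releases would avoid confusion for later readers.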