Updating all dependencies to latest versions as of 2023 (#70)

* updating to alpine 3.17 and openssh 9.3p1

* update to Duo 2.0.0

* update to google-authenticator-libpam 1.09

* update to sudosh 0.3.0

Dockerfile

@@ -1,17 +1,17 @@
 ##
 ## Base builder image
 ##
-FROM alpine:3.8 as builder
+FROM alpine:3.17 as builder
 
-RUN apk --update add --virtual .build-deps build-base automake autoconf libtool git linux-pam-dev openssl-dev wget
+RUN apk --update add --virtual .build-deps build-base automake autoconf libtool git linux-pam-dev zlib-dev openssl-dev wget
 
 
 ##
 ## Duo builder image
 ##
 FROM builder as duo-builder
 
-ARG DUO_VERSION=1.10.5
+ARG DUO_VERSION=2.0.0
 RUN wget https://dl.duosecurity.com/duo_unix-${DUO_VERSION}.tar.gz && \
     mkdir -p src && \
     tar -zxf duo_unix-${DUO_VERSION}.tar.gz --strip-components=1 -C src
@@ -29,7 +29,7 @@ RUN cd src && \
 ##
 FROM builder as google-authenticator-libpam-builder
 
-ARG AUTHENTICATOR_LIBPAM_VERSION=1.05
+ARG AUTHENTICATOR_LIBPAM_VERSION=1.09
 RUN git clone --branch ${AUTHENTICATOR_LIBPAM_VERSION} --single-branch https://github.com/google/google-authenticator-libpam src
 
 RUN cd src && \
@@ -45,7 +45,7 @@ RUN cd src && \
 ##
 FROM builder as openssh-portable-builder
 
-ARG OPENSSH_VERSION=V_7_8_P1
+ARG OPENSSH_VERSION=V_9_3_P1
 RUN git clone --branch ${OPENSSH_VERSION} --single-branch https://github.com/openssh/openssh-portable src
 
 COPY patches/ /patches/
@@ -74,7 +74,7 @@ RUN cd src && \
 ##
 ## Bastion image
 ##
-FROM alpine:3.8
+FROM alpine:3.17
 
 LABEL maintainer="erik@cloudposse.com"
 
@@ -87,10 +87,10 @@ RUN apk --update add curl drill groff util-linux bash xauth gettext openssl-dev
     rm -f /usr/bin/ssh-keyscan && \
     touch /var/log/lastlog && \
     mkdir -p /var/run/sshd && \
-    mv /etc/profile.d/color_prompt /etc/profile.d/color_prompt.sh
+    ln -s /etc/profile.d/color_prompt.sh.disabled /etc/profile.d/color_prompt.sh
 
 ## Install sudosh
-ENV SUDOSH_VERSION=0.1.3
+ENV SUDOSH_VERSION=0.3.0
 RUN wget https://github.com/cloudposse/sudosh/releases/download/${SUDOSH_VERSION}/sudosh_linux_386 -O /usr/bin/sudosh && \
     chmod 755 /usr/bin/sudosh
 

patches/README.md

@@ -16,3 +16,11 @@ Also we modified one alpine patch related to realpath, because it is outdated.
 [bsd-compatible-realpath.diff](openssh/cloudposse/bsd-compatible-realpath.diff)
 
 When upgrading version of OpenSSH, the patches might need to be regenerated.
+
+
+## Dev Cheatsheet for Regenerating OpenSSH Patches
+
+```
+git clone --single-branch https://gitlab.alpinelinux.org/alpine/aports.git tmp
+cp tmp/main/openssh/*.patch patches/openssh/alpine/
+```

patches/openssh/alpine/avoid-redefined-warnings-when-building-with-utmps.patch

@@ -0,0 +1,16 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Wed, 15 Dec 2021 22:37:42 +0100
+Subject: [PATCH] Avoid redefined warnings when building with utmps
+
+--- a/includes.h
++++ b/includes.h
+@@ -62,6 +62,9 @@
+ #endif
+
+ #ifdef HAVE_UTMP_H
++/* _PATH_UTMP and _PATH_WTMP are defined both in paths.h and utmps/utmp.h. */
++#  undef _PATH_UTMP
++#  undef _PATH_WTMP
+ #  include <utmp.h>
+ #endif
+ #ifdef HAVE_UTMPX_H

patches/openssh/alpine/default-internal-sftp.patch

@@ -0,0 +1,14 @@
+set the default sftp to internal.
+this is better than the extra one, because it requires no extra support files
+with ChrootDirectory, and it does not fork so it is faster.
+--- a/sshd_config
++++ b/sshd_config
+@@ -107,7 +107,7 @@
+ #Banner none
+
+ # override default of no subsystems
+-Subsystem	sftp	/usr/libexec/sftp-server
++Subsystem	sftp	internal-sftp
+
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs

patches/openssh/alpine/disable-forwarding-by-default.diff → patches/openssh/alpine/disable-forwarding-by-default.patch

@@ -2,7 +2,7 @@
 +++ openssh-7.7p1/sshd_config	2018-07-29 03:08:16.340000000 -0500
 @@ -82,9 +82,10 @@
  #UsePAM no
-
+ 
  #AllowAgentForwarding yes
 -#AllowTcpForwarding yes
 -#GatewayPorts no

patches/openssh/alpine/fix-utmp.patch

@@ -0,0 +1,34 @@
+diff -rNU3 openssh-9.0p1.old/loginrec.c openssh-9.0p1/loginrec.c
+--- openssh-9.0p1.old/loginrec.c	2022-04-06 02:47:48.000000000 +0200
++++ openssh-9.0p1/loginrec.c	2022-07-11 14:59:44.848827188 +0200
+@@ -763,10 +763,6 @@
+ 	set_utmpx_time(li, utx);
+ 	utx->ut_pid = li->pid;
+
+-	/* strncpy(): Don't necessarily want null termination */
+-	strncpy(utx->ut_user, li->username,
+-	    MIN_SIZEOF(utx->ut_user, li->username));
+-
+ 	if (li->type == LTYPE_LOGOUT)
+ 		return;
+
+@@ -775,6 +771,10 @@
+ 	 * for logouts.
+ 	 */
+
++	/* strncpy(): Don't necessarily want null termination */
++	strncpy(utx->ut_user, li->username,
++	    MIN_SIZEOF(utx->ut_user, li->username));
++
+ # ifdef HAVE_HOST_IN_UTMPX
+ 	strncpy(utx->ut_host, li->hostname,
+ 	    MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -787,7 +787,7 @@
+ 	if (li->hostaddr.sa.sa_family == AF_INET)
+ 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
+ # endif
+-# ifdef HAVE_ADDR_V6_IN_UTMP
++# ifdef HAVE_ADDR_V6_IN_UTMPX
+ 	/* this is just a 128-bit IPv6 address */
+ 	if (li->hostaddr.sa.sa_family == AF_INET6) {
+ 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);

patches/openssh/alpine/fix-verify-dns-segfault.patch

@@ -0,0 +1,57 @@
+Handle case when answer=NULL due to zero answers
+
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe05..28622b5 100644
+--- a/openbsd-compat/getrrsetbyname.c
++++ b/openbsd-compat/getrrsetbyname.c
+@@ -268,7 +268,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	}
+ 	rrset->rri_rdclass = response->query->class;
+ 	rrset->rri_rdtype = response->query->type;
+-	rrset->rri_ttl = response->answer->ttl;
++	rrset->rri_ttl = response->answer ? response->answer->ttl : 0;
+ 	rrset->rri_nrdatas = response->header.ancount;
+
+ #ifdef HAVE_HEADER_AD
+@@ -276,6 +276,17 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	if (response->header.ad == 1)
+ 		rrset->rri_flags |= RRSET_VALIDATED;
+ #endif
++	/* allocate memory for signatures */
++	if (rrset->rri_nsigs > 0) {
++		rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
++		if (rrset->rri_sigs == NULL) {
++			result = ERRSET_NOMEMORY;
++			goto fail;
++		}
++	}
++
++	if (response->answer == NULL || response->header.ancount == 0)
++		goto done;
+
+ 	/* copy name from answer section */
+ 	rrset->rri_name = strdup(response->answer->name);
+@@ -298,15 +309,6 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 		goto fail;
+ 	}
+
+-	/* allocate memory for signatures */
+-	if (rrset->rri_nsigs > 0) {
+-		rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+-		if (rrset->rri_sigs == NULL) {
+-			result = ERRSET_NOMEMORY;
+-			goto fail;
+-		}
+-	}
+-
+ 	/* copy answers & signatures */
+ 	for (rr = response->answer, index_ans = 0, index_sig = 0;
+ 	    rr; rr = rr->next) {
+@@ -334,6 +336,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	}
+ 	free_dns_response(response);
+
++done:
+ 	*res = rrset;
+ 	return (ERRSET_SUCCESS);
+

patches/openssh/alpine/gss-serv.c.patch

@@ -0,0 +1,15 @@
+Author: Milan P. Stanić <mps@arvanta.net>
+Date:   Fri Mar 4 14:53:04 2022 +0000
+
+include sys/param.h to fix missing #define MAXHOSTNAMELEN
+
+--- a/gss-serv.c	2022-03-04 14:40:34.947952759 +0000
++++ b/gss-serv.c	2022-03-04 14:40:50.448023670 +0000
+@@ -29,6 +29,7 @@
+ #ifdef GSSAPI
+
+ #include <sys/types.h>
++#include <sys/param.h>
+
+ #include <stdarg.h>
+ #include <string.h>

patches/openssh/alpine/sftp-interactive.diff → patches/openssh/alpine/sftp-interactive.patch

@@ -2,7 +2,7 @@
 +++ b/sftp.c	2014-10-24 10:35:22.329199875 +0500
 @@ -2076,8 +2076,10 @@
  		signal(SIGINT, SIG_IGN);
-
+ 
  		if (el == NULL) {
 -			if (interactive)
 +			if (interactive) {