[sshd_config] Add a separate config for eng builds

Bug: b/327015808
Change-Id: I7611d4f8b763c125e670828cf377ef08295280b0
Reviewed-on: https://fuchsia-review.googlesource.com/c/third_party/openssh-portable/+/1035175
Fuchsia-Auto-Submit: Casey Dahlin <sadmac@google.com>
Reviewed-by: Steven Grady <slgrady@google.com>
Commit-Queue: Casey Dahlin <sadmac@google.com>
diff --git a/fuchsia/sshd_config_eng b/fuchsia/sshd_config_eng
new file mode 100644
index 0000000..562cf20
--- /dev/null
+++ b/fuchsia/sshd_config_eng
@@ -0,0 +1,42 @@
+HostKey /data/ssh/ssh_host_ed25519_key
+
+LogLevel INFO
+
+# Zero or more authorized_keys files may be present under different scenarios:
+#   /data - authorized_keys are typically read from here when running on hardware, copied into minfs
+#           during the paving process.
+#   /boot - authorized_keys should only present be in bootfs when running Fuchsia in an emulator.
+#   /config/data/authorized_keys - This file is not expected to be present on standard builds, only
+#           on those that need to inject keys for special circumstances, such as when being tested
+#           from automated infrastructure.
+#           See go/fuchsia-ssh-for-testing for more informaton on that.
+#
+# These are combined since the sshd will only use the first AuthorizedKeysFile line.
+AuthorizedKeysFile /data/ssh/authorized_keys /boot/data/ssh/authorized_keys /config/data/authorized_keys
+
+# Enable SSH using Certificate Authority-issued SSH credentials.  These are not expected to be
+# present in most builds, and products will add keys to this location in config-data to enable this
+# feature.
+TrustedUserCAKeys /config/data/ssh_ca_pub_keys
+
+# This is an opion specific to the Fuchsia fork which disables validation of the "valid_after" field
+# of CA-signed ssh key certificates, so that ssh can be used when the current time has not been able
+# to be synced with, and the system is using the backstop time.
+IgnoreValidAfter yes
+
+# We disallow password authentication completely (it's unsupported irrespective of this
+# configuration), so all auth is key-based. Bump the MaxAuthTries limit to accommodate users with
+# many keys added to their SSH agent.
+PasswordAuthentication no
+MaxAuthTries 20
+MaxSessions 20
+
+Protocol 2
+TCPKeepAlive yes
+ClientAliveInterval 1
+ClientAliveCountMax 20
+
+Subsystem sftp /pkg/bin/sftp-server
+Subsystem sl4f /pkg/bin/sl4f-server
+
+AcceptEnv FFX_DAEMON_ABI_REVISION
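Review bot: Nothing in the new file says it is for eng builds only or which directives differ from the standard config, and the two lines a reviewer most needs explained, `Subsystem sl4f /pkg/bin/sl4f-server` and `AcceptEnv FFX_DAEMON_ABI_REVISION` at the end of the hunk, are the only non-obvious ones without a comment. I would open the file with `# Eng builds only: adds the sl4f test-automation subsystem; must not be selected for non-eng products.` and put a one-line comment above each of those two directives saying what consumes it. The `IgnoreValidAfter yes` comment could also state the trade-off: with the not-before check off, a certificate's lifetime is bounded only by its expiry, which is presumably evaluated against the same backstop clock. `Protocol 2` is deprecated in upstream OpenSSH, so it can probably be dropped if this fork tracks a recent release. The comment text also has typos worth fixing while the file is new: "should only present be", "informaton" and "opion".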