
bump(main/openssh): 10.0p2 #24224


Merged
merged 1 commit into from
Apr 14, 2025

Conversation

TomJo2000
Member

@TomJo2000 TomJo2000 commented Apr 9, 2025

This PR updates openssh to version 10.0p1

Important

Essential package PR checklist:

  • Builds locally
  • Builds on CI
  • Tested on device (Fairphone 5, Android 14, AArch64)
  • Package completeness/integrity checked
  • Checked dynamic linking against all dependencies
This release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.
https://www.openssh.com/releasenotes.html#10.0p1

I have amended the Makefile.in.patch to have sshd-auth link against termux-auth.
sshd itself shouldn't need to link against termux-auth anymore, however this will require further validation.
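The two packaging checks the release note and the checklist above call for (the new sshd-auth helper must be shipped, and it is the binary that now needs termux-auth for password authentication) can be scripted. The following is an added example written for this page, not code from the PR or from termux-packages; it assumes the helpers sit directly under $PREFIX/libexec as the PR describes, that termux-auth's shared object is named libtermux-auth.so, and that binutils' readelf is available on the build host.

```shell
#!/bin/sh
# Added example (not from the termux-packages PR): post-build checks for an
# OpenSSH 10.0 package after the sshd-session / sshd-auth split.
# Assumptions: helpers live directly under "$PREFIX/libexec"; termux-auth's
# library is libtermux-auth.so; `readelf` (binutils) is on PATH.

# Helper binaries OpenSSH 10.0 installs under libexec. sshd-auth is new in
# 10.0; if it is left out of the package, user authentication cannot run.
OPENSSH_LIBEXEC_FILES="ssh-keysign ssh-pkcs11-helper ssh-sk-helper sshd-auth sshd-session sftp-server"

# check_libexec_layout PREFIX
# Prints any missing helper to stderr and returns 1 if at least one is absent.
check_libexec_layout() {
    prefix=$1
    missing=""
    for f in $OPENSSH_LIBEXEC_FILES; do
        [ -f "$prefix/libexec/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing under $prefix/libexec:$missing" >&2
        return 1
    fi
    return 0
}

# needed_from_readelf
# Reads `readelf -d` output on stdin and prints the NEEDED shared-object
# names, one per line (the dynamic-linking check from the PR checklist).
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# binary_needs BIN LIB
# Returns 0 if BIN carries a NEEDED entry for exactly LIB.
binary_needs() {
    readelf -d "$1" 2>/dev/null | needed_from_readelf | grep -qx "$2"
}

# check_auth_linking PREFIX
# sshd-auth handles password authentication, so it must link termux-auth;
# after the split sshd-session is expected not to need it any more, which is
# reported as a note rather than a failure.
check_auth_linking() {
    prefix=$1
    binary_needs "$prefix/libexec/sshd-auth" libtermux-auth.so || {
        echo "sshd-auth does not link libtermux-auth.so" >&2
        return 1
    }
    if binary_needs "$prefix/libexec/sshd-session" libtermux-auth.so; then
        echo "note: sshd-session still links libtermux-auth.so" >&2
    fi
    return 0
}

# Usage on a finished install tree (assumed path, e.g. $PREFIX in Termux):
#   check_libexec_layout "$PREFIX" && check_auth_linking "$PREFIX"
```

Running both checks against the staged install tree before packaging catches the two regressions this release makes possible: a missing sshd-auth, and a sshd-auth built without the termux-auth dependency it needs for password logins.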

@TomJo2000 TomJo2000 changed the title bump(main/openssh): 10.0p1 bump(main/openssh): 10.0p2 Apr 10, 2025
@TomJo2000
Member Author

10.0p2 is identical to 10.0p1, I am honestly not sure why upstream released it as a separate release.

https://github.com/openssh/openssh-portable/releases/tag/V_10_0_P2

@TomJo2000
Member Author

TomJo2000 commented Apr 10, 2025

Okay, so SSH works for the most part.
But I can't get password based login working.
It's quite possible that that's an issue with my config.

Didn't catch that issue initially since I always use keybased auth.

Edit: And of course it instantly starts working as soon as I try to troubleshoot it.

Edit 2: I'm pretty sure I just had to restart sshd.

@TomJo2000
Member Author

TomJo2000 commented Apr 10, 2025

ssh, sshd, ssh-agent, ssh-add, ssh-keygen, ssh-keyscan, ssh-copy-id, scp, sftp, mosh and rsync are all working as expected with OpenSSH 10.0p2.

@TomJo2000
Member Author

There is some additional housekeeping I'd like to add into this PR.

  • We currently ship a couple additional wrapper scripts in $PREFIX/bin with OpenSSH
    • source-ssh-agent
    • scpa
    • sftpa
    • ssha
      These provide a band-aid solution for enabling SSH agent support and haven't been touched in 4 to 6 years.
      I would like to drop these in favor of recommending runit and the ssh-agent service shipped with our openssh package since version 9.9p1-5.
  • ssh-copy-id as shipped in our openssh package is based on a 5+ year old version of the script from Ubuntu 20.04, I would like to suggest that we include this from upstream instead and simply patch it as needed.
  • $PREFIX/libexec files.
    The files at $PREFIX/libexec/{ssh-keysign,ssh-pkcs11-helper,ssh-sk-helper,sshd-auth,sshd-session,sftp-server}
    are currently in the top directory of $PREFIX/libexec, I propose we move these into $PREFIX/libexec/ssh, most packages with files in libexec have their own subdirectories.

@TomJo2000
Member Author

TomJo2000 commented Apr 10, 2025

CC: @fornwall regarding the removal of the old agent wrapper scripts.
(git blame says you were involved in introducing them)

@fornwall
Member

regarding the removal of the old agent wrapper scripts

I think it makes sense to remove them as you say (I don't use them myself, and usage is probably really low?).

If things like that should be kept (not saying they should), they probably belong to a separate package.

@TomJo2000
Member Author

Alright this turned into a full on build script rewrite.
To summarize:

  • I moved up termux_pkg_auto_update() since it's usually the first function under the control variables.
  • Added termux-services to the TERMUX_PKG_RECOMMENDS and added an informational section to the postinst script.
  • Made the $TERMUX_ON_DEVICE_BUILD less janky.
  • Made it so ssh-copy-id is installed from src/contrib and gets patched as needed in place.
  • Made the manpage checks (OpenSSH lacks manpages #1538) more robust and added missing man pages to the check.
    • and added checks for openssh-sftp-server's man pages
  • Moved the sftp.1 man page to the openssh-sftp-server subpackage.
  • Turned the embedded postinst script into a bracegroup so it's a single write.
  • Removed the old "with agent" wrapper scripts and vendored copy of ssh-copy-id.
  • Fixed shellcheck complaints and improved quoting all around.

I can split this up into multiple commits if wanted.

@TomJo2000 TomJo2000 force-pushed the openssh10.0 branch 2 times, most recently from 6e27ab1 to d1a28c1 Compare April 13, 2025 00:34
@TomJo2000
Member Author

I will go ahead and merge this shortly.
I'd like to get openssh updated before the CI gets filled up with Libxml2 related rebuilds.

@TomJo2000
Member Author

And then I forgot to do it before the libxml2 rebuilds.
Classic.

Merging the openssh update now.

@TomJo2000 TomJo2000 merged commit 7b5bd56 into termux:master Apr 14, 2025
9 checks passed
@TomJo2000 TomJo2000 deleted the openssh10.0 branch April 14, 2025 03:29
@xandris

xandris commented Apr 20, 2025

regarding the removal of the old agent wrapper scripts

I think it makes sense to remove them as you say (I don't use them myself, and usage is probably really low?).

If things like that should be kept (not saying they should), they probably belong to a separate package.

Quite a surprising start to my Sunday morning. The service equivalent is nicer so I'm not complaining. The wiki still talks about the wrapper scripts so I had to find this PR to figure out what happened.

@TomJo2000
Member Author

Quite a surprising start to my Sunday morning. The service equivalent is nicer so I'm not complaining. The wiki still talks about the wrapper scripts so I had to find this PR to figure out what happened.

Sorry about that.
I don't have access to change the wiki article unfortunately.
We're currently working on migrating the Wiki to the new github pages site once that is ready, but for now it's kind of in limbo.

@agnostic-apollo
Member

You can comment changes required to wiki in MediaWiki format and I can change them.

@TomJo2000
Member Author

You can comment changes required to wiki in MediaWiki format and I can change them.

I've never actually written anything in MediaWiki format.
But I can look into that later if you haven't done it yourself by then.

@agnostic-apollo
Member

It's this. I have only written in it a couple of times and don't really like it, I prefer markdown. I don't really have the time to write content currently or even look into what's changed.

https://www.mediawiki.org/wiki/Help:Formatting

Development

Successfully merging this pull request may close these issues.

Auto update failing for openssh
6 participants