Update the dependencies as of April 2025 (#88)

* Update the dependencies as of April 2025

* Fix PAM module is unknown error

* Update test Dockefile base image

---------

Co-authored-by: Igor Rodionov <[email protected]>

Author: felipesantiago

Dockerfile

@@ -1,17 +1,18 @@
+FROM alpine:3.21 AS base
+
 ##
 ## Base builder image
 ##
-FROM alpine:3.17 as builder
+FROM base AS builder
 
 RUN apk --update add --virtual .build-deps build-base automake autoconf libtool git linux-pam-dev zlib-dev openssl-dev wget
 
-
 ##
 ## Duo builder image
 ##
-FROM builder as duo-builder
+FROM builder AS duo-builder
 
-ARG DUO_VERSION=2.0.0
+ARG DUO_VERSION=2.0.4
 RUN wget https://dl.duosecurity.com/duo_unix-${DUO_VERSION}.tar.gz && \
     mkdir -p src && \
     tar -zxf duo_unix-${DUO_VERSION}.tar.gz --strip-components=1 -C src
@@ -23,29 +24,27 @@ RUN cd src && \
     make && \
     make install
 
-
 ##
 ## Google Authenticator PAM module builder image
 ##
-FROM builder as google-authenticator-libpam-builder
+FROM builder AS google-authenticator-libpam-builder
 
-ARG AUTHENTICATOR_LIBPAM_VERSION=1.09
+ARG AUTHENTICATOR_LIBPAM_VERSION=1.11
 RUN git clone --branch ${AUTHENTICATOR_LIBPAM_VERSION} --single-branch https://github.com/google/google-authenticator-libpam src
 
 RUN cd src && \
     ./bootstrap.sh && \
     ./configure \
-        --prefix=/dist && \
+        --prefix=/usr && \
     make && \
     make install
 
-
 ##
 ## OpenSSH Portable builder image
 ##
-FROM builder as openssh-portable-builder
+FROM builder AS openssh-portable-builder
 
-ARG OPENSSH_VERSION=V_9_3_P1
+ARG OPENSSH_VERSION=V_9_9_P2
 RUN git clone --branch ${OPENSSH_VERSION} --single-branch https://github.com/openssh/openssh-portable src
 
 COPY patches/ /patches/
@@ -57,24 +56,22 @@ RUN cd src && \
         --prefix=/dist/usr \
         --sysconfdir=/etc/ssh \
         --datadir=/dist/usr/share/openssh \
-        --libexecdir=/dist/usr/lib/ssh \
+        --libexecdir=/usr/lib/ssh \
         --mandir=/dist/usr/share/man \
         --with-pid-dir=/run \
         --with-mantype=man \
         --with-privsep-path=/var/empty \
         --with-privsep-user=sshd \
-        --with-md5-passwords \
         --with-ssl-engine \
         --disable-wtmp \
-        --with-pam=/dist/lib64/security && \
+        --with-pam=/usr/lib64/security && \
     make && \
     make install
 
-
 ##
 ## Bastion image
 ##
-FROM alpine:3.17
+FROM base
 
 LABEL maintainer="[email protected]"
 
@@ -98,10 +95,12 @@ RUN wget https://github.com/cloudposse/sudosh/releases/download/${SUDOSH_VERSION
 COPY --from=duo-builder dist/ /
 
 ## Install Google Authenticator PAM module
-COPY --from=google-authenticator-libpam-builder dist/ /
+COPY --from=google-authenticator-libpam-builder /usr /usr
 
 ## Install OpenSSH Portable
 COPY --from=openssh-portable-builder dist/ /
+COPY --from=openssh-portable-builder /usr/lib/ssh /usr/lib/ssh
+
 
 ## System
 ENV TIMEZONE="Etc/UTC" \
@@ -128,7 +127,7 @@ ENV ENFORCER_ENABLED="true" \
 ## Enable Rate Limiting
 ENV RATE_LIMIT_ENABLED="true"
 
-## Tolerate 5 consecutive fairues
+## Tolerate 5 consecutive failures
 ENV RATE_LIMIT_MAX_FAILURES="5"
 ## Lock accounts out for 300 seconds (5 minutes) after repeated failures
 ENV RATE_LIMIT_LOCKOUT_TIME="300"

patches/openssh/alpine/disable-fzero-call-used-regs-used-on-ppc64le.patch

@@ -0,0 +1,48 @@
+From 2b340fc84c292db1272ae4b3a7eb85a3de223ddd Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <[email protected]>
+Date: Tue, 2 Jul 2024 10:00:38 +0900
+Subject: [PATCH] disable -fzero-call-used-regs=used on ppc64le
+
+This fails as follow for some files:
+packet.c: In function 'ssh_packet_log_type':
+packet.c:1158:1: sorry, unimplemented: argument 'used' is not supported for '-fzero-call-used-regs' on this target
+ 1158 | }
+      | ^
+make: *** [Makefile:203: packet.o] Error 1
+
+This had previously been an issue on an older version as well and the
+"fix" at the time was to make the detection function more likely to
+trigger that behaviour, but that was apparently not enough so just
+disable at configure level.
+
+Link: https://issues.guix.gnu.org/68212
+---
+ configure.ac | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5a865f8e1b07..4f99ad35a3ce 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -237,10 +237,14 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
+ 	# https://github.com/llvm/llvm-project/issues/59242
+ 	# clang 17 has a different bug that causes an ICE when using this
+ 	# flag at all (https://bugzilla.mindrot.org/show_bug.cgi?id=3629)
+-	case "$CLANG_VER" in
+-	apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
+-	17*)	;;
+-	*)	OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
++	case "$host" in
++	"powerpc64le"*) ;; # skip on ppc64le
++	*)
++		case "$CLANG_VER" in
++		apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
++		17*)	;;
++		*)	OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
++		esac
+ 	esac
+ 	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
+     fi
+-- 
+2.39.2
+

patches/openssh/alpine/fix-utmp.patch

@@ -23,12 +23,3 @@ diff -rNU3 openssh-9.0p1.old/loginrec.c openssh-9.0p1/loginrec.c
  # ifdef HAVE_HOST_IN_UTMPX
  	strncpy(utx->ut_host, li->hostname,
  	    MIN_SIZEOF(utx->ut_host, li->hostname));
-@@ -787,7 +787,7 @@
- 	if (li->hostaddr.sa.sa_family == AF_INET)
- 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
- # endif
--# ifdef HAVE_ADDR_V6_IN_UTMP
-+# ifdef HAVE_ADDR_V6_IN_UTMPX
- 	/* this is just a 128-bit IPv6 address */
- 	if (li->hostaddr.sa.sa_family == AF_INET6) {
- 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);

patches/openssh/alpine/fix-verify-dns-segfault.patch

@@ -0,0 +1,26 @@
+--- a/ssh_config
++++ b/ssh_config
+@@ -17,6 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++# Include configuration snippets before processing this file to allow the
++# snippets to override directives set in this file.
++Include /etc/ssh/ssh_config.d/*.conf
++
+ # Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+--- a/sshd_config
++++ b/sshd_config
+@@ -10,6 +10,10 @@
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
+ 
++# Include configuration snippets before processing this file to allow the
++# snippets to override directives set in this file.
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0

patches/openssh/alpine/gss-serv.c.patch

@@ -0,0 +1,25 @@
+From 561a9fd3abf044b5dfafd4852097c1bccc8e98bb Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <[email protected]>
+Date: Mon, 1 Jul 2024 18:19:12 +0900
+Subject: [PATCH] allow using a different sshd-session flavor
+
+---
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e1b77ebc6495..df745d80863b 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -24,7 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+-SSHD_SESSION=$(libexecdir)/sshd-session
++SSHD_SESSION=$(libexecdir)/sshd-session$(SSHD_SESSION_FLAVOR)
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+--
+2.39.2
+

patches/openssh/alpine/include-config-dir.patch

@@ -1,12 +1,12 @@
 diff --git a/version.h b/version.h
-index 69e76e63..9cc63293 100644
+index 9bd910a64..6760b7b1b 100644
 --- a/version.h
 +++ b/version.h
 @@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.97 2023/03/15 21:19:57 djm Exp $ */
+ /* $OpenBSD: version.h,v 1.103 2024/09/19 22:17:44 djm Exp $ */
 
--#define SSH_VERSION	"OpenSSH_9.3"
+-#define SSH_VERSION	"OpenSSH_9.9"
 +#define SSH_VERSION	"SERVER"
 
- #define SSH_PORTABLE	"p1"
+ #define SSH_PORTABLE	"p2"
  #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

patches/openssh/alpine/sftp-interactive.patch

@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.21
 
 RUN apk add \
 	openssh-client \