authorMatt Jolly <Matt.Jolly@footclan.ninja>2023-02-02 16:44:07 +1100
committerMike Gilbert <floppym@gentoo.org>2023-02-04 19:10:07 -0500
commitf0469c1f161335aad3997e34f9cef0af0436a502 (patch)
tree1c9a4a866b77f6cbe77d2e0ef83166f140804f79 /net-misc/openssh
parentapp-text/poppler-data: add 0.4.12 (diff)
net-misc/openssh: update systemd units
- Systemd unit file now sets:
  + OOMPolicy=continue
  + Restart=on-failure
  + RestartSec=42s
- Remove `After=syslog.target` from sshd unit files
- Remove obsolete substitutions

Closes: https://bugs.gentoo.org/892784
Closes: https://github.com/gentoo/gentoo/pull/29386
Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'net-misc/openssh')
-rw-r--r--net-misc/openssh/files/sshd.service.115
-rw-r--r--net-misc/openssh/files/sshd_at.service.18
-rw-r--r--net-misc/openssh/openssh-9.2_p1-r1.ebuild (renamed from net-misc/openssh/openssh-9.2_p1.ebuild)21
3 files changed, 35 insertions, 9 deletions
diff --git a/net-misc/openssh/files/sshd.service.1 b/net-misc/openssh/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
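Review bot: `Restart=on-failure` together with `RestartSec=42s` makes automatic restarts effectively unbounded, because systemd's default start-rate limit (5 starts within 10 s, assuming the distribution defaults are unchanged) can never be reached when restarts are spaced 42 s apart — which is exactly the scenario the pkg_postinst warning in this commit cautions about. The unit should either bound this explicitly in `[Unit]`, e.g. `StartLimitIntervalSec=10min` and `StartLimitBurst=5` (example values), or state that unbounded restart is intended. In either case a comment directly above the directive, `# Restart on crash; see bug 892784 — override with Restart=no in a drop-in if unwanted`, keeps the rationale next to the setting instead of only in the ebuild's ewarn text.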
diff --git a/net-misc/openssh/files/sshd_at.service.1 b/net-misc/openssh/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
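Review bot: The leading `-` in `ExecStart=-/usr/sbin/sshd -i -e` is the non-obvious part of this unit and deserves a comment, since it tells systemd to treat a non-zero exit of a per-connection instance as clean rather than leaving a failed `sshd@` unit behind for every dropped or rejected connection. Suggest `# '-' : a non-zero exit of a per-connection sshd is expected (e.g. the peer disconnects before authenticating) and must not mark the instance failed`. The socket unit this template is paired with is not part of the commit, so the per-connection semantics can only be inferred here from the `sshd@.service` name given in the ebuild.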
diff --git a/net-misc/openssh/openssh-9.2_p1.ebuild b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
index 9fa1599bd620..8a348bd91862 100644
--- a/net-misc/openssh/openssh-9.2_p1.ebuild
+++ b/net-misc/openssh/openssh-9.2_p1-r1.ebuild
@@ -1,7 +1,7 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
@@ -269,10 +269,6 @@ src_prepare() {
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@@ -282,8 +278,6 @@ src_prepare() {
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
@@ -443,8 +437,9 @@ src_install() {
dodir /etc/skel/.ssh
rmdir "${ED}"/var/empty || die
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+ systemd_dounit "${FILESDIR}"/sshd.socket
+ systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+ systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
}
pkg_preinst() {
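Review bot: The two new `systemd_newunit` calls quote their target names inconsistently — `sshd.service` bare, `'sshd@.service'` quoted — although neither needs quoting in bash; one form should be used, e.g. `systemd_newunit "${FILESDIR}"/sshd_at.service.1 sshd@.service`. The `.1` suffix on the FILESDIR names is presumably there so future edits to the units can be shipped as a new file without changing what older ebuild revisions install; a one-line comment above the block saying so would spare the next maintainer the guess.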
@@ -492,6 +487,14 @@ pkg_postinst() {
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
+ if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+ ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+ ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+ ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+ ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+ ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+ ewarn "set 'Restart=no' in your sshd unit file."
+ fi
done
if [[ -n ${show_ssl_warning} ]]; then
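Review bot: The closing advice of the new ewarn block, `set 'Restart=no' in your sshd unit file`, reads as an instruction to edit the shipped unit, which the package will overwrite on the next upgrade and so silently re-enable automatic restarts; the durable mechanism is a drop-in, so the last line should read something like `ewarn "set 'Restart=no' in a drop-in (e.g. via 'systemctl edit sshd.service') rather than editing the shipped unit."`. The phrase "web-facing" is also odd for an SSH daemon — "Internet-facing" says what is meant. The lines from "'Restart=on-failure', which causes" through "If you have a web-facing setup" run well past the ~80-column width the surrounding ewarn text keeps, so rewrapping them would match the file's style. pkg_postinst() and the loop that sets `old_ver` start outside the hunk, so the variable's origin can only be inferred from the `done` at the end.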