From 39c7929c6ec3c584d01b69c63914a1eaf9eef3ab Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Wed, 28 May 2025 08:15:27 +0200 Subject: [PATCH 1/2] openssh: disable memlocking when building with PAM support With the current OpenSSH version it can result in some crashes preventing users from logging in. Upstream issue: https://bugzilla.mindrot.org/show_bug.cgi?id=3822 For reference Debian also disabled it for now: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103418 --- pkgs/tools/networking/openssh/common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix index f50bff766f90..0188f43e6fdb 100644 --- a/pkgs/tools/networking/openssh/common.nix +++ b/pkgs/tools/networking/openssh/common.nix @@ -37,7 +37,9 @@ withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey, withPAM ? stdenv.hostPlatform.isLinux, # Attempts to mlock the entire sshd process on startup to prevent swapping. - withLinuxMemlock ? stdenv.hostPlatform.isLinux, + # Currently disabled when PAM support is enabled due to crashes + # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103418 + withLinuxMemlock ? (stdenv.hostPlatform.isLinux && !withPAM), linkOpenssl ? true, isNixos ? stdenv.hostPlatform.isLinux, }: From 42a6689a17eb69046c5bb26aa5eee0d30f017242 Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Tue, 27 May 2025 23:47:32 -0700 Subject: [PATCH 2/2] rl-2505: remove note about OpenSSH memlocking See 39c7929c6ec3c584d01b69c63914a1eaf9eef3ab for more details. --- doc/release-notes/rl-2505.section.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/release-notes/rl-2505.section.md b/doc/release-notes/rl-2505.section.md index ebd6dee23041..8a395089426d 100644 --- a/doc/release-notes/rl-2505.section.md +++ b/doc/release-notes/rl-2505.section.md 
@@ -28,7 +28,7 @@ - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken) - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively -- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details. +- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details. - Emacs has been updated to 30.1. This introduces some backwards‐incompatible changes; see the NEWS for details.
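Review bot: in the common.nix hunk (PATCH 1/2), the new default `withLinuxMemlock ? (stdenv.hostPlatform.isLinux && !withPAM)` turns the mlock protection off for the configuration this package ships by default, since `withPAM ? stdenv.hostPlatform.isLinux` is true on every Linux host, so the added comment should say explicitly that this is a temporary workaround and cite the upstream tracker from the commit message (https://bugzilla.mindrot.org/show_bug.cgi?id=3822) next to the Debian report, so whoever revisits it can check whether the crash is fixed before restoring `withLinuxMemlock ? stdenv.hostPlatform.isLinux`. The comment above still reads "Attempts to mlock the entire sshd process on startup to prevent swapping", and it is worth one more line noting the consequence of the new default: with PAM enabled, sshd memory is swappable again, and an explicit override of `withLinuxMemlock = true` together with `withPAM = true` re-creates the crashing combination, since nothing else in this hunk prevents it.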
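Review bot: in the rl-2505.section.md hunk (PATCH 2/2), deleting the memlock sentence outright leaves 25.05 readers with no record that sshd is not locked into RAM when PAM support is enabled, which PATCH 1/2 makes the default on Linux; replace the removed clause with a short statement that memlocking is disabled for PAM-enabled builds because of an upstream crash (with the bug link), rather than dropping the topic, so the release notes stay accurate for people who read the earlier wording. While this line is being rewritten, check the binary name against the linked changelog: the OpenSSH 10.0 release names the new authentication process `sshd-auth`, whereas the retained text says `ssh-auth`.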