[openssh]: Restore behavior of ClientAliveCountMax=0 (#12549)

* [openssh]: Restore behavior of ClientAliveCountMax=0

OpenSSH 8.2 changed the behavior of ClientAliveCountMax=0 such that
setting it to 0 disables connection-killing entirely when the connection
is idle. Revert that change.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Remove build-dep command that should not be there

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

build_debian.sh

@@ -468,7 +468,7 @@ rm /files/etc/ssh/sshd_config/ClientAliveCountMax
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
 set /files/etc/ssh/sshd_config/ClientAliveInterval 300
-set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
+set /files/etc/ssh/sshd_config/ClientAliveCountMax 0
 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
 set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 5 minutes"
 rm /files/etc/ssh/sshd_config/MaxAuthTries

rules/sonic-fips.mk

@@ -1,6 +1,6 @@
 # fips packages
 
-FIPS_VERSION = 0.3
+FIPS_VERSION = 0.4
 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u3+fips
 FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips
 FIPS_PYTHON_MAIN_VERSION = 3.9

src/openssh/Makefile

@@ -23,7 +23,6 @@ ifeq ($(CROSS_BUILD_ENVIRON), y)
 	patch -p1 < ../patch/cross-compile-changes.patch
 	dpkg-buildpackage -rfakeroot -b -us -uc -a$(CONFIGURED_ARCH) -Pcross,nocheck -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 else
-	sudo http_proxy=$(http_proxy) apt-get -y build-dep openssh
 	dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 endif
 	popd

src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch

@@ -0,0 +1,48 @@
+From 2bc575c74aa811a60682e989d07675b8e7ac8a12 Mon Sep 17 00:00:00 2001
+From: Saikrishna Arcot <sarcot@microsoft.com>
+Date: Thu, 13 Oct 2022 13:45:17 -0700
+Subject: [PATCH] Revert commit 69334996: make
+ sshd_config:ClientAliveCountMax=0 disable the connection-killing behavior
+
+SONiC (and others) use this feature to kill connections when the session
+is idle after some duration of time. OpenSSH 8.2 defined setting
+ClientAliveCountMax=0, but by doing so, broke the current use case of
+it.
+
+Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
+---
+ serverloop.c  | 3 +--
+ sshd_config.5 | 3 ---
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index 48d936d..1b30498 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -184,8 +184,7 @@ client_alive_check(struct ssh *ssh)
+ 	int r, channel_id;
+ 
+ 	/* timeout, check to see how many we have had */
+-	if (options.client_alive_count_max > 0 &&
+-	    ssh_packet_inc_alive_timeouts(ssh) >
++	if (ssh_packet_inc_alive_timeouts(ssh) >
+ 	    options.client_alive_count_max) {
+ 		sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
+ 		logit("Timeout, client not responding from %s", remote_id);
+diff --git a/sshd_config.5 b/sshd_config.5
+index a555e7e..a5815d3 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -545,9 +545,6 @@ is set to 15, and
+ .Cm ClientAliveCountMax
+ is left at the default, unresponsive SSH clients
+ will be disconnected after approximately 45 seconds.
+-Setting a zero
+-.Cm ClientAliveCountMax
+-disables connection termination.
+ .It Cm ClientAliveInterval
+ Sets a timeout interval in seconds after which if no data has been received
+ from the client,
+-- 
+2.25.1
+

src/openssh/patch/series

@@ -1 +1,2 @@
 0001-Put-style-as-line-number-to-ssh-session-environment-.patch
+0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch