mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
Config snippets should be used over file overrides since targeted changes may be required in multiple recipes.

Since the oe-core sshd_config file now includes /etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet does not require the following:
* ChallengeResponseAuthentication: Replaced by KbdInteractiveAuthentication and set to "no" by default
* Override default of no subsystems: This is already present
* Compression, ClientAliveInterval, and ClientAliveCountMax: No changes required due to identical requirements of meta-selinux

Testing process:
* Pulled modified meta-selinux layer into Poky and included openssh
* Built core-image-sato and ran via qemu
* Verified /etc/ssh was as expected with an ssh_config.d directory with the new selinux config snippet inside
* Verified system was including selinux config modification by running sshd -T

Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Levi Shafter <lshafter@21sw.us>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
16 lines
704 B
Plaintext
# 50-selinux.conf
#
# SELinux-specific SSHD configuration overrides
# Managed by the meta-selinux layer in OpenEmbedded

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
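The last testing step in the commit message (running sshd -T) can be scripted so that a drop-in which is present on disk but not in effect is caught: sshd uses the first value it obtains for each keyword, so a snippet loses if the main sshd_config sets the same keyword before its Include line. The following is an added example, not part of the meta-selinux layer; the function names snippet_directives and check_effective and the file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that every directive in a drop-in snippet is
# present in sshd's effective configuration (saved `sshd -T` output).
# Function names are hypothetical, not part of meta-selinux or OpenSSH.

# snippet_directives FILE
# Print "keyword value" per directive, with the keyword lowercased the
# way `sshd -T` prints it. Comments and blank lines are skipped.
snippet_directives() {
    awk '!/^[ \t]*(#|$)/ {
        key = tolower($1)
        $1 = ""
        sub(/^[ \t]+/, "")
        print key, $0
    }' "$1"
}

# check_effective SNIPPET EFFECTIVE
# EFFECTIVE is a file holding `sshd -T` output. Returns 0 when every
# snippet directive is in effect, 1 otherwise (mismatches go to stderr).
check_effective() {
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # First line of the effective config whose keyword matches.
        got=$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$2")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: snippet=$want effective=${got:-<unset>}" >&2
            rc=1
        fi
    done <<EOF
$(snippet_directives "$1")
EOF
    return $rc
}

# Typical use on the target, as root:
#   sshd -T > /tmp/effective.txt
#   sh check.sh /etc/ssh/sshd_config.d/50-selinux.conf /tmp/effective.txt
if [ "$#" -eq 2 ]; then
    check_effective "$1" "$2"
fi
```

Values are compared as written, so the snippet should spell yes/no in lowercase as sshd -T does.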