What systemd dependencies?  :-)

# readlink /proc/1/exe /sbin && dpkg -S /sbin/init && cat /etc/debian_version && more /etc/apt/preferences.d/* | cat
/usr/sbin/init
usr/sbin

sysvinit-core: /sbin/init
12.10
::::::::::::::
/etc/apt/preferences.d/98init
::::::::::::::
Explanation: Avoid unintended installation of systemd-sysv.
Explanation: init can be provided by: systemd-sysv | sysvinit-core
Package: systemd-sysv
Pin: version *
Pin-Priority: -1

::::::::::::::
/etc/apt/preferences.d/99init
::::::::::::::
Explanation: Avoid unintended installation of systemd
Explanation: Note that systemd doesn't require systemd-sysv (systemd's
Explanation: init system).
Package: systemd
Pin: version *
Pin-Priority: -1

#

On Fri, Apr 11, 2025 at 11:12 AM Marc SCHAEFER <schae...@alphanet.ch> wrote:
>
> Hello,
>
> systemd dependencies that are activated on a Debian system imply a lot
> of library injections into sshd, much more than the stock OpenBSD ssh.
>
> To avoid this, there seem to be two approaches:
>
>    - remove those dependencies (see below)
>
>    - confine the impact of those dependencies, as proposed
>      by some developers, in having those dependencies confined
>      (not examined here)
>
> To solve this, I could use a Bastion host with a limited, non-Debian,
> OS, or I could recompile the OpenSSH package on Debian with options
> disabled.
>
> Doing the latter, I have much fewer dependencies (**)
>
> 4d3
> < libcom_err.so.2
> 9,18d7
> < libgcrypt.so.20
> < libgpg-error.so.0
> < libgssapi_krb5.so.2
> < libk5crypto.so.3
> < libkeyutils.so.1
> < libkrb5.so.3
> < libkrb5support.so.0
> < liblz4.so.1
> < liblzma.so.5
> < libnsl.so.2
> 22,23d10
> < libresolv.so.2
> < librt.so.1
> 25,26d11
> < libsystemd.so.0
> < libtirpc.so.3
> 28d12
> < libwrap.so.0
> 30d13
> < libzstd.so.1
>
> What do you think about this approach?
>
> Thank you for your comments.
>
>
> (*) on Debian bullseye:
>
> mkdir /tmp/tt
> cd /tmp/tt
>
> apt-get source openssh
>
> cd openssh-8.4p1/
>
> # openbsd-doc does not apply cleanly after
> sed -i '/^systemd-readiness.patch/d;/^restore-tcp-wrappers.patch/d;/^openbsd-docs.patch/d' debian/patches/series
> rm debian/patches/{systemd-readiness.patch,restore-tcp-wrappers.patch,openbsd-docs.patch}
>
> patch debian/rules <<'EOF'
>
> schaefer@reliant:/tmp/tt/openssh-8.4p1$ diff -uP debian/rules.ORIG 
> debian/rules
> --- debian/rules.ORIG   2025-04-11 19:35:13.568132105 +0200
> +++ debian/rules        2025-04-11 19:37:01.355078815 +0200
> @@ -73,20 +73,16 @@
>  confflags_udeb := $(confflags)
>
>  # Options specific to the deb build.
> -confflags += --with-tcp-wrappers
>  confflags += --with-pam
>  confflags += --with-libedit
> -confflags += --with-kerberos5=/usr
>  confflags += --with-ssl-engine
>  ifeq ($(DEB_HOST_ARCH_OS),linux)
>  confflags += --with-selinux
>  confflags += --with-audit=linux
> -confflags += --with-systemd
>  confflags += --with-security-key-builtin
>  endif
>
> -# The deb build wants xauth; the udeb build doesn't.
> -confflags += --with-xauth=/usr/bin/xauth
> +confflags += --without-xauth
>  confflags_udeb += --without-xauth
>
>  # Default paths. The udeb build has /usr/games removed.
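Review bot: the comment `# The deb build wants xauth; the udeb build doesn't.` is deleted together with the option it described, but the replacement line `+confflags += --without-xauth` gets no comment of its own, so the next reader of debian/rules cannot tell whether dropping X11 forwarding support was intended; add a one-line comment stating the intent (the deb build now uses the same setting as `confflags_udeb += --without-xauth`, so the two lines could also be merged). The three removed options (`--with-tcp-wrappers`, `--with-kerberos5=/usr`, `--with-systemd`) correspond to the libraries that disappear from the ldd diff above (libwrap, libkrb5 and libgssapi_krb5, libsystemd) and to the patches dropped from debian/patches/series, so these edits belong together in one change; note that removing `--with-kerberos5` disables GSSAPI authentication in sshd, not only a library.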
> EOF
>
> # -b: avoid source package creation, changelog, etc
> dpkg-buildpackage -b -rfakeroot -us -uc
>
>
> (**) demo:
>
> mkdir /tmp/tt2
> cd /tmp/tt2
>
> dpkg-deb -x ../tt/openssh-server_*.deb .
>
> diff <(ldd /usr/sbin/sshd | awk '{print $1;}' | sort) <(ldd usr/sbin/sshd | awk '{print $1;}' | sort)
>
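A small POSIX sh helper for the comparison in the demo above, added here as an example and not part of the thread: it compares the shared-library sets of two sshd builds from saved ldd(1) output, and unlike `awk '{print $1}'` it skips the lines that are not library SONAMEs (linux-vdso, the dynamic loader path, "statically linked"). The two ldd captures in `demo` are constructed samples trimmed to a few libraries.

```shell
# One SONAME per line, sorted, from ldd(1) output on stdin.
sonames() {
    awk '/statically linked/ { next }   # nothing dynamically linked at all
         $1 ~ /^linux-vdso/ { next }    # kernel vDSO, not a file on disk
         $1 ~ /^\//         { next }    # the dynamic loader, e.g. /lib64/ld-linux-x86-64.so.2
         { print $1 }' | sort -u
}

# Print SONAMEs present in the first ldd capture ($1) but not in the second ($2),
# i.e. the libraries a rebuilt sshd no longer pulls in.
extra_libs() {
    tmp=$(mktemp) || return 1
    sonames < "$2" > "$tmp"
    sonames < "$1" | grep -Fxv -f "$tmp"
    rm -f "$tmp"
}

# Constructed captures: a stock Debian sshd ("stock") and a rebuilt one ("slim").
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/stock.txt" <<'EOF'
    linux-vdso.so.1 (0x00007ffd3a5f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2c000000)
    libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f1a2bfe0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1a2bd00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bb00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c200000)
EOF
    cat > "$dir/slim.txt" <<'EOF'
    linux-vdso.so.1 (0x00007ffe1c3f0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f5b0a300000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5b0a100000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f5b0a500000)
EOF
    extra_libs "$dir/stock.txt" "$dir/slim.txt"   # prints libsystemd.so.0 and libwrap.so.0
    rm -rf "$dir"
}
```

On a real system, save `ldd /usr/sbin/sshd` and `ldd usr/sbin/sshd` to two files and pass them to `extra_libs`.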