diff --git a/openssh-6.6p1-redhat.patch b/openssh-6.6p1-redhat.patch new file mode 100644 index 0000000..818858a --- /dev/null +++ b/openssh-6.6p1-redhat.patch @@ -0,0 +1,147 @@ +diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config +--- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100 ++++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100 +@@ -48,3 +48,7 @@ + # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h ++# ++# To modify the system-wide ssh configuration, create a *.conf file under ++# /etc/ssh/ssh_config.d/ which will be automatically included below ++Include /etc/ssh/ssh_config.d/*.conf +diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat +--- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100 ++++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100 +@@ -0,0 +1,20 @@ ++# Follow system-wide Crypto Policy, if defined: ++Include /etc/crypto-policies/back-ends/openssh.config ++ ++# Uncomment this if you want to use .local domain ++# Host *.local ++# CheckHostIP no ++ ++Host * ++ GSSAPIAuthentication yes ++ ++# If this option is set to yes then remote X11 clients will have full access ++# to the original X11 display. As virtually no X11 client supports the untrusted ++# mode correctly we set this to yes. ++ ForwardX11Trusted yes ++ ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS +diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0 +--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100 ++++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100 +@@ -837,9 +837,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5 +--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100 ++++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100 +@@ -1393,7 +1393,7 @@ By default no subsystems are defined. + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . +-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive +diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config +--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100 ++++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100 +@@ -10,21 +10,26 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# If you want to change the port on a SELinux system, you have to tell ++# SELinux about this change. ++# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER ++# + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 + #ListenAddress :: + +-#HostKey /etc/ssh/ssh_host_rsa_key ++HostKey /etc/ssh/ssh_host_rsa_key + #HostKey /etc/ssh/ssh_host_dsa_key +-#HostKey /etc/ssh/ssh_host_ecdsa_key +-#HostKey /etc/ssh/ssh_host_ed25519_key ++HostKey /etc/ssh/ssh_host_ecdsa_key ++HostKey /etc/ssh/ssh_host_ed25519_key + + # Ciphers and keying + #RekeyLimit default none + + # Logging + #SyslogFacility AUTH ++SyslogFacility AUTHPRIV + #LogLevel INFO + + # Authentication: +@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + #PermitEmptyPasswords no ++PasswordAuthentication yes + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes ++ChallengeResponseAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys + #KerberosGetAFSToken no + + # GSSAPI options +-#GSSAPIAuthentication no +-#GSSAPICleanupCredentials yes ++GSSAPIAuthentication yes ++GSSAPICleanupCredentials no + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. +-#UsePAM no ++UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PermitTTY yes +@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys + # no default banner path + #Banner none + ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++AcceptEnv XMODIFIERS ++ + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + diff --git a/openssh-7.5p1-redhat.patch b/openssh-7.5p1-redhat.patch deleted file mode 100644 index cd0971a..0000000 --- a/openssh-7.5p1-redhat.patch +++ /dev/null @@ -1,153 +0,0 @@ -diff -up openssh-7.5p1/ssh_config.redhat openssh-7.5p1/ssh_config ---- openssh-7.5p1/ssh_config.redhat 2017-03-20 03:39:27.000000000 +0100 -+++ openssh-7.5p1/ssh_config 2017-07-11 13:05:42.728031520 +0200 -@@ -48,3 +48,7 @@ - # VisualHostKey no - # ProxyCommand ssh -q -W %h:%p gateway.example.com - # RekeyLimit 1G 1h -+# -+# To modify the system-wide ssh configuration, create a *.conf file under -+# /etc/ssh/ssh_config.d/ which will be automatically included below -+Include /etc/ssh/ssh_config.d/*.conf -diff -up openssh-7.5p1/ssh_config_redhat.redhat openssh-7.5p1/ssh_config_redhat ---- openssh-7.5p1/ssh_config_redhat.redhat 2017-07-11 13:05:42.728031520 +0200 -+++ openssh-7.5p1/ssh_config_redhat 2017-07-11 13:05:42.728031520 +0200 -@@ -0,0 +1,20 @@ -+# Follow system-wide Crypto Policy, if defined: -+Include /etc/crypto-policies/back-ends/openssh.config -+ -+# Uncomment this if you want to use .local domain -+# Host *.local -+# CheckHostIP no -+ -+Host * -+ GSSAPIAuthentication yes -+ -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+ -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+ SendEnv XMODIFIERS -diff -up openssh-7.5p1/sshd_config.0.redhat openssh-7.5p1/sshd_config.0 ---- openssh-7.5p1/sshd_config.0.redhat 2017-03-20 10:52:56.000000000 +0100 -+++ openssh-7.5p1/sshd_config.0 2017-07-11 13:05:42.728031520 +0200 -@@ -850,9 +850,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The -- default is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-7.5p1/sshd_config.5.redhat openssh-7.5p1/sshd_config.5 ---- openssh-7.5p1/sshd_config.5.redhat 2017-03-20 03:39:27.000000000 +0100 -+++ openssh-7.5p1/sshd_config.5 2017-07-11 13:05:42.728031520 +0200 -@@ -1413,7 +1413,7 @@ By default no subsystems are defined. - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive -diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config ---- openssh-7.5p1/sshd_config.redhat 2017-03-20 03:39:27.000000000 +0100 -+++ openssh-7.5p1/sshd_config 2017-07-11 13:10:44.967594004 +0200 -@@ -10,21 +10,32 @@ - # possible, but leave them commented. Uncommented options override the - # default value. - -+# If you want to change the port on a SELinux system, you have to tell -+# SELinux about this change. -+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER -+# - #Port 22 - #AddressFamily any - #ListenAddress 0.0.0.0 - #ListenAddress :: - --#HostKey /etc/ssh/ssh_host_rsa_key -+HostKey /etc/ssh/ssh_host_rsa_key - #HostKey /etc/ssh/ssh_host_dsa_key --#HostKey /etc/ssh/ssh_host_ecdsa_key --#HostKey /etc/ssh/ssh_host_ed25519_key -+HostKey /etc/ssh/ssh_host_ecdsa_key -+HostKey /etc/ssh/ssh_host_ed25519_key - - # Ciphers and keying - #RekeyLimit default none - -+# System-wide Crypto policies: -+# The following macro will get expanded to the system-wide crypto policy -+# defaults. For more information, see manual page for update-crypto-policies(8). -+# To manually overwrite options defined here, write them BEFORE this block -+#{INCLUDE_CRYPTO_POLICY}# -+ - # Logging - #SyslogFacility AUTH -+SyslogFacility AUTHPRIV - #LogLevel INFO - - # Authentication: -@@ -57,9 +68,11 @@ AuthorizedKeysFile .ssh/authorized_keys - # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no -+PasswordAuthentication yes - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no -@@ -68,8 +81,8 @@ AuthorizedKeysFile .ssh/authorized_keys - #KerberosGetAFSToken no - - # GSSAPI options --#GSSAPIAuthentication no --#GSSAPICleanupCredentials yes -+GSSAPIAuthentication yes -+GSSAPICleanupCredentials no - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -80,12 +93,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. --#UsePAM no -+UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes - #GatewayPorts no --#X11Forwarding no -+X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes -@@ -107,6 +120,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # no default banner path - #Banner none - -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+AcceptEnv XMODIFIERS -+ - # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - diff --git a/openssh.spec b/openssh.spec index 2dac563..cf9b442 100644 --- a/openssh.spec +++ b/openssh.spec @@ -90,7 +90,6 @@ Source12: sshd-keygen@.service Source13: sshd-keygen Source14: sshd.tmpfiles Source15: sshd-keygen.target -Source16: sshd-pre.sh # Internal debug Patch0: openssh-5.9p1-wIm.patch @@ -156,7 +155,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch #https://bugzilla.redhat.com/show_bug.cgi?id=198332 Patch703: openssh-4.3p2-askpass-grab-info.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-7.5p1-redhat.patch +Patch707: openssh-6.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) Patch708: openssh-6.6p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) @@ -598,7 +597,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd -mkdir -p -m755 $RPM_BUILD_ROOT/run/openssh make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf @@ -617,7 +615,6 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen -install -m744 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf @@ -706,12 +703,10 @@ getent passwd sshd >/dev/null || \ %if ! %{rescue} %files server %dir %attr(0711,root,root) %{_var}/empty/sshd -%dir %attr(0755,root,root) /run/openssh %attr(0755,root,root) %{_sbindir}/sshd %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen -%attr(0755,root,root) %{_libexecdir}/openssh/sshd-pre %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/sshd.8* diff --git a/sshd-pre.sh b/sshd-pre.sh deleted file mode 100644 index 985426b..0000000 --- a/sshd-pre.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -# simple helper script, which substitutes a token in configuration file with -# system wide crypto policy, if installed. If not, this script just copies the -# configuration file to the runtime file, that will be used by the SSHD daemon. - -SSHD_CONFIG="/etc/ssh/sshd_config" -SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config" -CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config" - -if [ ! -f "$CRYPTO_POLICIES" ]; then - # if not installed, copy just the template - # (to overwrite potential old policy) - cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" -else - # do the substitution. - sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \ - "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" -fi - -# XXX should be taken care of in SELinux somehow -# set reasonable label if it gets the default (do not overwrite fixed) -ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME - -# makes sure we have sane permissions as the original file has. -chmod 600 $SSHD_CONFIG_RUNTIME - -# reload the service if requested -if [ "$1" = "reload" ]; then - /bin/kill -HUP $2 -fi diff --git a/sshd.service b/sshd.service index 46222f0..e8afb86 100644 --- a/sshd.service +++ b/sshd.service @@ -7,9 +7,8 @@ Wants=sshd-keygen.target [Service] Type=notify EnvironmentFile=-/etc/sysconfig/sshd -ExecStartPre=/usr/libexec/openssh/sshd-pre -ExecStart=/usr/sbin/sshd -D $OPTIONS -f /run/openssh/sshd_config -ExecReload=/usr/libexec/openssh/sshd-pre reload $MAINPID +ExecStart=/usr/sbin/sshd -D $OPTIONS +ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure RestartSec=42s diff --git a/sshd.tmpfiles b/sshd.tmpfiles index 586c7e3..c35a2b8 100644 --- a/sshd.tmpfiles +++ b/sshd.tmpfiles @@ -1,2 +1 @@ d /var/empty/sshd 711 root root - -d /run/openssh 755 root root - diff --git a/sshd@.service b/sshd@.service index c95a3cb..196c555 100644 --- a/sshd@.service +++ b/sshd@.service @@ -6,6 +6,5 @@ After=sshd-keygen.target [Service] EnvironmentFile=-/etc/sysconfig/sshd -ExecStartPre=/usr/libexec/openssh/sshd-pre -ExecStart=-/usr/sbin/sshd -i $OPTIONS -f /run/openssh/sshd_config +ExecStart=-/usr/sbin/sshd -i $OPTIONS StandardInput=socket