/usr/lib/openssh/ssh-ldap-helper -s "$1"
exit 0
---- openssh-6.3p1/ldap-helper.c~ 2013-11-02 17:14:48.000000000 +0200
-+++ openssh-6.3p1/ldap-helper.c 2013-11-02 18:39:15.740402594 +0200
+--- openssh-6.6p1/ldap-helper.c~ 2014-05-13 17:04:22.258162978 +0300
++++ openssh-6.6p1/ldap-helper.c 2014-05-13 17:14:08.398824417 +0300
+@@ -31,6 +31,7 @@
+ #include "ldapbody.h"
+ #include <string.h>
+ #include <unistd.h>
++#include <signal.h>
+
+ static int config_debug = 0;
+ int config_exclusive_config_file = 0;
@@ -137,6 +137,8 @@
ldap_checkconfig();
ldap_do_connect();
--- /dev/null
+https://bugzilla.mindrot.org/show_bug.cgi?id=2142
+
+--- a/Makefile.in
++++ a/Makefile.in
+@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ sftp-server.o sftp-common.o \
+ roaming_common.o roaming_serv.o \
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+- sandbox-seccomp-filter.o sandbox-capsicum.o
++ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o
+
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+--- a/configure.ac
++++ a/configure.ac
+@@ -2867,11 +2867,22 @@ else
+ fi
+ AC_SUBST([SSH_PRIVSEP_USER])
+
++AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
++ #include <sys/types.h>
++ #include <seccomp.h>
++])
++if test "x$have_libseccomp_filter" = "x1" ; then
++ AC_CHECK_LIB([seccomp], [seccomp_init],
++ [LIBS="$LIBS -lseccomp"],
++ [have_libseccomp_filter=0])
++fi
++
+ if test "x$have_linux_no_new_privs" = "x1" ; then
+ AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+ #include <sys/types.h>
+ #include <linux/seccomp.h>
+ ])
++
+ fi
+ if test "x$have_seccomp_filter" = "x1" ; then
+ AC_MSG_CHECKING([kernel for seccomp_filter support])
+@@ -2898,7 +2909,7 @@ fi
+ # Decide which sandbox style to use
+ sandbox_arg=""
+ AC_ARG_WITH([sandbox],
+- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, capsicum)],
+ [
+ if test "x$withval" = "xyes" ; then
+ sandbox_arg=""
+@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
+ AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
+ SANDBOX_STYLE="darwin"
+ AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
++elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
++ ( test -z "$sandbox_arg" && \
++ test "x$have_libseccomp_filter" = "x1" ) ; then
++ test "x$have_libseccomp_filter" != "x1" && \
++ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
++ SANDBOX_STYLE="libseccomp_filter"
++ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
+ elif test "x$sandbox_arg" = "xseccomp_filter" || \
+ ( test -z "$sandbox_arg" && \
+ test "x$have_seccomp_filter" = "x1" && \
+--- a/sandbox-libseccomp-filter.c
++++ a/sandbox-libseccomp-filter.c
+@@ -0,0 +1,175 @@
++/*
++ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include "includes.h"
++
++#ifdef SANDBOX_LIBSECCOMP_FILTER
++
++#include <sys/types.h>
++#include <sys/resource.h>
++#include <seccomp.h>
++
++#include <errno.h>
++#include <signal.h>
++#include <stdarg.h>
++#include <stddef.h> /* for offsetof */
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "log.h"
++#include "ssh-sandbox.h"
++#include "xmalloc.h"
++
++struct ssh_sandbox {
++ pid_t child_pid;
++};
++
++struct ssh_sandbox *
++ssh_sandbox_init(struct monitor *monitor)
++{
++ struct ssh_sandbox *box;
++
++ /*
++ * Strictly, we don't need to maintain any state here but we need
++ * to return non-NULL to satisfy the API.
++ */
++ debug3("%s: preparing libseccomp filter sandbox", __func__);
++ box = xcalloc(1, sizeof(*box));
++ box->child_pid = 0;
++
++ return box;
++}
++
++static int
++seccomp_add_secondary_archs(scmp_filter_ctx *c)
++{
++#if defined(__i386__) || defined(__x86_64__)
++ int r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X86);
++ if (r < 0 && r != -EEXIST)
++ return r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
++ if (r < 0 && r != -EEXIST)
++ return r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X32);
++ if (r < 0 && r != -EEXIST)
++ return r;
++#endif
++ return 0;
++}
++
++struct scmp_action_def {
++ uint32_t action;
++ int syscall;
++};
++
++static const struct scmp_action_def preauth_insns[] = {
++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
++#ifdef __NR_time /* not defined on EABI ARM */
++ {SCMP_ACT_ALLOW, SCMP_SYS(time)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(read)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(write)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(close)},
++#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
++ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(brk)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(poll)},
++#ifdef __NR__newselect
++ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(select)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
++#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
++#endif
++#ifdef __NR_mmap
++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
++#endif
++#ifdef __dietlibc__
++ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(exit)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
++#ifdef __NR_rt_sigprocmask
++ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
++#else
++ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
++#endif
++ {0, 0}
++};
++
++
++void
++ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ scmp_filter_ctx *seccomp;
++ struct rlimit rl_zero;
++ const struct scmp_action_def *insn;
++ int r;
++
++ /* Set rlimits for completeness if possible. */
++ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
++ __func__, strerror(errno));
++
++ seccomp = seccomp_init(SCMP_ACT_KILL);
++ if (!seccomp)
++ fatal("%s:libseccomp activation failed", __func__);
++ if (seccomp_add_secondary_archs(seccomp))
++ fatal("%s:libseccomp secondary arch setup failed", __func__);
++
++ for (insn = preauth_insns; insn->action; insn++) {
++ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
++ fatal("%s:libseccomp rule failed", __func__);
++ }
++
++ if ((r = seccomp_load(seccomp)) < 0)
++ fatal("%s:libseccomp unable to load filter %d", __func__, r);
++
++ seccomp_release(seccomp);
++}
++
++void
++ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++{
++ free(box);
++ debug3("%s: finished", __func__);
++}
++
++void
++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++{
++ box->child_pid = child_pid;
++}
++
++#endif /* SANDBOX_LIBSECCOMP_FILTER */
/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
#define M_CP_STROPT(n) do {\
@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sUseDNS, o->use_dns);
- dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaBCfgKkMNnqsTtVvXxYy
+-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
++.Op Fl 1246AaBCfGgKkMNnqsTtVvXxYy
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaBCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
" [-F configfile] [-I pkcs11] [-i identity_file]\n"
" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n"
again:
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+ "ABCD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++ "ABCD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
# Conditional build:
%bcond_without audit # sshd audit support
%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility
-%bcond_without gtk # with GTK+ (2.x)
+%bcond_without gtk # without GTK+ (2.x)
%bcond_without ldap # with ldap support
%bcond_without libedit # without libedit (editline/history support in sftp client)
%bcond_without kerberos5 # without kerberos5 support
%bcond_without selinux # build without SELinux support
+%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel)
%bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
%bcond_without tests
# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
-%define pam_ver 1:1.1.5-5
+%ifnarch x32
+# libseccomp requires 3.5 kernel, avoid such requirement where possible (non-x32 arches)
+%undefine with_libseccomp
+%endif
+
+%define sandbox %{?with_libseccomp:lib}seccomp_filter
+
+%ifarch x32
+%{!?with_libseccomp:%error openssh seccomp implementation is broken! do not disable libseccomp on x32}
+%endif
+
+%define pam_ver 1:1.1.8-5
Summary: OpenSSH free Secure Shell (SSH) implementation
Summary(de.UTF-8): OpenSSH - freie Implementation der Secure Shell (SSH)
Summary(es.UTF-8): Implementación libre de SSH
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 6.7p1
-Release: 5
+Version: 6.8p1
+Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 3246aa79317b1d23cae783a3bf8275d6
+# Source0-md5: 08f72de6751acfbd0892b5f003922701
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
Source5: ssh-agent.sh
Source6: ssh-agent.conf
Source7: %{name}-lpk.schema
-Source9: sshd.service
-Source10: sshd-keygen
+Source8: sshd-keygen
Patch0: %{name}-no_libnsl.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
Patch4: %{name}-ldap.patch
Patch5: %{name}-ldap-fixes.patch
-Patch8: ldap.conf.patch
-Patch6: %{name}-config.patch
-Patch7: ldap-helper-sigpipe.patch
-
+Patch6: ldap.conf.patch
+Patch7: %{name}-config.patch
+Patch8: ldap-helper-sigpipe.patch
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
Patch10: %{name}-include.patch
Patch11: %{name}-chroot.patch
-# ssh-vulnkey-compat.patch from debian sources
Patch12: %{name}-vulnkey-compat.patch
Patch13: %{name}-kuserok.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
+Patch16: libseccomp-sandbox.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
-%{?with_tests:BuildRequires: %{name}-server}
%{?with_audit:BuildRequires: audit-libs-devel}
BuildRequires: autoconf >= 2.50
BuildRequires: automake
%{?with_gtk:BuildRequires: gtk+2-devel}
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
%{?with_libedit:BuildRequires: libedit-devel}
+BuildRequires: libseccomp-devel
%{?with_selinux:BuildRequires: libselinux-devel}
-BuildRequires: libwrap-devel
%{?with_ldap:BuildRequires: openldap-devel}
BuildRequires: openssl-devel >= 0.9.8f
BuildRequires: pam-devel
BuildRequires: rpmbuild(macros) >= 1.627
BuildRequires: sed >= 4.0
BuildRequires: zlib-devel >= 1.2.3
+%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
+BuildRequires: %{name}-server
+%endif
+%if %{with tests} && %{with libseccomp}
+# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
+BuildRequires: uname(release) >= 3.5
+%endif
Requires: zlib >= 1.2.3
Requires: filesystem >= 3.0-11
Requires: pam >= %{pam_ver}
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: pam >= %{pam_ver}
Requires: rc-scripts >= 0.4.3.0
+%{?with_libseccomp:Requires: uname(release) >= 3.5}
Requires: util-linux
%{?with_ldap:Suggests: %{name}-server-ldap}
Suggests: /bin/login
%patch3 -p1
%patch4 -p1
%patch5 -p1
-%patch8 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
%{?with_hpn:%patch9 -p1}
%patch10 -p1
%patch11 -p1
-# do we really need to drag this old/obsolete patch?
%patch12 -p1
-# code changed in upstream, needs baggins verification
%patch13 -p1
%patch14 -p1
%{!?with_ldap:%patch15 -p1}
+%{?with_libseccomp:%patch16 -p1}
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
+# prevent being ovewritten by aclocal calls
+mv aclocal.m4 acinclude.m4
+
%build
cp /usr/share/automake/config.sub .
%{__aclocal}
%{__autoconf}
%{__autoheader}
-CPPFLAGS="-DCHROOT"
+CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
%configure \
PERL=%{__perl} \
--disable-strip \
--with-pam \
--with-pid-dir=%{_localstatedir}/run \
--with-privsep-path=%{_privsepdir} \
- --with-sandbox=seccomp_filter \
+ --with-privsep-user=sshd \
%{?with_selinux:--with-selinux} \
+ --with-sandbox=%{sandbox} \
--with-xauth=%{_bindir}/xauth
echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h
%{__make}
-%{?with_tests:%{__make} tests}
+%{?with_tests:%{__make} -j1 tests}
cd contrib
%if %{with gnome}
%install
rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \
+install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}}
install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}
-cp -p %{SOURCE3} sshd.pam
-install -p %{SOURCE2} sshd.init
-
-%if %{without audit}
-# remove recording user's login uid to the process attribute
-%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam
-%endif
-
-install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
-ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
+ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
-cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+install -p %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+
+%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+ $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
+ $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
%if %{with gnome}
install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
#SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
EOF
+%if %{without audit}
+# remove recording user's login uid to the process attribute
+%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+
%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}
# Source function library
. /etc/rc.d/init.d/functions
-upstart_controlled --except init configtest
-
# Get network config
. /etc/sysconfig/network
}
ssh_gen_keys() {
- # generate new keys with empty passwords if they do not exist
- if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
- /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_key
- fi
- if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then
- /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_rsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_rsa_key
- fi
- if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
- /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_dsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_dsa_key
- fi
- if [ ! -f /etc/ssh/ssh_host_ecdsa_key -o ! -s /etc/ssh/ssh_host_ecdsa_key ]; then
- /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key
- fi # ecdsa
- if [ ! -f /etc/ssh/ssh_host_ed25519_key -o ! -s /etc/ssh/ssh_host_ed25519_key ]; then
- /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ed25519_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ed25519_key
- fi # ed25519
+ @@LIBEXECDIR@@/sshd-keygen
}
start() {
# Check if the service is already running?
- if [ -f /var/lock/subsys/sshd ]; then
+ if status --pidfile $PIDFILE sshd >/dev/null; then
msg_already_running "OpenSSH"
return
fi
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
auth include system-auth
+auth include postlogin
account required pam_shells.so
account required pam_nologin.so
-account required pam_access.so
+account required pam_access.so
account include system-auth
password include system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
+session include postlogin
session optional pam_mail.so
# Get service config
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
-# generate new keys with empty passwords if they do not exist
-if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
- /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_key
-fi
-if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then
- /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_rsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_rsa_key
-fi
-if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
- /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_dsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_dsa_key
-fi
-if [ ! -f /etc/ssh/ssh_host_ecdsa_key -o ! -s /etc/ssh/ssh_host_ecdsa_key ]; then
- /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key
-fi # ecdsa
-if [ ! -f /etc/ssh/ssh_host_ed25519_key -o ! -s /etc/ssh/ssh_host_ed25519_key ]; then
- /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ed25519_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ed25519_key
-fi # ed25519
+# generate new key with empty password if it does not exist
+ssh_gen_key() {
+ local type="$1" keyfile="$2"
+
+ test -s $keyfile && return
-exit 0
+ /usr/bin/ssh-keygen -t $type -f $keyfile -N '' >&2
+ chmod 600 $keyfile
+ [ -x /sbin/restorecon ] && /sbin/restorecon $keyfile
+}
+
+# generate new keys with empty passwords if they do not exist
+ssh_gen_key rsa1 /etc/ssh/ssh_host_key
+ssh_gen_key rsa /etc/ssh/ssh_host_rsa_key
+ssh_gen_key dsa /etc/ssh/ssh_host_dsa_key
+ssh_gen_key ecdsa /etc/ssh/ssh_host_ecdsa_key
+ssh_gen_key ed25519 /etc/ssh/ssh_host_ed25519_key
+++ /dev/null
-[Unit]
-Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
-
-[Service]
-EnvironmentFile=-/etc/sysconfig/sshd
-ExecStartPre=@@LIBEXECDIR@@/sshd-keygen
-ExecStart=/usr/sbin/sshd -D $OPTIONS
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
TLD / packages / openssh.git / commitdiff