From 54ca8b1071ec74b0822593998c5688167b1ac49d Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Wed, 6 May 2015 10:11:27 +0000 Subject: [PATCH] - updated to 6.8p1, merged PLD changes --- ldap-helper-sigpipe.patch | 12 +- libseccomp-sandbox.patch | 239 ++++++++++++++++++++++++++++++++++++++ openssh-kuserok.patch | 4 +- openssh-sigpipe.patch | 12 +- openssh.spec | 87 ++++++++------ opensshd.init | 31 +---- opensshd.pamd | 4 +- sshd-keygen | 43 +++---- sshd.service | 14 --- 9 files changed, 332 insertions(+), 114 deletions(-) create mode 100644 libseccomp-sandbox.patch delete mode 100644 sshd.service diff --git a/ldap-helper-sigpipe.patch b/ldap-helper-sigpipe.patch index 7c51100..cfa2018 100644 --- a/ldap-helper-sigpipe.patch +++ b/ldap-helper-sigpipe.patch @@ -81,8 +81,16 @@ script. i don't like this solution, but it makes the problem go away: /usr/lib/openssh/ssh-ldap-helper -s "$1" exit 0 ---- openssh-6.3p1/ldap-helper.c~ 2013-11-02 17:14:48.000000000 +0200 -+++ openssh-6.3p1/ldap-helper.c 2013-11-02 18:39:15.740402594 +0200 +--- openssh-6.6p1/ldap-helper.c~ 2014-05-13 17:04:22.258162978 +0300 ++++ openssh-6.6p1/ldap-helper.c 2014-05-13 17:14:08.398824417 +0300 +@@ -31,6 +31,7 @@ + #include "ldapbody.h" + #include + #include ++#include + + static int config_debug = 0; + int config_exclusive_config_file = 0; @@ -137,6 +137,8 @@ ldap_checkconfig(); ldap_do_connect(); diff --git a/libseccomp-sandbox.patch b/libseccomp-sandbox.patch new file mode 100644 index 0000000..abed09f --- /dev/null +++ b/libseccomp-sandbox.patch 
@@ -0,0 +1,239 @@ +https://bugzilla.mindrot.org/show_bug.cgi?id=2142 + +--- a/Makefile.in ++++ a/Makefile.in +@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ +- sandbox-seccomp-filter.o sandbox-capsicum.o ++ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o + + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out + MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +--- a/configure.ac ++++ a/configure.ac +@@ -2867,11 +2867,22 @@ else + fi + AC_SUBST([SSH_PRIVSEP_USER]) + ++AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [ ++ #include ++ #include ++]) ++if test "x$have_libseccomp_filter" = "x1" ; then ++ AC_CHECK_LIB([seccomp], [seccomp_init], ++ [LIBS="$LIBS -lseccomp"], ++ [have_libseccomp_filter=0]) ++fi ++ + if test "x$have_linux_no_new_privs" = "x1" ; then + AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ + #include + #include + ]) ++ + fi + if test "x$have_seccomp_filter" = "x1" ; then + AC_MSG_CHECKING([kernel for seccomp_filter support]) +@@ -2898,7 +2909,7 @@ fi + # Decide which sandbox style to use + sandbox_arg="" + AC_ARG_WITH([sandbox], +- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], ++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, capsicum)], + [ + if test "x$withval" = "xyes" ; then + sandbox_arg="" +@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ + 
AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) ++elif test "x$sandbox_arg" = "xlibseccomp_filter" || \ ++ ( test -z "$sandbox_arg" && \ ++ test "x$have_libseccomp_filter" = "x1" ) ; then ++ test "x$have_libseccomp_filter" != "x1" && \ ++ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host]) ++ SANDBOX_STYLE="libseccomp_filter" ++ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter]) + elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" = "x1" && \ +--- a/sandbox-libseccomp-filter.c ++++ a/sandbox-libseccomp-filter.c +@@ -0,0 +1,175 @@ ++/* ++ * Copyright (c) 2012 Will Drewry ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
++ */ ++ ++#include "includes.h" ++ ++#ifdef SANDBOX_LIBSECCOMP_FILTER ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include /* for offsetof */ ++#include ++#include ++#include ++#include ++ ++#include "log.h" ++#include "ssh-sandbox.h" ++#include "xmalloc.h" ++ ++struct ssh_sandbox { ++ pid_t child_pid; ++}; ++ ++struct ssh_sandbox * ++ssh_sandbox_init(struct monitor *monitor) ++{ ++ struct ssh_sandbox *box; ++ ++ /* ++ * Strictly, we don't need to maintain any state here but we need ++ * to return non-NULL to satisfy the API. ++ */ ++ debug3("%s: preparing libseccomp filter sandbox", __func__); ++ box = xcalloc(1, sizeof(*box)); ++ box->child_pid = 0; ++ ++ return box; ++} ++ ++static int ++seccomp_add_secondary_archs(scmp_filter_ctx *c) ++{ ++#if defined(__i386__) || defined(__x86_64__) ++ int r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X86); ++ if (r < 0 && r != -EEXIST) ++ return r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X86_64); ++ if (r < 0 && r != -EEXIST) ++ return r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X32); ++ if (r < 0 && r != -EEXIST) ++ return r; ++#endif ++ return 0; ++} ++ ++struct scmp_action_def { ++ uint32_t action; ++ int syscall; ++}; ++ ++static const struct scmp_action_def preauth_insns[] = { ++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)}, ++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)}, ++#ifdef __NR_time /* not defined on EABI ARM */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(time)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(read)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(write)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(close)}, ++#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(brk)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(poll)}, ++#ifdef __NR__newselect ++ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)}, 
++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(select)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)}, ++#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)}, ++#endif ++#ifdef __NR_mmap ++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)}, ++#endif ++#ifdef __dietlibc__ ++ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(exit)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)}, ++#ifdef __NR_rt_sigprocmask ++ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)}, ++#else ++ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)}, ++#endif ++ {0, 0} ++}; ++ ++ ++void ++ssh_sandbox_child(struct ssh_sandbox *box) ++{ ++ scmp_filter_ctx *seccomp; ++ struct rlimit rl_zero; ++ const struct scmp_action_def *insn; ++ int r; ++ ++ /* Set rlimits for completeness if possible. */ ++ rl_zero.rlim_cur = rl_zero.rlim_max = 0; ++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ ++ seccomp = seccomp_init(SCMP_ACT_KILL); ++ if (!seccomp) ++ fatal("%s:libseccomp activation failed", __func__); ++ if (seccomp_add_secondary_archs(seccomp)) ++ fatal("%s:libseccomp secondary arch setup failed", __func__); ++ ++ for (insn = preauth_insns; insn->action; insn++) { ++ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0) ++ fatal("%s:libseccomp rule failed", __func__); ++ } ++ ++ if ((r = seccomp_load(seccomp)) < 0) ++ fatal("%s:libseccomp unable to load filter %d", __func__, r); ++ ++ seccomp_release(seccomp); ++} ++ ++void ++ssh_sandbox_parent_finish(struct ssh_sandbox *box) ++{ ++ free(box); ++ debug3("%s: finished", __func__); ++} ++ ++void ++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, 
pid_t child_pid) ++{ ++ box->child_pid = child_pid; ++} ++ ++#endif /* SANDBOX_LIBSECCOMP_FILTER */ diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch index c221dce..6955b88 100644 --- a/openssh-kuserok.patch +++ b/openssh-kuserok.patch @@ -114,9 +114,9 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ #define M_CP_STROPT(n) do {\ @@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sUseDNS, o->use_dns); - dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); + dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); /* string arguments */ diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index 67631f7..78d72b7 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch @@ -37,8 +37,8 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 .Sh SYNOPSIS .Nm ssh .Bk -words --.Op Fl 1246AaCfgKkMNnqsTtVvXxYy -+.Op Fl 1246AaBCfgKkMNnqsTtVvXxYy +-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy ++.Op Fl 1246AaBCfGgKkMNnqsTtVvXxYy .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port @@ -69,8 +69,8 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 usage(void) { fprintf(stderr, --"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -+"usage: ssh [-1246AaBCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +-"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" ++"usage: ssh [-1246AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" " [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n" 
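Review bot: The rule loop in ssh_sandbox_child, `for (insn = preauth_insns; insn->action; insn++)`, uses action == 0 as the table terminator, but libseccomp defines SCMP_ACT_KILL as 0, so any explicit kill rule added to preauth_insns later would silently end the table there and leave every rule after it unloaded under the kill-by-default filter (fail-closed, but hard to diagnose). Iterate over an explicit count instead, `for (i = 0; i < sizeof(preauth_insns) / sizeof(preauth_insns[0]); i++)`, and drop the `{0, 0}` sentinel. Two smaller points in the same file: `scmp_filter_ctx` is already a pointer typedef in seccomp.h, so `scmp_filter_ctx *seccomp` and the parameter of seccomp_add_secondary_archs carry one indirection too many and only compile because the typedef is `void *` — declare both as plain `scmp_filter_ctx`; and `SCMP_SYS(getpid)` appears twice in preauth_insns.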
@@ -78,8 +78,8 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" -- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+ "ABCD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { +- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++ "ABCD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; diff --git a/openssh.spec b/openssh.spec index 88c7a3f..0192683 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,18 +6,30 @@ # Conditional build: %bcond_without audit # sshd audit support %bcond_with gnome # with gnome-askpass (GNOME 1.x) utility -%bcond_without gtk # with GTK+ (2.x) +%bcond_without gtk # without GTK+ (2.x) %bcond_without ldap # with ldap support %bcond_without libedit # without libedit (editline/history support in sftp client) %bcond_without kerberos5 # without kerberos5 support %bcond_without selinux # build without SELinux support +%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel) %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) %bcond_without tests # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} -%define pam_ver 1:1.1.5-5 +%ifnarch x32 +# libseccomp requires 3.5 kernel, avoid such requirement where possible (non-x32 arches) +%undefine with_libseccomp +%endif + +%define sandbox %{?with_libseccomp:lib}seccomp_filter + +%ifarch x32 +%{!?with_libseccomp:%error openssh seccomp implementation is broken! do not disable libseccomp on x32} +%endif + +%define pam_ver 1:1.1.8-5 Summary: OpenSSH free Secure Shell (SSH) implementation Summary(de.UTF-8): OpenSSH - freie Implementation der Secure Shell (SSH) Summary(es.UTF-8): Implementación libre de SSH 
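Review bot: The `%ifnarch x32` block unconditionally undefines with_libseccomp, so `--with libseccomp` on the rpmbuild command line is silently ignored on every arch except x32, and the `%bcond_without libseccomp` line above it then promises an option that cannot actually be enabled there. If the intent is default-off except on x32 while still allowing opt-in elsewhere, express it as `%bcond_with libseccomp` followed by `%ifarch x32` / `%define with_libseccomp 1` / `%endif`; that also keeps the x32 `%error` guard meaningful. If opt-in is deliberately not wanted on other arches, the comment on the bcond should say so.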
@@ -29,13 +41,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 6.7p1 -Release: 5 +Version: 6.8p1 +Release: 1 Epoch: 2 License: BSD Group: Applications/Networking Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 3246aa79317b1d23cae783a3bf8275d6 +# Source0-md5: 08f72de6751acfbd0892b5f003922701 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -44,31 +56,28 @@ Source4: %{name}.sysconfig Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema -Source9: sshd.service -Source10: sshd-keygen +Source8: sshd-keygen Patch0: %{name}-no_libnsl.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch # http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree Patch4: %{name}-ldap.patch Patch5: %{name}-ldap-fixes.patch -Patch8: ldap.conf.patch -Patch6: %{name}-config.patch -Patch7: ldap-helper-sigpipe.patch - +Patch6: ldap.conf.patch +Patch7: %{name}-config.patch +Patch8: ldap-helper-sigpipe.patch # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/ # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz Patch9: %{name}-5.2p1-hpn13v6.diff Patch10: %{name}-include.patch Patch11: %{name}-chroot.patch -# ssh-vulnkey-compat.patch from debian sources Patch12: %{name}-vulnkey-compat.patch Patch13: %{name}-kuserok.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch +Patch16: libseccomp-sandbox.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} -%{?with_tests:BuildRequires: %{name}-server} %{?with_audit:BuildRequires: audit-libs-devel} BuildRequires: autoconf >= 2.50 BuildRequires: automake 
@@ -76,8 +85,8 @@ BuildRequires: automake %{?with_gtk:BuildRequires: gtk+2-devel} %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} %{?with_libedit:BuildRequires: libedit-devel} +BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} -BuildRequires: libwrap-devel %{?with_ldap:BuildRequires: openldap-devel} BuildRequires: openssl-devel >= 0.9.8f BuildRequires: pam-devel @@ -86,6 +95,13 @@ BuildRequires: rpm >= 4.4.9-56 BuildRequires: rpmbuild(macros) >= 1.627 BuildRequires: sed >= 4.0 BuildRequires: zlib-devel >= 1.2.3 +%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?) +BuildRequires: %{name}-server +%endif +%if %{with tests} && %{with libseccomp} +# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag +BuildRequires: uname(release) >= 3.5 +%endif Requires: zlib >= 1.2.3 Requires: filesystem >= 3.0-11 Requires: pam >= %{pam_ver} @@ -336,6 +352,7 @@ Requires(pre): /usr/sbin/useradd Requires: %{name} = %{epoch}:%{version}-%{release} Requires: pam >= %{pam_ver} Requires: rc-scripts >= 0.4.3.0 +%{?with_libseccomp:Requires: uname(release) >= 3.5} Requires: util-linux %{?with_ldap:Suggests: %{name}-server-ldap} Suggests: /bin/login @@ -505,19 +522,18 @@ openldap-a. %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch8 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 -# do we really need to drag this old/obsolete patch? %patch12 -p1 -# code changed in upstream, needs baggins verification %patch13 -p1 %patch14 -p1 %{!?with_ldap:%patch15 -p1} +%{?with_libseccomp:%patch16 -p1} # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* 
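Review bot: `BuildRequires: libseccomp-devel` is added unconditionally in the first hunk, while the spec header undefines with_libseccomp on every arch except x32, so non-x32 builds pull in a -devel package they never link against; `%{?with_libseccomp:BuildRequires: libseccomp-devel}` would match the guarded entries around it and the conditional `Requires: uname(release) >= 3.5` in the third hunk. The `%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)` guard in the second hunk evaluates a shell command at parse time, so the BuildRequires set depends on whether the build host already has an sshd user; a one-line comment stating that this is deliberate would save the next reader from treating it as a bug.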
@@ -525,12 +541,15 @@ sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ %{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' +# prevent being ovewritten by aclocal calls +mv aclocal.m4 acinclude.m4 + %build cp /usr/share/automake/config.sub . %{__aclocal} %{__autoconf} %{__autoheader} -CPPFLAGS="-DCHROOT" +CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" %configure \ PERL=%{__perl} \ --disable-strip \ @@ -547,15 +566,16 @@ CPPFLAGS="-DCHROOT" --with-pam \ --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ - --with-sandbox=seccomp_filter \ + --with-privsep-user=sshd \ %{?with_selinux:--with-selinux} \ + --with-sandbox=%{sandbox} \ --with-xauth=%{_bindir}/xauth echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h %{__make} -%{?with_tests:%{__make} tests} +%{?with_tests:%{__make} -j1 tests} cd contrib %if %{with gnome} @@ -569,7 +589,7 @@ cd contrib %install rm -rf $RPM_BUILD_ROOT -install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \ +install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \ $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}} install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} 
@@ -578,23 +598,19 @@ install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir} -cp -p %{SOURCE3} sshd.pam -install -p %{SOURCE2} sshd.init - -%if %{without audit} -# remove recording user's login uid to the process attribute -%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam -%endif - -install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d -ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh +ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} -cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen +install -p %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen + +%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \ + $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \ + $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen %if %{with gnome} install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass @@ -624,6 +640,11 @@ cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS #SSH_ASKPASS="%{_libexecdir}/ssh-askpass" EOF +%if %{without audit} +# remove recording user's login uid to the process attribute +%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif + %{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages %{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf} diff --git a/opensshd.init b/opensshd.init index a00a9da..9e76029 100755 --- a/opensshd.init +++ b/opensshd.init @@ -11,8 +11,6 @@ # Source function library . /etc/rc.d/init.d/functions -upstart_controlled --except init configtest - # Get network config . /etc/sysconfig/network 
@@ -46,37 +44,12 @@ checkconfig() {
 }
 
 ssh_gen_keys() {
- # generate new keys with empty passwords if they do not exist
- if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
- /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_key
- fi
- if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then
- /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_rsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_rsa_key
- fi
- if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
- /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_dsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_dsa_key
- fi
- if [ ! -f /etc/ssh/ssh_host_ecdsa_key -o ! -s /etc/ssh/ssh_host_ecdsa_key ]; then
- /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key
- fi # ecdsa
- if [ ! -f /etc/ssh/ssh_host_ed25519_key -o ! -s /etc/ssh/ssh_host_ed25519_key ]; then
- /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >&2
- chmod 600 /etc/ssh/ssh_host_ed25519_key
- [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ed25519_key
- fi # ed25519
+ @@LIBEXECDIR@@/sshd-keygen
 }
 
 start() {
 # Check if the service is already running?
- if [ -f /var/lock/subsys/sshd ]; then
+ if status --pidfile $PIDFILE sshd >/dev/null; then
 msg_already_running "OpenSSH"
 return
 fi
diff --git a/opensshd.pamd b/opensshd.pamd
index 1dd3461..56665be 100644
--- a/opensshd.pamd
+++ b/opensshd.pamd
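Review bot: `ssh_gen_keys` now delegates to `@@LIBEXECDIR@@/sshd-keygen` but discards its exit status, so a failed key generation is only noticed later when sshd itself refuses to start; `@@LIBEXECDIR@@/sshd-keygen || return 1` here, with the caller (outside this hunk) checking the result, would surface the failure at the point it happens. `$PIDFILE` in the new `status --pidfile $PIDFILE sshd` test is not set anywhere in the hunk; presumably it is defined near the top of the script, which is worth confirming, since an empty unquoted value would shift `sshd` into the --pidfile argument.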
@@ -1,12 +1,14 @@
 #%PAM-1.0
 auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
 auth include system-auth
+auth include postlogin
 account required pam_shells.so
 account required pam_nologin.so
-account required pam_access.so
+account required pam_access.so
 account include system-auth
 password include system-auth
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
 session include system-auth
+session include postlogin
 session optional pam_mail.so
diff --git a/sshd-keygen b/sshd-keygen
index 2294994..c6205e6 100644
--- a/sshd-keygen
+++ b/sshd-keygen
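Review bot: The two new `include postlogin` lines make the sshd stack depend on /etc/pam.d/postlogin being present; with `include`, a missing file is a configuration error that fails the stack closed, so every ssh login would be refused on a host whose pam package does not ship it. Nothing in this commit shows which package provides postlogin, so either the `pam >= 1:1.1.8-5` requirement bumped in openssh.spec is the one that guarantees it (worth confirming), or a comment such as `# postlogin is shipped by pam >= <version>` should be added above the first include.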
@@ -3,31 +3,20 @@ # Get service config [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd -# generate new keys with empty passwords if they do not exist -if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' >&2 - chmod 600 /etc/ssh/ssh_host_key - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_key -fi -if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then - /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2 - chmod 600 /etc/ssh/ssh_host_rsa_key - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_rsa_key -fi -if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then - /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2 - chmod 600 /etc/ssh/ssh_host_dsa_key - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_dsa_key -fi -if [ ! -f /etc/ssh/ssh_host_ecdsa_key -o ! -s /etc/ssh/ssh_host_ecdsa_key ]; then - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' >&2 - chmod 600 /etc/ssh/ssh_host_ecdsa_key - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key -fi # ecdsa -if [ ! -f /etc/ssh/ssh_host_ed25519_key -o ! 
-s /etc/ssh/ssh_host_ed25519_key ]; then - /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >&2 - chmod 600 /etc/ssh/ssh_host_ed25519_key - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/ssh/ssh_host_ed25519_key -fi # ed25519 +# generate new key with empty password if it does not exist +ssh_gen_key() { + local type="$1" keyfile="$2" + + test -s $keyfile && return -exit 0 + /usr/bin/ssh-keygen -t $type -f $keyfile -N '' >&2 + chmod 600 $keyfile + [ -x /sbin/restorecon ] && /sbin/restorecon $keyfile +} + +# generate new keys with empty passwords if they do not exist +ssh_gen_key rsa1 /etc/ssh/ssh_host_key +ssh_gen_key rsa /etc/ssh/ssh_host_rsa_key +ssh_gen_key dsa /etc/ssh/ssh_host_dsa_key +ssh_gen_key ecdsa /etc/ssh/ssh_host_ecdsa_key +ssh_gen_key ed25519 /etc/ssh/ssh_host_ed25519_key diff --git a/sshd.service b/sshd.service deleted file mode 100644 index 04e4505..0000000 --- a/sshd.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=OpenSSH server daemon -After=syslog.target network.target auditd.service - -[Service] -EnvironmentFile=-/etc/sysconfig/sshd -ExecStartPre=@@LIBEXECDIR@@/sshd-keygen -ExecStart=/usr/sbin/sshd -D $OPTIONS -ExecReload=/bin/kill -HUP $MAINPID -KillMode=process -Restart=always - -[Install] -WantedBy=multi-user.target -- 2.52.0
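Review bot: With the trailing `exit 0` removed, the script's exit status is that of the last `ssh_gen_key` call, whose final command is `[ -x /sbin/restorecon ] && /sbin/restorecon $keyfile`; on a host without /sbin/restorecon a freshly generated ed25519 key therefore makes the script exit 1 even though the key was written, which the init script's `ssh_gen_keys` wrapper will inherit. Keep an explicit `exit 0` as the last line (or end the function with `return 0`). The function also never checks that `ssh-keygen` succeeded before `chmod 600 $keyfile`, and `$type`/`$keyfile` are used unquoted — harmless for the fixed paths passed here, but `"$keyfile"` costs nothing.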