diff --git a/openssh-6.6p1-redhat.patch b/openssh-7.5p1-redhat.patch similarity index 71% rename from openssh-6.6p1-redhat.patch rename to openssh-7.5p1-redhat.patch index 818858a..cd0971a 100644 --- a/openssh-6.6p1-redhat.patch +++ b/openssh-7.5p1-redhat.patch @@ -1,6 +1,6 @@ -diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config ---- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100 +diff -up openssh-7.5p1/ssh_config.redhat openssh-7.5p1/ssh_config +--- openssh-7.5p1/ssh_config.redhat 2017-03-20 03:39:27.000000000 +0100 ++++ openssh-7.5p1/ssh_config 2017-07-11 13:05:42.728031520 +0200 @@ -48,3 +48,7 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com @@ -9,9 +9,9 @@ diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config +# To modify the system-wide ssh configuration, create a *.conf file under +# /etc/ssh/ssh_config.d/ which will be automatically included below +Include /etc/ssh/ssh_config.d/*.conf -diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat ---- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100 -+++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100 +diff -up openssh-7.5p1/ssh_config_redhat.redhat openssh-7.5p1/ssh_config_redhat +--- openssh-7.5p1/ssh_config_redhat.redhat 2017-07-11 13:05:42.728031520 +0200 ++++ openssh-7.5p1/ssh_config_redhat 2017-07-11 13:05:42.728031520 +0200 @@ -0,0 +1,20 @@ +# Follow system-wide Crypto Policy, if defined: +Include /etc/crypto-policies/back-ends/openssh.config @@ -33,10 +33,10 @@ diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0 ---- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100 -+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100 -@@ -837,9 +837,9 @@ DESCRIPTION +diff -up openssh-7.5p1/sshd_config.0.redhat openssh-7.5p1/sshd_config.0 +--- openssh-7.5p1/sshd_config.0.redhat 2017-03-20 10:52:56.000000000 +0100 ++++ openssh-7.5p1/sshd_config.0 2017-07-11 13:05:42.728031520 +0200 +@@ -850,9 +850,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -49,10 +49,10 @@ diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5 ---- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100 -@@ -1393,7 +1393,7 @@ By default no subsystems are defined. +diff -up openssh-7.5p1/sshd_config.5.redhat openssh-7.5p1/sshd_config.5 +--- openssh-7.5p1/sshd_config.5.redhat 2017-03-20 03:39:27.000000000 +0100 ++++ openssh-7.5p1/sshd_config.5 2017-07-11 13:05:42.728031520 +0200 +@@ -1413,7 +1413,7 @@ By default no subsystems are defined. .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . @@ -61,10 +61,10 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config ---- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100 -@@ -10,21 +10,26 @@ +diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config +--- openssh-7.5p1/sshd_config.redhat 2017-03-20 03:39:27.000000000 +0100 ++++ openssh-7.5p1/sshd_config 2017-07-11 13:10:44.967594004 +0200 +@@ -10,21 +10,32 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -88,13 +88,19 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config # Ciphers and keying #RekeyLimit default none ++# System-wide Crypto policies: ++# The following macro will get expanded to the system-wide crypto policy ++# defaults. For more information, see manual page for update-crypto-policies(8). ++# To manually overwrite options defined here, write them BEFORE this block ++#{INCLUDE_CRYPTO_POLICY}# ++ # Logging #SyslogFacility AUTH +SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: -@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -57,9 +68,11 @@ AuthorizedKeysFile .ssh/authorized_keys # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -106,7 +112,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -68,8 +81,8 @@ AuthorizedKeysFile .ssh/authorized_keys #KerberosGetAFSToken no # GSSAPI options @@ -117,7 +123,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -80,12 +93,12 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -132,7 +138,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -107,6 +120,12 @@ AuthorizedKeysFile .ssh/authorized_keys # no default banner path #Banner none diff --git a/openssh.spec b/openssh.spec index 141d689..f54b20b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -90,6 +90,7 @@ Source12: sshd-keygen@.service Source13: sshd-keygen Source14: sshd.tmpfiles Source15: sshd-keygen.target +Source16: sshd-pre.sh # Internal debug Patch0: openssh-5.9p1-wIm.patch @@ -155,7 +156,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch #https://bugzilla.redhat.com/show_bug.cgi?id=198332 Patch703: openssh-4.3p2-askpass-grab-info.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-6.6p1-redhat.patch +Patch707: openssh-7.5p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) Patch708: openssh-6.6p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) @@ -634,6 +635,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd +mkdir -p -m755 $RPM_BUILD_ROOT/run/openssh make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf @@ -652,6 +654,7 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen +install -m744 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf @@ -750,10 +753,12 @@ getent passwd sshd >/dev/null || \ %if ! %{rescue} %files server %dir %attr(0711,root,root) %{_var}/empty/sshd +%dir %attr(0755,root,root) /run/openssh %attr(0755,root,root) %{_sbindir}/sshd %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen +%attr(0755,root,root) %{_libexecdir}/openssh/sshd-pre %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/sshd.8* diff --git a/sshd-pre.sh b/sshd-pre.sh new file mode 100644 index 0000000..985426b --- /dev/null +++ b/sshd-pre.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +# simple helper script, which substitutes a token in configuration file with +# system wide crypto policy, if installed. If not, this script just copies the +# configuration file to the runtime file, that will be used by the SSHD daemon. + +SSHD_CONFIG="/etc/ssh/sshd_config" +SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config" +CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config" + +if [ ! -f "$CRYPTO_POLICIES" ]; then + # if not installed, copy just the template + # (to overwrite potential old policy) + cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" +else + # do the substitution. + sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \ + "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" +fi + +# XXX should be taken care of in SELinux somehow +# set reasonable label if it gets the default (do not overwrite fixed) +ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME + +# makes sure we have sane permissions as the original file has. +chmod 600 $SSHD_CONFIG_RUNTIME + +# reload the service if requested +if [ "$1" = "reload" ]; then + /bin/kill -HUP $2 +fi diff --git a/sshd.service b/sshd.service index e8afb86..46222f0 100644 --- a/sshd.service +++ b/sshd.service @@ -7,8 +7,9 @@ Wants=sshd-keygen.target [Service] Type=notify EnvironmentFile=-/etc/sysconfig/sshd -ExecStart=/usr/sbin/sshd -D $OPTIONS -ExecReload=/bin/kill -HUP $MAINPID +ExecStartPre=/usr/libexec/openssh/sshd-pre +ExecStart=/usr/sbin/sshd -D $OPTIONS -f /run/openssh/sshd_config +ExecReload=/usr/libexec/openssh/sshd-pre reload $MAINPID KillMode=process Restart=on-failure RestartSec=42s diff --git a/sshd.tmpfiles b/sshd.tmpfiles index c35a2b8..586c7e3 100644 --- a/sshd.tmpfiles +++ b/sshd.tmpfiles @@ -1 +1,2 @@ d /var/empty/sshd 711 root root - +d /run/openssh 755 root root - diff --git a/sshd@.service b/sshd@.service index 196c555..c95a3cb 100644 --- a/sshd@.service +++ b/sshd@.service @@ -6,5 +6,6 @@ After=sshd-keygen.target [Service] EnvironmentFile=-/etc/sysconfig/sshd -ExecStart=-/usr/sbin/sshd -i $OPTIONS +ExecStartPre=/usr/libexec/openssh/sshd-pre +ExecStart=-/usr/sbin/sshd -i $OPTIONS -f /run/openssh/sshd_config StandardInput=socket