Revert "server crypto policy"

This reverts commit 1d8ffcfe05.

openssh-6.6p1-redhat.patch

@@ -1,6 +1,6 @@
-diff -up openssh-7.5p1/ssh_config.redhat openssh-7.5p1/ssh_config
+diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
---- openssh-7.5p1/ssh_config.redhat	2017-03-20 03:39:27.000000000 +0100
+--- openssh-7.4p1/ssh_config.redhat	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.5p1/ssh_config	2017-07-11 13:05:42.728031520 +0200
++++ openssh-7.4p1/ssh_config	2016-12-23 13:32:00.045220402 +0100
 @@ -48,3 +48,7 @@
  #   VisualHostKey no
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
@@ -9,9 +9,9 @@ diff -up openssh-7.5p1/ssh_config.redhat openssh-7.5p1/ssh_config
 +# To modify the system-wide ssh configuration, create a  *.conf  file under
 +#  /etc/ssh/ssh_config.d/  which will be automatically included below
 +Include /etc/ssh/ssh_config.d/*.conf
-diff -up openssh-7.5p1/ssh_config_redhat.redhat openssh-7.5p1/ssh_config_redhat
+diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
---- openssh-7.5p1/ssh_config_redhat.redhat	2017-07-11 13:05:42.728031520 +0200
+--- openssh-7.4p1/ssh_config_redhat.redhat	2016-12-23 13:32:00.045220402 +0100
-+++ openssh-7.5p1/ssh_config_redhat	2017-07-11 13:05:42.728031520 +0200
++++ openssh-7.4p1/ssh_config_redhat	2016-12-23 13:32:00.045220402 +0100
 @@ -0,0 +1,20 @@
 +# Follow system-wide Crypto Policy, if defined:
 +Include /etc/crypto-policies/back-ends/openssh.config
@@ -33,10 +33,10 @@ diff -up openssh-7.5p1/ssh_config_redhat.redhat openssh-7.5p1/ssh_config_redhat
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
-diff -up openssh-7.5p1/sshd_config.0.redhat openssh-7.5p1/sshd_config.0
+diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
---- openssh-7.5p1/sshd_config.0.redhat	2017-03-20 10:52:56.000000000 +0100
+--- openssh-7.4p1/sshd_config.0.redhat	2016-12-19 06:21:22.000000000 +0100
-+++ openssh-7.5p1/sshd_config.0	2017-07-11 13:05:42.728031520 +0200
++++ openssh-7.4p1/sshd_config.0	2016-12-23 13:32:00.045220402 +0100
-@@ -850,9 +850,9 @@ DESCRIPTION
+@@ -837,9 +837,9 @@ DESCRIPTION
  
       SyslogFacility
               Gives the facility code that is used when logging messages from
@@ -49,10 +49,10 @@ diff -up openssh-7.5p1/sshd_config.0.redhat openssh-7.5p1/sshd_config.0
  
       TCPKeepAlive
               Specifies whether the system should send TCP keepalive messages
-diff -up openssh-7.5p1/sshd_config.5.redhat openssh-7.5p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
---- openssh-7.5p1/sshd_config.5.redhat	2017-03-20 03:39:27.000000000 +0100
+--- openssh-7.4p1/sshd_config.5.redhat	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.5p1/sshd_config.5	2017-07-11 13:05:42.728031520 +0200
++++ openssh-7.4p1/sshd_config.5	2016-12-23 13:32:00.046220403 +0100
-@@ -1413,7 +1413,7 @@ By default no subsystems are defined.
+@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
  .It Cm SyslogFacility
  Gives the facility code that is used when logging messages from
  .Xr sshd 8 .
@@ -61,10 +61,10 @@ diff -up openssh-7.5p1/sshd_config.5.redhat openssh-7.5p1/sshd_config.5
  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
  The default is AUTH.
  .It Cm TCPKeepAlive
-diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
+diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
---- openssh-7.5p1/sshd_config.redhat	2017-03-20 03:39:27.000000000 +0100
+--- openssh-7.4p1/sshd_config.redhat	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.5p1/sshd_config	2017-07-11 13:10:44.967594004 +0200
++++ openssh-7.4p1/sshd_config	2016-12-23 13:33:05.386233133 +0100
-@@ -10,21 +10,32 @@
+@@ -10,21 +10,26 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
  
@@ -88,19 +88,13 @@ diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
  # Ciphers and keying
  #RekeyLimit default none
  
-+# System-wide Crypto policies:
-+# The following macro will get expanded to the system-wide crypto policy
-+# defaults. For more information, see manual page for update-crypto-policies(8).
-+# To manually overwrite options defined here, write them BEFORE this block
-+#{INCLUDE_CRYPTO_POLICY}#
-+
  # Logging
  #SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
  #LogLevel INFO
  
  # Authentication:
-@@ -57,9 +68,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -57,9 +62,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
@@ -112,7 +106,7 @@ diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
  
  # Kerberos options
  #KerberosAuthentication no
-@@ -68,8 +81,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -68,8 +75,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
  #KerberosGetAFSToken no
  
  # GSSAPI options
@@ -123,7 +117,7 @@ diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
  
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
-@@ -80,12 +93,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -80,12 +87,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
@@ -138,7 +132,7 @@ diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PermitTTY yes
-@@ -107,6 +120,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -108,6 +115,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # no default banner path
  #Banner none
  

openssh.spec

@@ -90,7 +90,6 @@ Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source14: sshd.tmpfiles
 Source15: sshd-keygen.target
-Source16: sshd-pre.sh
 
 # Internal debug
 Patch0: openssh-5.9p1-wIm.patch
@@ -156,7 +155,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=198332
 Patch703: openssh-4.3p2-askpass-grab-info.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-7.5p1-redhat.patch
+Patch707: openssh-6.6p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
 Patch708: openssh-6.6p1-entropy.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@@ -598,7 +597,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
-mkdir -p -m755 $RPM_BUILD_ROOT/run/openssh
 make install DESTDIR=$RPM_BUILD_ROOT
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
 
@@ -617,7 +615,6 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
 install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
 install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
-install -m744 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
@@ -706,12 +703,10 @@ getent passwd sshd >/dev/null || \
 %if ! %{rescue}
 %files server
 %dir %attr(0711,root,root) %{_var}/empty/sshd
-%dir %attr(0755,root,root) /run/openssh
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
-%attr(0755,root,root) %{_libexecdir}/openssh/sshd-pre
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
 %attr(0644,root,root) %{_mandir}/man5/moduli.5*
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*

sshd-pre.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# simple helper script, which substitutes a token in configuration file with
-# system wide crypto policy, if installed. If not, this script just copies the
-# configuration file to the runtime file, that will be used by the SSHD daemon.
-
-SSHD_CONFIG="/etc/ssh/sshd_config"
-SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
-CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"
-
-if [ ! -f "$CRYPTO_POLICIES" ]; then
-	# if not installed, copy just the template
-	# (to overwrite potential old policy)
-	cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
-else
-	# do the substitution.
-	sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
-		"$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
-fi
-
-# XXX should be taken care of in SELinux somehow
-# set reasonable label if it gets the default (do not overwrite fixed)
-ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME
-
-# makes sure we have sane permissions as the original file has.
-chmod 600 $SSHD_CONFIG_RUNTIME
-
-# reload the service if requested
-if [ "$1" = "reload" ]; then
-	/bin/kill -HUP $2
-fi

sshd.service

@@ -7,9 +7,8 @@ Wants=sshd-keygen.target
 [Service]
 Type=notify
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStartPre=/usr/libexec/openssh/sshd-pre
+ExecStart=/usr/sbin/sshd -D $OPTIONS
-ExecStart=/usr/sbin/sshd -D $OPTIONS -f /run/openssh/sshd_config
+ExecReload=/bin/kill -HUP $MAINPID
-ExecReload=/usr/libexec/openssh/sshd-pre reload $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s

sshd.tmpfiles

@@ -1,2 +1 @@
 d /var/empty/sshd 711 root root -
-d /run/openssh 755 root root -

sshd@.service

@@ -6,6 +6,5 @@ After=sshd-keygen.target
 
 [Service]
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStartPre=/usr/libexec/openssh/sshd-pre
+ExecStart=-/usr/sbin/sshd -i $OPTIONS
-ExecStart=-/usr/sbin/sshd -i $OPTIONS -f /run/openssh/sshd_config
 StandardInput=socket