From: Stefan Schantl Date: Thu, 12 Jan 2017 14:07:45 +0000 (+0100) Subject: openssh: Update to 7.4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11858f068f866d19a1115d889965b093f48f16df;p=ipfire-3.x.git openssh: Update to 7.4 This is a minor update to the latest stable version of OpenSSH. * Enable root login with password. * Drop selinux related modules from pam file. * Rework Systemd unit files and add files for socked based activation. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer --- diff --git a/openssh/openssh.nm b/openssh/openssh.nm index 2e8de7629..8b7eceab4 100644 --- a/openssh/openssh.nm +++ b/openssh/openssh.nm @@ -4,7 +4,7 @@ ############################################################################### name = openssh -version = 7.3p1 +version = 7.4p1 release = 1 groups = Application/Internet @@ -60,11 +60,12 @@ build # Disable GSS API authentication because KRB5 is required for that. sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config - # Enable PAM usage, disable ChallengeResponseAuthentication and disable Motd. + # Enable PAM usage, disable ChallengeResponseAuthentication, enable root login and disable Motd. sed \ -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \ -e '/^#PrintMotd yes$/c PrintMotd no' \ -e '/^#UsePAM no$/c UsePAM yes' \ + -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \ -i %{BUILDROOT}/etc/ssh/sshd_config # Install scriptfile for key generation @@ -140,6 +141,8 @@ packages %{sysconfdir}/ssh/sshd_config %{unitdir}/sshd.service %{unitdir}/sshd-keygen.service + %{unitdir}/sshd@.service + %{unitdir}/sshd.socket %{libdir}/openssh/sftp-server %{sbindir}/sshd-keygen %{sbindir}/sshd 
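Review bot: The added `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` expression in the sshd_config `sed` makes password login for root the packaged default, and the same `sed` sets `UsePAM yes`, so a fresh install exposes the root account to password guessing from the network. Upstream's commented default `prohibit-password` still allows key-based root login, so keeping it and documenting the opt-in would preserve root access without that exposure. The match is also tied to the exact upstream comment text, so a later change to that line would turn the expression into a silent no-op; a comment such as `# NOTE: depends on upstream's commented default, re-check on every version bump` would record that. The enclosing `build` block starts and ends outside the hunk.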
@@ -173,7 +176,9 @@ packages script preun /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd.socket /bin/systemctl stop sshd.service >/dev/null 2>&1 || : + /bin/systemctl stop sshd.socket >/dev/null 2>&1 || : end script postun @@ -181,6 +186,10 @@ packages end script postup + # Enable root login. + sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \ + -i %{sysconfdir}/ssh/sshd_config + /bin/systemctl daemon-reload >/dev/null 2>&1 || : /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : diff --git a/openssh/sshd.pam b/openssh/sshd.pam index a80e45061..a9af14993 100644 --- a/openssh/sshd.pam +++ b/openssh/sshd.pam @@ -1,15 +1,10 @@ #%PAM-1.0 -auth required pam_sepermit.so auth substack password-auth auth include postlogin account required pam_nologin.so account include password-auth password include password-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close session required pam_loginuid.so -# pam_selinux.so open should only be followed by sessions to be executed in the user context -session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session include postlogin diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service index 9007d8967..8372355f8 100644 --- a/openssh/systemd/sshd.service +++ b/openssh/systemd/sshd.service @@ -1,11 +1,14 @@ [Unit] Description=OpenSSH server daemon -After=syslog.target network.target auditd.service +After=syslog.target network.target auditd.service sshd-keygen.service +Wants=sshd-keygen.service [Service] -ExecStartPre=/usr/sbin/sshd-keygen ExecStart=/usr/sbin/sshd -D ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartSec=30s [Install] WantedBy=multi-user.target diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket new file mode 100644 index 000000000..caa50c427 
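Review bot: The added `/bin/systemctl --no-reload disable sshd.socket` is the only call in `script preun` without `>/dev/null 2>&1 || :`, so a failing `disable` writes to the package manager's output and returns non-zero where the neighbouring calls are silenced and tolerated. Writing it as `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :` keeps the scriptlet consistent. Whether a non-zero status aborts the scriptlet depends on how it is run, which is not visible here.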
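Review bot: The `sed` added to `script postup` rewrites the administrator's live `%{sysconfdir}/ssh/sshd_config` on every update, turning the commented default into an active `PermitRootLogin yes`. sshd uses the first value it reads for a keyword, so where an admin left the commented line in place and appended their own `PermitRootLogin no` further down, the inserted line would presumably win and re-enable root password login. The scriptlet should leave existing configuration alone, or at least skip the edit when the admin has already set the option, e.g. by prefixing the command with `grep -q '^[[:space:]]*PermitRootLogin' %{sysconfdir}/ssh/sshd_config ||`. The `try-restart sshd.service` that follows applies the changed setting immediately, so the weakening takes effect without any admin action.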
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/openssh/systemd/sshd@.service b/openssh/systemd/sshd@.service
new file mode 100644
index 000000000..57862c0e5
--- /dev/null
+++ b/openssh/systemd/sshd@.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.service
+After=sshd-keygen.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
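Review bot: In `sshd.socket`, `Accept=yes` hands every TCP connection on port 22 to a fresh `sshd -i` instance, and in that mode sshd's own `MaxStartups` throttling of unauthenticated connections is, as far as I can tell, not in effect because no listening daemon counts them. The unit therefore relies on systemd's implicit connection limit; stating it in `[Socket]`, e.g. `MaxConnections=64`, and adding `MaxConnectionsPerSource=` where the shipped systemd supports it, would make the limit visible and tunable. A comment noting that `sshd.socket` and `sshd.service` are alternatives (`Conflicts=sshd.service`) would also help admins who try to enable both.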