From: Michael Tremer Date: Sun, 11 Mar 2012 23:22:18 +0000 (+0100) Subject: openssh: Some bigger changes. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e78de92e15c1bb378e6447cf8b7131e491b00b29;p=people%2Fms%2Fipfire-3.x.git openssh: Some bigger changes. Adopts systemd files from Fedora and cleans up a lot in the makefile. --- diff --git a/openssh/openssh.nm b/openssh/openssh.nm index 0b0250ca2..d04d2b24d 100644 --- a/openssh/openssh.nm +++ b/openssh/openssh.nm @@ -5,7 +5,7 @@ name = openssh version = 5.9p1 -release = 3 +release = 4 groups = Application/Internet url = http://www.openssh.com/portable.html @@ -26,10 +26,14 @@ build audit-devel autoconf automake + groff + libedit-devel libselinux-devel - nss-devel - openssl-devel>=1.0.0d-2 + ncurses-devel + openldap-devel + openssl-devel >= 1.0.0d-2 pam-devel + util-linux zlib-devel end @@ -67,17 +71,25 @@ build end configure_options += \ - --sysconfdir=/etc/ssh \ - --datadir=/usr/share/sshd \ - --libexecdir=/usr/lib/openssh \ - --with-md5-passwords \ - --with-privsep-path=/var/lib/sshd \ + --sysconfdir=%{sysconfdir}/ssh \ + --datadir=%{datadir}/sshd \ + --libexecdir=%{libdir}/openssh \ + --with-default-path=/usr/local/bin:/bin:/usr/bin \ + --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ + --with-privsep-path=/var/empty/sshd \ + --enable-vendor-patchlevel="%{DISTRO_NAME} %{thisver}" \ + --disable-strip \ + --with-ssl-engine \ + --with-authorized-keys-command \ + --with-ipaddr-display \ + --with-ldap \ --with-pam \ + --with-libedit \ --with-selinux \ --with-audit=linux prepare_cmds - autoreconf + autoreconf -vfi end install_cmds 
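Review bot: `--with-privsep-path=/var/empty/sshd` moves the privilege-separation chroot, and sshd refuses to start unless that directory exists, is owned by root and is neither group- nor world-writable (0711 root:root is the usual choice); the hunk ends at `install_cmds`, so the command that creates the directory is outside it and I cannot see what ownership and mode the packaged `/var/empty/sshd` (listed in the server package's files further down) gets. Please confirm it is created with those bits rather than inherited from the build environment. A one-line comment next to the option would help the next maintainer keep the three hard-coded copies of the path in sync, e.g. `# Must match the sshd user's home in the prein script and the dir shipped by openssh-server.`. The `install_cmds` block continues outside this hunk.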
@@ -85,15 +97,32 @@ build sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config # Install scriptfile for key generation - install -m 754 %{DIR_SOURCE}/ssh-keygen %{BUILDROOT}/usr/lib/openssh/ + mkdir -pv %{BUILDROOT}%{sbindir} + install -m 754 %{DIR_SOURCE}/sshd-keygen %{BUILDROOT}%{sbindir} + + # Install ssh-copy-id. + install -m755 contrib/ssh-copy-id %{BUILDROOT}%{bindir} + install contrib/ssh-copy-id.1 %{BUILDROOT}%{mandir}/man1/ end end packages package openssh + prerequires + shadow-utils + end + requires - openssh-clients=%{thisver} - openssh-server=%{thisver} + openssh-clients = %{thisver} + openssh-server = %{thisver} + end + + configfiles + %{sysconfdir}/ssh/moduli + end + + script prein + getent group sshd_keys >/dev/null || groupadd -r ssh_keys || : end end 
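Review bot: The new prein script in `package openssh` looks up a group named `sshd_keys` but creates `ssh_keys` (`getent group sshd_keys >/dev/null || groupadd -r ssh_keys || :`), so the lookup never matches, every install runs `groupadd`, and the "group already exists" failure on re-install is hidden by `|| :`; the sshd-keygen script in this commit does `chgrp ssh_keys`, so the check should read `getent group ssh_keys >/dev/null || groupadd -r ssh_keys`. Since that group is meant to be the access boundary for the private host keys, I would not mask a real `groupadd` failure with `|| :` either — it would only surface later as a failing `chgrp` on every key at boot. Minor, same hunk: `install contrib/ssh-copy-id.1 ...` has no `-m`, so the man page is installed with install's default 0755; `-m 644` is the conventional mode.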
@@ -101,29 +130,33 @@ packages summary = OpenSSH client applications. description = %{summary} + requires = openssh = %{thisver} + files - /etc/ssh/ssh_config - /usr/bin/scp - /usr/bin/sftp - /usr/bin/slogin - /usr/bin/ssh - /usr/bin/ssh-add - /usr/bin/ssh-agent - /usr/bin/ssh-keyscan - /usr/lib/openssh/ssh-pkcs11-helper - /usr/share/man/cat1/scp.1 - /usr/share/man/cat1/sftp.1 - /usr/share/man/cat1/slogin.1 - /usr/share/man/cat1/ssh-add.1 - /usr/share/man/cat1/ssh-agent.1 - /usr/share/man/cat1/ssh-keyscan.1 - /usr/share/man/cat1/ssh.1 - /usr/share/man/cat5/ssh_config.5 - /usr/share/man/cat8/ssh-pkcs11-helper.8 + %{sysconfdir}/ssh/ssh_config + %{bindir}/scp + %{bindir}/sftp + %{bindir}/slogin + %{bindir}/ssh + %{bindir}/ssh-add + %{bindir}/ssh-agent + %{bindir}/ssh-copy-id + %{bindir}/ssh-keyscan + %{libdir}/openssh/ssh-pkcs11-helper + %{mandir}/man1/scp.1* + %{mandir}/man1/sftp.1* + %{mandir}/man1/slogin.1* + %{mandir}/man1/ssh-add.1* + %{mandir}/man1/ssh-agent.1* + %{mandir}/man1/ssh-copy-id.1* + %{mandir}/man1/ssh-keyscan.1* + %{mandir}/man1/ssh.1* + %{mandir}/man5/ssh_config.5* + %{mandir}/man8/ssh-pkcs11-helper.8* end configfiles - /etc/ssh/ssh_config + %{sysconfdir}/ssh/ssh_config end end 
@@ -131,26 +164,24 @@ packages summary = OpenSSH server applications. description = %{summary} - # /usr/bin/ssh-keygen is needed to generate keys for the ssh server. - requires = /usr/bin/ssh-keygen + requires = openssh = %{thisver} files - /etc/pam.d/sshd - /etc/ssh/moduli - /etc/ssh/sshd_config - /lib/systemd/system/openssh.service - /usr/lib/openssh/sftp-server - /usr/lib/openssh/ssh-keygen - /usr/sbin/sshd - /usr/share/man/cat5/sshd_config.5* - /usr/share/man/cat5/moduli.5* - /usr/share/man/cat8/sshd.8* - /usr/share/man/cat8/sftp-server.8* - /var/lib/sshd + %{sysconfdir}/pam.d/sshd + %{sysconfdir}/ssh/sshd_config + /lib/systemd + %{libdir}/openssh/sftp-server + %{sbindir}/sshd-keygen + %{sbindir}/sshd + %{mandir}/man5/sshd_config.5* + %{mandir}/man5/moduli.5* + %{mandir}/man8/sshd.8* + %{mandir}/man8/sftp-server.8* + /var/empty/sshd end configfiles - /etc/ssh/sshd_config + %{sysconfdir}/ssh/sshd_config end prerequires @@ -160,9 +191,10 @@ packages script prein # Create unprivileged user and group. - getent group sshd || groupadd -r sshd - getent passwd sshd || useradd -r -g sshd \ - -d /var/lib/sshd -s /sbin/nologin sshd + getent group sshd >/dev/null || groupadd -r sshd + getent passwd sshd >/dev/null || useradd -r -g sshd \ + -c "Privilege-separated SSH" \ + -d /var/empty/sshd -s /sbin/nologin sshd end script postin @@ -170,8 +202,10 @@ packages end script preun - /bin/systemctl --no-reload disable openssh.service >/dev/null 2>&1 || : - /bin/systemctl stop openssh.service >/dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd-keygen.service >/dev/null 2>&1 || : + /bin/systemctl stop sshd.service >/dev/null 2>&1 || : + /bin/systemctl stop sshd-keygen.service >/dev/null 2>&1 || : end script postun 
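Review bot: The openssh-server files list now contains the bare entry `/lib/systemd`, which — if pakfire matches file lists by path prefix, as the switch from explicit paths suggests it can — makes this package claim every unit any other package installs under `/lib/systemd/system`, and will conflict with them at install time. List the units this commit actually ships instead: `/lib/systemd/system/sshd.service`, `/lib/systemd/system/sshd-keygen.service`, `/lib/systemd/system/sshd.socket` and `/lib/systemd/system/sshd@.service`. The old `/lib/systemd/system/openssh.service` line shows the explicit form was already in use here.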
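Review bot: The preun script stops and disables `sshd.service` and `sshd-keygen.service` but not `sshd.socket` / `sshd@.service`, which this commit also adds; an installation that enabled the socket-activated variant is left with a dangling enabled symlink and a live listener after the package is removed. Add `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :` and `/bin/systemctl stop sshd.socket >/dev/null 2>&1 || :` alongside the existing lines. The `script postun` block that follows continues outside this hunk.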
@@ -180,6 +214,9 @@ packages script postup /bin/systemctl daemon-reload >/dev/null 2>&1 || : + + /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : + /bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || : end end diff --git a/openssh/ssh-keygen b/openssh/ssh-keygen deleted file mode 100644 index 46e64d61d..000000000 --- a/openssh/ssh-keygen +++ /dev/null @@ -1,8 +0,0 @@ -#! /bin/sh - -# Generates keyfiles for defined algorithm -for algo in dsa rsa ecdsa; do - [ -e "/etc/ssh/ssh_host_${algo}_key" ] && continue - /usr/bin/ssh-keygen -q -t ${algo} -N "" -f /etc/ssh/ssh_host_${algo}_key -done - diff --git a/openssh/sshd-keygen b/openssh/sshd-keygen new file mode 100644 index 000000000..619e83950 --- /dev/null +++ b/openssh/sshd-keygen 
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Create the host keys for the OpenSSH server.
+#
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+
+do_rsa1_keygen() {
+	if [ ! -s $RSA1_KEY ]; then
+		rm -f $RSA1_KEY
+		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $RSA1_KEY
+			chmod 600 $RSA1_KEY
+			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+				/sbin/restorecon $RSA1_KEY.pub
+			fi
+		else
+			exit 1
+		fi
+	fi
+}
+
+do_rsa_keygen() {
+	if [ ! -s $RSA_KEY ]; then
+		rm -f $RSA_KEY
+		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $RSA_KEY
+			chmod 600 $RSA_KEY
+			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+				/sbin/restorecon $RSA_KEY.pub
+			fi
+		else
+			exit 1
+		fi
+	fi
+}
+
+do_dsa_keygen() {
+	if [ ! -s $DSA_KEY ]; then
+		rm -f $DSA_KEY
+		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $DSA_KEY
+			chmod 600 $DSA_KEY
+			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+				/sbin/restorecon $DSA_KEY.pub
+			fi
+		else
+			exit 1
+		fi
+	fi
+}
+
+# Create keys
+do_rsa_keygen
+do_rsa1_keygen
+do_dsa_keygen
diff --git a/openssh/sshd.pam b/openssh/sshd.pam
index ba632dda5..a80e45061 100644
--- a/openssh/sshd.pam
+++ b/openssh/sshd.pam
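Review bot: The new script generates an SSH protocol 1 host key (`-t rsa1`) and no ECDSA key, whereas the `ssh-keygen` script it replaces (deleted earlier in this commit) generated rsa, dsa and ecdsa; with 5.9p1's default HostKey set including `ssh_host_ecdsa_key`, sshd will complain about the missing key on every start and ECDSA-preferring clients fall back, while the rsa1 key is only ever used if sshd_config (not shown) enables `Protocol 1`. Two further issues in the same functions: `chgrp ssh_keys` followed by `chmod 600` leaves the group with no access, so either the mode should be 640 (if a setgid `ssh-keysign` is the intended reader, as in the layout this is adopted from) or the `chgrp` is dead code; and `>&/dev/null` plus a bare `exit 1` leaves no trace in the boot log of which key failed. The three near-identical functions also differ only in type and path, so I would fold them into one helper, add ecdsa, drop the rsa1 call unless Protocol 1 is really wanted, and print a message before exiting, as below.

```shell
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key

# … unchanged: KEYGEN, RSA_KEY, DSA_KEY definitions …

# Generate one host key pair if the private key is missing or empty.
#   $1 = key type passed to ssh-keygen -t, $2 = private key path
do_keygen() {
	local type="$1" key="$2"
	if [ ! -s "$key" ]; then
		rm -f "$key"
		if test ! -f "$key" && $KEYGEN -q -t "$type" -f "$key" -C '' -N '' >&/dev/null; then
			chgrp ssh_keys "$key"
			chmod 600 "$key"
			chmod 644 "$key.pub"
			if [ -x /sbin/restorecon ]; then
				/sbin/restorecon "$key.pub"
			fi
		else
			echo "sshd-keygen: generating $type host key $key failed" >&2
			exit 1
		fi
	fi
}

# Create keys (add "do_keygen rsa1 $RSA1_KEY" only if Protocol 1 is enabled)
do_keygen rsa "$RSA_KEY"
do_keygen ecdsa "$ECDSA_KEY"
do_keygen dsa "$DSA_KEY"
```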
@@ -1,9 +1,15 @@
 #%PAM-1.0
-auth include system-auth
-
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
 account required pam_nologin.so
-account include system-auth
-
-password include system-auth
-
-session include system-auth
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
diff --git a/openssh/systemd/openssh.service b/openssh/systemd/openssh.service
deleted file mode 100644
index 7fdd641cf..000000000
--- a/openssh/systemd/openssh.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=OpenSSH Server
-After=network.target
-
-[Service]
-ExecStartPre=/usr/lib/openssh/ssh-keygen
-ExecStart=/usr/sbin/sshd -D
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/openssh/systemd/sshd-keygen.service b/openssh/systemd/sshd-keygen.service
new file mode 100644
index 000000000..bfef3289f
--- /dev/null
+++ b/openssh/systemd/sshd-keygen.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSH server keys generation.
+After=syslog.target
+Before=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/sshd-keygen
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service
new file mode 100644
index 000000000..6b90aa165
--- /dev/null
+++ b/openssh/systemd/sshd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
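Review bot: The rewritten stack replaces `system-auth` with `password-auth` and `postlogin` (plus `pam_sepermit.so`, `pam_selinux.so` and `pam_loginuid.so`), which are the names used by the Fedora layout this is adopted from, and nothing in this commit adds those files; Linux-PAM treats an `include`/`substack` of a missing file as a configuration error, so unless the base pam package on this distribution already ships `/etc/pam.d/password-auth` and `/etc/pam.d/postlogin`, PAM-based authentication and session setup through sshd will fail outright. Please confirm both stacks exist before this lands, or keep `system-auth` until they do. A header comment would make the dependency visible, e.g. `# Requires the password-auth and postlogin stacks from the pam package.`.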
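Review bot: `Before=sshd.service` is an ordering constraint only; nothing pulls sshd-keygen.service into sshd's transaction, so a system where only `sshd.service` (or `sshd.socket`) is enabled starts sshd without host keys on first boot. The socket-activated path this commit also adds is not even ordered, since the `Before=` names only sshd.service. Either add `Wants=sshd-keygen.service` and `After=sshd-keygen.service` to the consumers, or express it from this side with `Before=sshd.service sshd.socket` and `WantedBy=sshd.service sshd.socket` so that enabling either consumer pulls the key generation in.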
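Review bot: The unit sets no `KillMode=process`, so with systemd's default control-group kill mode every stop or restart of sshd.service — including the `try-restart` this commit adds to the postup script — terminates all forked per-session sshd processes, i.e. every established SSH session, including the one an administrator may be running the upgrade from. Add `KillMode=process` under `[Service]` so only the listener is replaced. `$OPTIONS` is also referenced without any `EnvironmentFile=` here, so it is always empty; either add `EnvironmentFile=-/etc/sysconfig/sshd` (the file sshd@.service in this commit already reads) or drop the variable.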
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644
index 000000000..94b953318
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/openssh/systemd/sshd@.service b/openssh/systemd/sshd@.service
new file mode 100644
index 000000000..09f995e77
--- /dev/null
+++ b/openssh/systemd/sshd@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=-/usr/sbin/sshd -i $OPTIONS
+StandardInput=socket
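Review bot: The socket unit neither orders itself after nor pulls in `sshd-keygen.service`, so with socket activation enabled on a fresh install port 22 is bound before any host key exists and connections accepted in that window are handed to an `sshd -i` that has no host key to offer; add `Wants=sshd-keygen.service` and `After=sshd-keygen.service` under `[Unit]`. `ListenStream=22` also fixes the port independently of `Port` in sshd_config, which matters on a firewall where the SSH port is commonly moved; a comment such as `# The socket, not sshd_config, owns the listening port in this mode.` would prevent surprise.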
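Review bot: `EnvironmentFile=/etc/sysconfig/sshd` has no leading `-`, so the per-connection unit fails to start — every accepted connection is dropped — whenever that file is absent, and nothing in this commit installs `/etc/sysconfig/sshd`. Use `EnvironmentFile=-/etc/sysconfig/sshd`, or ship the file (even if empty) in the openssh-server package. Note that `ExecStart=-...` only ignores sshd's exit status; it does not rescue a unit whose environment file cannot be read.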