openssh: Update to 7.4
authorStefan Schantl <stefan.schantl@ipfire.org>
Thu, 12 Jan 2017 14:07:45 +0000 (15:07 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 16 Jan 2017 16:43:25 +0000 (16:43 +0000)
This is a minor update to the latest stable version of OpenSSH.

* Enable root login with password.
* Drop selinux related modules from pam file.
* Rework Systemd unit files and add files for socket-based
activation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
openssh/openssh.nm
openssh/sshd.pam
openssh/systemd/sshd.service
openssh/systemd/sshd.socket [new file with mode: 0644]
openssh/systemd/sshd@.service [new file with mode: 0644]

index 2e8de7629f60685dbbea2fb916ca26afbae8b774..8b7eceab4c2b69e90b0011fd2c37205277e3d676 100644 (file)
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = openssh
-version    = 7.3p1
+version    = 7.4p1
 release    = 1
 
 groups     = Application/Internet
@@ -60,11 +60,12 @@ build
                # Disable GSS API authentication because KRB5 is required for that.
                sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
 
-               # Enable PAM usage, disable ChallengeResponseAuthentication and disable Motd.
+               # Enable PAM usage, disable ChallengeResponseAuthentication, enable root login and disable Motd.
                sed \
                        -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
                        -e '/^#PrintMotd yes$/c PrintMotd no' \
                        -e '/^#UsePAM no$/c UsePAM yes' \
+                       -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
                        -i %{BUILDROOT}/etc/ssh/sshd_config
 
                # Install scriptfile for key generation
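Review bot: The added `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` expression replaces upstream's `prohibit-password` default, so every system built from this package accepts password authentication for root, the one account name that is always known, and with `UsePAM yes` set on the line above that account is open to online password guessing. If root access over SSH is needed, keeping the upstream default and provisioning a key provides it without a guessable secret; if password login is a deliberate product decision, the comment should give the reason rather than only saying "enable root login". The expression matches only the exact commented default line, so a change in upstream's wording would turn it into a silent no-op; a check such as `grep -q '^PermitRootLogin ' %{BUILDROOT}/etc/ssh/sshd_config` after the sed would surface that at build time. The same substitution is repeated in the `script postup` hunk.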
@@ -140,6 +141,8 @@ packages
                        %{sysconfdir}/ssh/sshd_config
                        %{unitdir}/sshd.service
                        %{unitdir}/sshd-keygen.service
+                       %{unitdir}/sshd@.service
+                       %{unitdir}/sshd.socket
                        %{libdir}/openssh/sftp-server
                        %{sbindir}/sshd-keygen
                        %{sbindir}/sshd
@@ -173,7 +176,9 @@ packages
 
                script preun
                        /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || :
+                       /bin/systemctl --no-reload disable sshd.socket
                        /bin/systemctl stop sshd.service >/dev/null 2>&1 || :
+                       /bin/systemctl stop sshd.socket >/dev/null 2>&1 || :
                end
 
                script postun
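Review bot: The added `disable sshd.socket` line is the only systemctl call in `script preun` without `>/dev/null 2>&1 || :`, so if the call fails (for example in a chroot with no running systemd) it writes to the package manager's output and returns a non-zero status that every neighbouring line deliberately swallows. Whether that aborts the scriptlet depends on how it is executed, which is not visible here. I would make it match the others: `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :`.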
@@ -181,6 +186,10 @@ packages
                end
 
                script postup
+                       # Enable root login.
+                       sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+                               -i %{sysconfdir}/ssh/sshd_config
+
                        /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 
                        /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
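Review bot: This `sed` in `script postup` runs on every package update against the installed `%{sysconfdir}/ssh/sshd_config`, so a host whose administrator left the shipped default untouched gets root password login switched on by the upgrade, and the `try-restart` below puts it into effect at once. That is a change of authentication policy on running systems with no message, no backup of the file and no way to opt out. I would drop the edit from `postup` and leave existing configurations alone, or at minimum announce it, e.g. `echo "sshd_config: PermitRootLogin changed to yes by package update" >&2`. The scriptlet body continues past the end of the hunk.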
index a80e4506162b555771cd790b3537b4ee9547fdc1..a9af1499354b86d4ac00e182c05c1e251ff3f63e 100644 (file)
@@ -1,15 +1,10 @@
 #%PAM-1.0
-auth      required     pam_sepermit.so
 auth       substack     password-auth
 auth       include      postlogin
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
-# pam_selinux.so close should be the first session rule
-session    required     pam_selinux.so close
 session    required     pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session    required     pam_selinux.so open env_params
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
 session    include      postlogin
index 9007d896704924b1f18647019782f6a759565bfd..8372355f8d981d6834ac4402054b64419affc595 100644 (file)
@@ -1,11 +1,14 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=syslog.target network.target auditd.service sshd-keygen.service
+Wants=sshd-keygen.service
 
 [Service]
-ExecStartPre=/usr/sbin/sshd-keygen
 ExecStart=/usr/sbin/sshd -D
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
 
 [Install]
 WantedBy=multi-user.target
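Review bot: `KillMode=process` deserves a comment, because it changes what stopping the unit means: only the main sshd process is signalled, and processes forked for established sessions are left running (unless something such as pam_systemd has moved them out of the unit's control group, which this page does not show). That is usually wanted so a restart does not drop the administrator's own session, but it also means `systemctl stop sshd.service` does not cut off sessions that are already open, which matters when the service is stopped while handling an incident. I would add, on its own line above the setting, `# Signal only the listener on stop/restart; established sessions keep running.`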
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644 (file)
index 0000000..caa50c4
--- /dev/null
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
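Review bot: With `Accept=yes` every connection gets its own `sshd -i`, and as far as I know sshd's `MaxStartups` throttling of unauthenticated connections is enforced by the listening daemon, so it does not apply in this mode; the only ceiling left is systemd's default for `MaxConnections=`. Since this same commit enables password login for root, I would set the limit explicitly in `[Socket]`, with a value chosen for the product such as `MaxConnections=32`, and add `MaxConnectionsPerSource=` where the shipped systemd version supports it, so that one peer cannot occupy every slot. The numbers are a policy choice; the point is that they should be decided here rather than inherited.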
diff --git a/openssh/systemd/sshd@.service b/openssh/systemd/sshd@.service
new file mode 100644 (file)
index 0000000..57862c0
--- /dev/null
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.service
+After=sshd-keygen.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
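Review bot: The `-` prefix on `ExecStart=-/usr/sbin/sshd -i` is undocumented and has a monitoring consequence: systemd treats a non-zero exit of a per-connection instance as success, so failed or aborted logins never appear as failed `sshd@…` units and have to be watched in sshd's own log output instead. A comment on its own line above the setting would make that explicit, for example `# '-': a non-zero exit (failed auth, dropped connection) does not mark the instance failed; -i: inetd mode, connection on stdin.`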