From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] openssh: Update to 7.4
Date: Thu, 12 Jan 2017 15:07:45 +0100	[thread overview]
Message-ID: <20170112140745.29872-1-stefan.schantl@ipfire.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 4940 bytes --]

This is a minor update to the latest stable version of OpenSSH.

* Enable root login with password.
* Drop selinux related modules from pam file.
* Rework Systemd unit files and add files for socket-based
activation.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 openssh/openssh.nm            | 13 +++++++++++--
 openssh/sshd.pam              |  5 -----
 openssh/systemd/sshd.service  |  7 +++++--
 openssh/systemd/sshd.socket   | 11 +++++++++++
 openssh/systemd/sshd(a).service |  9 +++++++++
 5 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 openssh/systemd/sshd.socket
 create mode 100644 openssh/systemd/sshd(a).service

diff --git a/openssh/openssh.nm b/openssh/openssh.nm
index 2e8de76..8b7ecea 100644
--- a/openssh/openssh.nm
+++ b/openssh/openssh.nm
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = openssh
-version    = 7.3p1
+version    = 7.4p1
 release    = 1
 
 groups     = Application/Internet
@@ -60,11 +60,12 @@ build
 		# Disable GSS API authentication because KRB5 is required for that.
 		sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
 
-		# Enable PAM usage, disable ChallengeResponseAuthentication and disable Motd.
+		# Enable PAM usage, disable ChallengeResponseAuthentication, enable root login and disable Motd.
 		sed \
 			-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
 			-e '/^#PrintMotd yes$/c PrintMotd no' \
 			-e '/^#UsePAM no$/c UsePAM yes' \
+			-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
 			-i %{BUILDROOT}/etc/ssh/sshd_config
 
 		# Install scriptfile for key generation
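Review bot: The new `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` expression only fires when sshd_config carries that exact upstream comment line; if a later OpenSSH release rewords or re-defaults it, the directive is silently not applied and the build still succeeds. A build-time check after the sed, such as `grep -q '^PermitRootLogin yes$' %{BUILDROOT}/etc/ssh/sshd_config`, would turn that silent miss into a build failure. Beyond the mechanics, `PermitRootLogin yes` instead of the 7.4 default `prohibit-password` makes the root account reachable by password guessing on every interface sshd listens on, and the updated comment only says what is done, not why key-only root login is not sufficient for this project; one sentence of rationale in that comment would help the next reviewer. The enclosing `build` section starts and ends outside the hunk.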
@@ -140,6 +141,8 @@ packages
 			%{sysconfdir}/ssh/sshd_config
 			%{unitdir}/sshd.service
 			%{unitdir}/sshd-keygen.service
+			%{unitdir}/sshd(a).service
+			%{unitdir}/sshd.socket
 			%{libdir}/openssh/sftp-server
 			%{sbindir}/sshd-keygen
 			%{sbindir}/sshd
@@ -173,7 +176,9 @@ packages
 
 		script preun
 			/bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || :
+			/bin/systemctl --no-reload disable sshd.socket
 			/bin/systemctl stop sshd.service >/dev/null 2>&1 || :
+			/bin/systemctl stop sshd.socket >/dev/null 2>&1 || :
 		end
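Review bot: The added `/bin/systemctl --no-reload disable sshd.socket` line is the only command in the preun script without `>/dev/null 2>&1 || :`, so on a system where the socket unit was never enabled its non-zero exit status and stderr output escape the scriptlet, unlike every sibling line; write it as `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :` to match. The preun script is complete within the hunk, the enclosing `packages` section is not.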
 
 		script postun
@@ -181,6 +186,10 @@ packages
 		end
 
 		script postup
+			# Enable root login.
+			sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+				-i %{sysconfdir}/ssh/sshd_config
+
 			/bin/systemctl daemon-reload >/dev/null 2>&1 || :
 
 			/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
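Review bot: The sed added at the top of postup rewrites the live `%{sysconfdir}/ssh/sshd_config` of an already installed system, so an upgrade silently turns on root password login for any installation that still has the stock commented line, and the `try-restart` a few lines later makes it effective immediately without any administrator action. Because the pattern matches only the untouched upstream default, an administrator who explicitly set `PermitRootLogin no` keeps that setting, which is the right outcome but is not stated; a comment such as `# Only the untouched upstream default line is rewritten; an explicit PermitRootLogin setting is preserved.` would document it. This sed duplicates the build-time one in the same file, so both patterns need to be kept in step when upstream changes the default line. The postup script continues past the end of the hunk.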
diff --git a/openssh/sshd.pam b/openssh/sshd.pam
index a80e450..a9af149 100644
--- a/openssh/sshd.pam
+++ b/openssh/sshd.pam
@@ -1,15 +1,10 @@
 #%PAM-1.0
-auth	   required	pam_sepermit.so
 auth       substack     password-auth
 auth       include      postlogin
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
-# pam_selinux.so close should be the first session rule
-session    required     pam_selinux.so close
 session    required     pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session    required     pam_selinux.so open env_params
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
 session    include      postlogin
diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service
index 9007d89..8372355 100644
--- a/openssh/systemd/sshd.service
+++ b/openssh/systemd/sshd.service
@@ -1,11 +1,14 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=syslog.target network.target auditd.service sshd-keygen.service
+Wants=sshd-keygen.service
 
 [Service]
-ExecStartPre=/usr/sbin/sshd-keygen
 ExecStart=/usr/sbin/sshd -D
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
 
 [Install]
 WantedBy=multi-user.target
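Review bot: `KillMode=process` is the one new setting in this unit whose purpose is not evident from the unit itself, and unit files accept `#` comment lines; a line above it such as `# Kill only the listening daemon on stop/restart; forked per-session sshd processes keep running.` would record the intent, since with any other KillMode a restart would drop established sessions. For consistency with the two units introduced alongside this one, the `[Unit]` section could also carry `Documentation=man:sshd(8) man:sshd_config(5)`.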
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644
index 0000000..caa50c4
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
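Review bot: With `Accept=yes` each incoming connection is handed to its own `sshd -i` instance, so the `MaxStartups` throttle on unauthenticated connections that the standalone listening daemon enforces no longer applies as far as I can tell; the `[Socket]` section has no `MaxConnections=` line, so only systemd's built-in default bounds the number of concurrent instances. An explicit `MaxConnections=` entry, sized to what `MaxStartups` allowed before, keeps that limit visible and reviewable in the unit. `Conflicts=sshd.service` already prevents the socket and the standalone daemon from both owning port 22, which is good.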
diff --git a/openssh/systemd/sshd(a).service b/openssh/systemd/sshd(a).service
new file mode 100644
index 0000000..57862c0
--- /dev/null
+++ b/openssh/systemd/sshd(a).service
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.service
+After=sshd-keygen.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
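Review bot: The `-` prefix in `ExecStart=-/usr/sbin/sshd -i` makes systemd ignore a non-zero exit status, presumably so that a rejected or dropped connection does not leave a failed per-connection instance behind; a comment above it, `# '-': a non-zero exit from one connection must not mark the instance unit as failed.`, would make that explicit. The file name rendered here as `sshd(a).service` looks like the archive's address obfuscation of `sshd@.service`, which is the template name that `Accept=yes` in sshd.socket dispatches to; anyone applying this patch from the archive needs to restore the `@`, and the same obfuscation appears in the diffstat and in the `%{unitdir}` file list hunk of openssh.nm.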
-- 
2.9.3


