* [PATCH] openssh: Update to 7.4
@ 2017-01-12 14:07 Stefan Schantl
From: Stefan Schantl @ 2017-01-12 14:07 UTC (permalink / raw)
To: development
This is a minor update to the latest stable version of OpenSSH.
* Enable root login with password.
* Drop selinux related modules from pam file.
* Rework Systemd unit files and add files for socket-based
activation.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
openssh/openssh.nm | 13 +++++++++++--
openssh/sshd.pam | 5 -----
openssh/systemd/sshd.service | 7 +++++--
openssh/systemd/sshd.socket | 11 +++++++++++
openssh/systemd/sshd(a).service | 9 +++++++++
5 files changed, 36 insertions(+), 9 deletions(-)
create mode 100644 openssh/systemd/sshd.socket
create mode 100644 openssh/systemd/sshd(a).service
diff --git a/openssh/openssh.nm b/openssh/openssh.nm
index 2e8de76..8b7ecea 100644
--- a/openssh/openssh.nm
+++ b/openssh/openssh.nm
@@ -4,7 +4,7 @@
###############################################################################
name = openssh
-version = 7.3p1
+version = 7.4p1
release = 1
groups = Application/Internet
@@ -60,11 +60,12 @@ build
# Disable GSS API authentication because KRB5 is required for that.
sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
- # Enable PAM usage, disable ChallengeResponseAuthentication and disable Motd.
+ # Enable PAM usage, disable ChallengeResponseAuthentication, enable root login and disable Motd.
sed \
-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
-e '/^#PrintMotd yes$/c PrintMotd no' \
-e '/^#UsePAM no$/c UsePAM yes' \
+ -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
-i %{BUILDROOT}/etc/ssh/sshd_config
# Install scriptfile for key generation
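Review bot: The added `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` replaces the upstream default, which refuses password authentication for root, with unrestricted root password login in every freshly built package. Nothing in the hunk says why the distribution needs this, so the comment should at least record the reason; if root access is only needed for initial setup, the safer shape is to leave the default alone and provision key-based access. The same expression is repeated in the `script postup` hunk further down, where it runs against the live `%{sysconfdir}/ssh/sshd_config` on upgrade and would switch an existing host that relied on the commented-out default to `PermitRootLogin yes` without the administrator asking for it. The enclosing build section starts and ends outside this hunk.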
@@ -140,6 +141,8 @@ packages
%{sysconfdir}/ssh/sshd_config
%{unitdir}/sshd.service
%{unitdir}/sshd-keygen.service
+ %{unitdir}/sshd(a).service
+ %{unitdir}/sshd.socket
%{libdir}/openssh/sftp-server
%{sbindir}/sshd-keygen
%{sbindir}/sshd
@@ -173,7 +176,9 @@ packages
script preun
/bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl --no-reload disable sshd.socket
/bin/systemctl stop sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop sshd.socket >/dev/null 2>&1 || :
end
script postun
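Review bot: The added `/bin/systemctl --no-reload disable sshd.socket` is the only systemctl call in `script preun` without output redirection and the `|| :` guard. If the command fails for any reason it prints to the console and returns non-zero, which may clutter or abort the uninstall scriptlet, depending on how the package manager treats scriptlet exit codes. Write it like its neighbours: `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :`.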
@@ -181,6 +186,10 @@ packages
end
script postup
+ # Enable root login.
+ sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+ -i %{sysconfdir}/ssh/sshd_config
+
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
diff --git a/openssh/sshd.pam b/openssh/sshd.pam
index a80e450..a9af149 100644
--- a/openssh/sshd.pam
+++ b/openssh/sshd.pam
@@ -1,15 +1,10 @@
#%PAM-1.0
-auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service
index 9007d89..8372355 100644
--- a/openssh/systemd/sshd.service
+++ b/openssh/systemd/sshd.service
@@ -1,11 +1,14 @@
[Unit]
Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=syslog.target network.target auditd.service sshd-keygen.service
+Wants=sshd-keygen.service
[Service]
-ExecStartPre=/usr/sbin/sshd-keygen
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
[Install]
WantedBy=multi-user.target
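Review bot: `KillMode=process` and the move from `ExecStartPre=` to `Wants=sshd-keygen.service` both change behaviour in ways the unit does not document. With `KillMode=process` only the main listener is signalled on stop or restart, so established sessions keep running on the old binary after a security update until they are closed; a comment such as `# Only stop the listener; existing sessions survive a restart` would make that intent explicit. `Wants=` is a weak dependency, so if key generation fails sshd is still started and, presumably lacking host keys, exits and is retried every 30 seconds by `Restart=on-failure`; if that loop is not wanted, `Requires=sshd-keygen.service` would tie the two together.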
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644
index 0000000..caa50c4
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
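Review bot: With `Accept=yes` each incoming connection on port 22 starts its own `sshd -i` instance, so the `MaxStartups` throttle in sshd_config, which is enforced by the listening daemon, no longer limits unauthenticated connections. The only cap left is the socket unit's `MaxConnections=` default, which the file neither sets nor mentions. Since the same patch enables password login for root, setting `MaxConnections=` explicitly in the `[Socket]` section, with a comment explaining the chosen limit, would make the exposure visible to whoever enables this unit.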
diff --git a/openssh/systemd/sshd(a).service b/openssh/systemd/sshd(a).service
new file mode 100644
index 0000000..57862c0
--- /dev/null
+++ b/openssh/systemd/sshd(a).service
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.service
+After=sshd-keygen.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
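Review bot: `StandardInput=socket` is set without a matching `StandardError=`, so standard error presumably follows standard output onto the connection socket. Anything sshd prints before it has set up its own logging, for example a configuration parse error, would then be sent to the remote peer instead of the log. Adding `StandardError=journal` to `[Service]` keeps those messages local.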
--
2.9.3