From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to 7.4 Date: Thu, 12 Jan 2017 15:07:45 +0100 Message-ID: <20170112140745.29872-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0263993922211643167==" List-Id: --===============0263993922211643167== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is a minor update to the latest stable version of OpenSSH. * Enable root login with password. * Drop selinux related modules from pam file. * Rework Systemd unit files and add files for socked based activation. Signed-off-by: Stefan Schantl
---
openssh/openssh.nm | 13 +++++++++++--
openssh/sshd.pam | 5 -----
openssh/systemd/sshd.service | 7 +++++--
openssh/systemd/sshd.socket | 11 +++++++++++
openssh/systemd/sshd(a).service | 9 +++++++++
5 files changed, 36 insertions(+), 9 deletions(-)
create mode 100644 openssh/systemd/sshd.socket
create mode 100644 openssh/systemd/sshd(a).service
diff --git a/openssh/openssh.nm b/openssh/openssh.nm
index 2e8de76..8b7ecea 100644
--- a/openssh/openssh.nm
+++ b/openssh/openssh.nm
@@ -4,7 +4,7 @@
 ############################################################################= ###
=20
 name =3D openssh
-version =3D 7.3p1
+version =3D 7.4p1
 release =3D 1
=20
 groups =3D Application/Internet
@@ -60,11 +60,12 @@ build
 # Disable GSS API authentication because KRB5 is required for that.
 sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
=20
-# Enable PAM usage, disable ChallengeResponseAuthentication and disable Mo= td.
+# Enable PAM usage, disable ChallengeResponseAuthentication, enable root l= ogin and disable Motd.
 sed \
 -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentica= tion no' \
 -e '/^#PrintMotd yes$/c PrintMotd no' \
 -e '/^#UsePAM no$/c UsePAM yes' \
+ -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
 -i %{BUILDROOT}/etc/ssh/sshd_config
=20
 # Install scriptfile for key generation
@@ -140,6 +141,8 @@ packages
 %{sysconfdir}/ssh/sshd_config
 %{unitdir}/sshd.service
 %{unitdir}/sshd-keygen.service
+ %{unitdir}/sshd(a).service
+ %{unitdir}/sshd.socket
 %{libdir}/openssh/sftp-server
 %{sbindir}/sshd-keygen
 %{sbindir}/sshd
@@ -173,7 +176,9 @@ packages
=20
 script preun
 /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl --no-reload disable sshd.socket
 /bin/systemctl stop sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop sshd.socket >/dev/null 2>&1 || :
 end
=20
 script postun
@@ -181,6 +186,10 @@ packages
 end
=20
 script postup
+ # Enable root login.
+ sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+ -i %{sysconfdir}/ssh/sshd_config
+
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
=20
 /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
diff --git a/openssh/sshd.pam b/openssh/sshd.pam
index a80e450..a9af149 100644
--- a/openssh/sshd.pam
+++ b/openssh/sshd.pam
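Review bot: The added `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` turns on password authentication for root over SSH in the shipped sshd_config, replacing the upstream 7.x default `prohibit-password` (key-only root), and neither the commit message nor a comment gives a reason. For a firewall appliance the key-only default is the safer choice; if root access is needed, keeping `PermitRootLogin prohibit-password` and provisioning an authorized_keys file gives the same capability without exposing root to online password guessing, so I would drop this line or add a comment explaining why password root login is required here. Separately, the pattern is anchored on the exact comment text of the 7.4 default file, so a future version that rewords that line would make the sed a silent no-op; a build-time `grep -q '^PermitRootLogin ' %{BUILDROOT}/etc/ssh/sshd_config` after the sed would catch that.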
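Review bot: The new `/bin/systemctl --no-reload disable sshd.socket` line in `script preun` is the only systemctl call in the scriptlet without `>/dev/null 2>&1 || :`, so on a system where the socket was never enabled, or where systemctl is not usable (chroot, container, build environment), it prints an error and returns non-zero, which may abort the uninstall depending on how the script runner treats failures. It should match its neighbours: `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :`.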
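Review bot: `script postup` now rewrites the administrator's live `%{sysconfdir}/ssh/sshd_config` on every package upgrade, applying a security policy change outside the build. The pattern only matches the still-commented default line, so an explicit `PermitRootLogin` setting survives, but an administrator who deliberately left the upstream default (key-only root) will have password root login enabled silently by the upgrade; the comment should say so, e.g. `# Enable root login with password (only if the upstream default line is still untouched).`, and a guard such as `grep -q '^PermitRootLogin' %{sysconfdir}/ssh/sshd_config ||` before the sed would make the intent explicit. Note also that only `sshd.service` is restarted here; with the new `sshd.socket` enabled each connection runs a fresh `sshd -i`, so the edited config is picked up without a restart, but a one-line comment would stop a reader from reading the asymmetry as an omission.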
@@ -1,15 +1,10 @@
 #%PAM-1.0
-auth required pam_sepermit.so
 auth substack password-auth
 auth include postlogin
 account required pam_nologin.so
 account include password-auth
 password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
 session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in = the user context
-session required pam_selinux.so open env_params
 session optional pam_keyinit.so force revoke
 session include password-auth
 session include postlogin
diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service
index 9007d89..8372355 100644
--- a/openssh/systemd/sshd.service
+++ b/openssh/systemd/sshd.service
@@ -1,11 +1,14 @@
 [Unit]
 Description=3DOpenSSH server daemon
-After=3Dsyslog.target network.target auditd.service
+After=3Dsyslog.target network.target auditd.service sshd-keygen.service
+Wants=3Dsshd-keygen.service
=20
 [Service]
-ExecStartPre=3D/usr/sbin/sshd-keygen
 ExecStart=3D/usr/sbin/sshd -D
 ExecReload=3D/bin/kill -HUP $MAINPID
+KillMode=3Dprocess
+Restart=3Don-failure
+RestartSec=3D30s
=20
 [Install]
 WantedBy=3Dmulti-user.target
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644
index 0000000..caa50c4
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=3DOpenSSH Server Socket
+Documentation=3Dman:sshd(8) man:sshd_config(5)
+Conflicts=3Dsshd.service
+
+[Socket]
+ListenStream=3D22
+Accept=3Dyes
+
+[Install]
+WantedBy=3Dsockets.target
diff --git a/openssh/systemd/sshd(a).service b/openssh/systemd/sshd(a).service
new file mode 100644
index 0000000..57862c0
--- /dev/null
+++ b/openssh/systemd/sshd(a).service
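Review bot: Replacing `ExecStartPre=/usr/sbin/sshd-keygen` with `Wants=sshd-keygen.service` loosens the dependency: `Wants=` lets sshd.service start even when key generation failed, and combined with the new `Restart=on-failure` / `RestartSec=30s` a host with no usable host keys will, as far as I can tell, retry every 30 s instead of failing once and clearly. If host keys are a hard requirement, `Requires=sshd-keygen.service` expresses that; if `Wants=` is deliberate, a comment such as `# Wants= rather than Requires= so a keygen failure does not mask a pre-provisioned key set` would document the choice. `KillMode=process` also means `systemctl stop sshd` (and the package's `try-restart`) leaves established sessions running; that is the usual upstream setting, but a one-line comment would keep the next reader from "fixing" it.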
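Review bot: `Accept=yes` makes systemd fork one `sshd -i` instance per incoming TCP connection, and the unit sets no cap, so an unauthenticated connection flood spawns sshd processes without bound; sshd's own `MaxStartups` throttle does not help here because it is enforced by a listening parent sshd, which does not exist in inetd mode. Add a limit under `[Socket]`, e.g. `MaxConnections=64`, and `MaxConnectionsPerSource=` as well if the installed systemd is new enough to support it. `ListenStream=22` also binds every address on all interfaces; on a firewall that is presumably constrained by the packet filter, but stating that in a comment, or binding explicitly, would make the exposure visible in the unit itself.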
@@ -0,0 +1,9 @@
+[Unit]
+Description=3DOpenSSH per-connection server daemon
+Documentation=3Dman:sshd(8) man:sshd_config(5)
+Wants=3Dsshd-keygen.service
+After=3Dsshd-keygen.service
+
+[Service]
+ExecStart=3D-/usr/sbin/sshd -i
+StandardInput=3Dsocket
--=20
2.9.3
--===============0263993922211643167==--
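Review bot: The per-connection template appears as `sshd(a).service` both in this file header and in the packages list of openssh.nm; sshd.socket with `Accept=yes` instantiates `sshd@<n>-<local>-<peer>.service`, so the file must ship as `sshd@.service` — this is presumably the list archive rewriting `@`, but it is worth confirming the packaged filename, because a mismatch only shows up as a failure at the first socket-activated connection. The `-` in `ExecStart=-/usr/sbin/sshd -i` tells systemd to ignore sshd's exit status, which is appropriate so that a rejected login or an aborted session does not leave a failed instance unit behind; a comment such as `# "-" keeps per-connection exits from being reported as unit failures` above it would make that intent explicit.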