This is a minor update to the latest stable version of OpenSSH.
* Enable root login with password. * Drop SELinux-related modules from the PAM file. * Rework systemd unit files and add files for socket-based activation.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- openssh/openssh.nm | 13 +++++++++++-- openssh/sshd.pam | 5 ----- openssh/systemd/sshd.service | 7 +++++-- openssh/systemd/sshd.socket | 11 +++++++++++ openssh/systemd/sshd@.service | 9 +++++++++ 5 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 openssh/systemd/sshd.socket create mode 100644 openssh/systemd/sshd@.service
diff --git a/openssh/openssh.nm b/openssh/openssh.nm
index 2e8de76..8b7ecea 100644
--- a/openssh/openssh.nm
+++ b/openssh/openssh.nm
@@ -4,7 +4,7 @@
 ###############################################################################
name = openssh
-version = 7.3p1
+version = 7.4p1
 release = 1
groups = Application/Internet
@@ -60,11 +60,12 @@ build
 # Disable GSS API authentication because KRB5 is required for that.
 sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
- # Enable PAM usage, disable ChallengeResponseAuthentication and disable Motd.
+ # Enable PAM usage, disable ChallengeResponseAuthentication, enable root login and disable Motd.
 sed \
 -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
 -e '/^#PrintMotd yes$/c PrintMotd no' \
 -e '/^#UsePAM no$/c UsePAM yes' \
+ -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
 -i %{BUILDROOT}/etc/ssh/sshd_config
# Install scriptfile for key generation
@@ -140,6 +141,8 @@ packages
 %{sysconfdir}/ssh/sshd_config
 %{unitdir}/sshd.service
 %{unitdir}/sshd-keygen.service
+ %{unitdir}/sshd@.service
+ %{unitdir}/sshd.socket
 %{libdir}/openssh/sftp-server
 %{sbindir}/sshd-keygen
 %{sbindir}/sshd
@@ -173,7 +176,9 @@ packages
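Review bot: The added `-e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes'` in the build-time sed silently does nothing if the upstream default line ever changes wording, because the `c` command only fires when the anchored pattern matches, so the package would ship a config that no longer matches what the comment above it claims. A check after the sed such as `grep -q '^PermitRootLogin yes$' %{BUILDROOT}/etc/ssh/sshd_config || exit 1` turns that into a build failure instead. The same pattern-coupled sed is repeated in the postup script hunk further down, where it edits the live %{sysconfdir} config. Since this deliberately allows root password authentication through PAM (`UsePAM yes` is set two lines above), the comment should also record why the distribution needs it rather than the upstream `prohibit-password` default. The enclosing `build` block starts before the hunk.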
script preun
 /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl --no-reload disable sshd.socket
 /bin/systemctl stop sshd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop sshd.socket >/dev/null 2>&1 || :
 end
script postun
@@ -181,6 +186,10 @@ packages
 end
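Review bot: The added `/bin/systemctl --no-reload disable sshd.socket` is the only line in the preun script without the `>/dev/null 2>&1 || :` suffix that its three sibling lines carry, so a non-zero exit from systemctl (for example when the socket unit was never enabled) can abort the script before the two `stop` lines run and leave sshd running after the package is removed; how the script runner treats a failing command is not visible here. Make it `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :` for consistency. The `preun` script is complete within the hunk, but the enclosing `packages` block continues on both sides.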
script postup
+ # Enable root login.
+ sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+ -i %{sysconfdir}/ssh/sshd_config
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
diff --git a/openssh/sshd.pam b/openssh/sshd.pam
index a80e450..a9af149 100644
--- a/openssh/sshd.pam
+++ b/openssh/sshd.pam
@@ -1,15 +1,10 @@
 #%PAM-1.0
-auth required pam_sepermit.so
 auth substack password-auth
 auth include postlogin
 account required pam_nologin.so
 account include password-auth
 password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
 session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
 session optional pam_keyinit.so force revoke
 session include password-auth
 session include postlogin
diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service
index 9007d89..8372355 100644
--- a/openssh/systemd/sshd.service
+++ b/openssh/systemd/sshd.service
@@ -1,11 +1,14 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=syslog.target network.target auditd.service sshd-keygen.service
+Wants=sshd-keygen.service
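Review bot: The postup sed rewrites the live `%{sysconfdir}/ssh/sshd_config` in place on every upgrade, and the comment `# Enable root login.` does not say that it targets installations whose preserved config still carries the upstream `#PermitRootLogin prohibit-password` default; an administrator who has explicitly set `PermitRootLogin no` is left untouched because the pattern matches only the commented default, which is worth stating so that nobody later widens the pattern to match any value. Suggested comment: `# Enable root login on upgraded systems whose preserved sshd_config still has the upstream default; an explicit PermitRootLogin setting is left alone.` As with the build-time sed, the edit is a silent no-op if the default line changes wording. The `postup` script continues past the end of the hunk.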
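Review bot: Removing `pam_sepermit.so` and both `pam_selinux.so` session lines leaves no record in sshd.pam of why the SELinux hooks are absent, presumably because the target platform does not ship SELinux, which is not visible here. A short header comment after `#%PAM-1.0`, such as `# No SELinux on this platform: pam_sepermit/pam_selinux intentionally omitted.`, keeps a future sync against the upstream file from reintroducing modules that may not exist on the system. The remaining stack is otherwise unchanged by the hunk.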
[Service]
-ExecStartPre=/usr/sbin/sshd-keygen
 ExecStart=/usr/sbin/sshd -D
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
[Install]
 WantedBy=multi-user.target
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket
new file mode 100644
index 0000000..caa50c4
--- /dev/null
+++ b/openssh/systemd/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/openssh/systemd/sshd@.service b/openssh/systemd/sshd@.service
new file mode 100644
index 0000000..57862c0
--- /dev/null
+++ b/openssh/systemd/sshd@.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.service
+After=sshd-keygen.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
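Review bot: Replacing `ExecStartPre=/usr/sbin/sshd-keygen` with `Wants=sshd-keygen.service` weakens the startup guarantee: `Wants=` still starts sshd.service when sshd-keygen.service fails, whereas the old ExecStartPre aborted the start, so a system without usable host keys would now cycle through the new `Restart=on-failure`/`RestartSec=30s` loop rather than fail once visibly (what sshd-keygen.service does on failure is not visible here). If the hard dependency was intended, `Requires=sshd-keygen.service` keeps the previous behaviour. The two new units carry a `Documentation=man:sshd(8) man:sshd_config(5)` line; adding the same line to this unit keeps the three consistent.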
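Review bot: `ListenStream=22` together with `Accept=yes` spawns one `sshd@` instance per incoming connection and nothing in the [Socket] section bounds that number; in per-connection `sshd -i` mode the `MaxStartups` throttle from sshd_config, which limits concurrent unauthenticated connections for the daemon mode, does not apply, so a `MaxConnections=` setting in [Socket] (for example `MaxConnections=64`, value to be tuned for the platform) is the socket-activated equivalent. Also note that systemd owns the listening socket here, so `Port` and `ListenAddress` in sshd_config are ignored whenever sshd.socket is active and the service listens on all addresses; that should be documented in the unit or next to the sshd_config edits, since an administrator restricting sshd to one interface via sshd_config would not get that restriction in socket mode.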