From mboxrd@z Thu Jan 1 00:00:00 1970 
From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [IPFire-SCM] [git.ipfire.org] IPFire 3.x development tree branch, master, updated. e78de92e15c1bb378e6447cf8b7131e491b00b29 Date: Mon, 12 Mar 2012 00:23:27 +0100 Message-ID: <20120311232328.5DFFE200D6@argus.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3933021322235491215==" List-Id: --===============3933021322235491215== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree". The branch, master has been updated via e78de92e15c1bb378e6447cf8b7131e491b00b29 (commit) via 40c54876556beb130f2f17211a69a23d5be9587a (commit) via a5d9074a463a3c13e46784a0b1e0e7a548027c97 (commit) from 47902c21be198525dc2ebe7f4caed1c6d2497346 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit e78de92e15c1bb378e6447cf8b7131e491b00b29 Author: Michael Tremer Date: Mon Mar 12 00:22:18 2012 +0100 openssh: Some bigger changes. =20 Adopts systemd files from Fedora and cleans up a lot in the makefile. commit 40c54876556beb130f2f17211a69a23d5be9587a Author: Michael Tremer Date: Sun Mar 11 23:42:07 2012 +0100 grubby: Update to version 8.9. =20 Fixes #10059, #10062. commit a5d9074a463a3c13e46784a0b1e0e7a548027c97 Author: Michael Tremer Date: Sun Mar 11 23:41:39 2012 +0100 samba: Make package compile on x86_64. 
----------------------------------------------------------------------- Summary of changes: grubby/grubby.nm | 16 +++- openssh/openssh.nm | 139 ++++++++++++++++++++++-----------= -- openssh/ssh-keygen | 8 -- openssh/sshd-keygen | 63 ++++++++++++++++ openssh/sshd.pam | 20 +++-- openssh/systemd/openssh.service | 12 --- openssh/systemd/sshd-keygen.service | 12 +++ openssh/systemd/sshd.service | 10 +++ openssh/systemd/sshd.socket | 10 +++ openssh/systemd/sshd(a).service | 8 ++ samba/samba.nm | 26 +++--- 11 files changed, 230 insertions(+), 94 deletions(-) delete mode 100644 openssh/ssh-keygen create mode 100644 openssh/sshd-keygen delete mode 100644 openssh/systemd/openssh.service create mode 100644 openssh/systemd/sshd-keygen.service create mode 100644 openssh/systemd/sshd.service create mode 100644 openssh/systemd/sshd.socket create mode 100644 openssh/systemd/sshd(a).service Difference in files: diff --git a/grubby/grubby.nm b/grubby/grubby.nm index 92c1a58..830f27d 100644 --- a/grubby/grubby.nm +++ b/grubby/grubby.nm @@ -4,7 +4,7 @@ ############################################################################= ### =20 name =3D grubby -version =3D 8.3 +version =3D 8.9 release =3D 1 =20 groups =3D System/Base @@ -20,7 +20,8 @@ description environment. end =20 -sources =3D %{thisapp}.tar.bz2 +# Source tarballs must be generated from git. +sources =3D %{thisapp}.tar.bz2 =20 build requires @@ -34,11 +35,20 @@ build make test end =20 - make_install_targets +=3D mandir=3D/usr/share/man + make_install_targets +=3D mandir=3D%{mandir} end =20 packages package %{name} + # Pull in uboot-tools on ARM platforms. + if "%{DISTRO_ARCH}" =3D=3D "armv7hl" + requires +=3D uboot-tools + end + + if "%{DISTRO_ARCH}" =3D=3D "armv5tel" + requires +=3D uboot-tools + end + end =20 package %{name}-debuginfo template DEBUGINFO diff --git a/openssh/openssh.nm b/openssh/openssh.nm index 0b0250c..d04d2b2 100644 --- a/openssh/openssh.nm +++ b/openssh/openssh.nm 
@@ -5,7 +5,7 @@ =20 name =3D openssh version =3D 5.9p1 -release =3D 3 +release =3D 4 =20 groups =3D Application/Internet url =3D http://www.openssh.com/portable.html @@ -26,10 +26,14 @@ build audit-devel autoconf automake + groff + libedit-devel libselinux-devel - nss-devel - openssl-devel>=3D1.0.0d-2 + ncurses-devel + openldap-devel + openssl-devel >=3D 1.0.0d-2 pam-devel + util-linux zlib-devel end =20 @@ -67,17 +71,25 @@ build end =20 configure_options +=3D \ - --sysconfdir=3D/etc/ssh \ - --datadir=3D/usr/share/sshd \ - --libexecdir=3D/usr/lib/openssh \ - --with-md5-passwords \ - --with-privsep-path=3D/var/lib/sshd \ + --sysconfdir=3D%{sysconfdir}/ssh \ + --datadir=3D%{datadir}/sshd \ + --libexecdir=3D%{libdir}/openssh \ + --with-default-path=3D/usr/local/bin:/bin:/usr/bin \ + --with-superuser-path=3D/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbi= n:/usr/bin \ + --with-privsep-path=3D/var/empty/sshd \ + --enable-vendor-patchlevel=3D"%{DISTRO_NAME} %{thisver}" \ + --disable-strip \ + --with-ssl-engine \ + --with-authorized-keys-command \ + --with-ipaddr-display \ + --with-ldap \ --with-pam \ + --with-libedit \ --with-selinux \ --with-audit=3Dlinux =20 prepare_cmds - autoreconf + autoreconf -vfi end =20 install_cmds 
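Review bot: In the `configure_options` hunk of openssh/openssh.nm, `--with-authorized-keys-command`, `--with-ldap` and `--enable-vendor-patchlevel` do not look like options of the upstream 5.9p1 configure script. They appear to come from distribution patches, and this commit adds no patch. configure only warns about options it does not recognise, so the package would build and ship without the key-command and LDAP lookups an administrator may later rely on for access control. If the patches are not already in the tree, either add them or drop the flags, and consider `--enable-option-checking=fatal` so that a stale flag fails the build. The `build` block starts and ends outside the hunk.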
@@ -85,15 +97,32 @@ build sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config =20 # Install scriptfile for key generation - install -m 754 %{DIR_SOURCE}/ssh-keygen %{BUILDROOT}/usr/lib/openssh/ + mkdir -pv %{BUILDROOT}%{sbindir} + install -m 754 %{DIR_SOURCE}/sshd-keygen %{BUILDROOT}%{sbindir} + + # Install ssh-copy-id. + install -m755 contrib/ssh-copy-id %{BUILDROOT}%{bindir} + install contrib/ssh-copy-id.1 %{BUILDROOT}%{mandir}/man1/ end end =20 packages package openssh + prerequires + shadow-utils + end + requires - openssh-clients=3D%{thisver} - openssh-server=3D%{thisver} + openssh-clients =3D %{thisver} + openssh-server =3D %{thisver} + end + + configfiles + %{sysconfdir}/ssh/moduli + end + + script prein + getent group sshd_keys >/dev/null || groupadd -r ssh_keys || : end end =20 
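Review bot: The `prein` scriptlet of the `openssh` package tests for one group and creates another: `getent group sshd_keys` can never match the `ssh_keys` group that `groupadd -r ssh_keys` creates and that sshd-keygen later passes to `chgrp`. On every install after the first, groupadd therefore runs again and fails, and `|| :` hides that along with any genuine failure. The line should read `getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :`. In the same hunk, `install contrib/ssh-copy-id.1 …` has no `-m`, so the man page gets install's default executable mode; `install -m 644` is the usual choice for a man page.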
@@ -101,29 +130,33 @@ packages summary =3D OpenSSH client applications. description =3D %{summary} =20 + requires =3D openssh =3D %{thisver} + files - /etc/ssh/ssh_config - /usr/bin/scp - /usr/bin/sftp - /usr/bin/slogin - /usr/bin/ssh - /usr/bin/ssh-add - /usr/bin/ssh-agent - /usr/bin/ssh-keyscan - /usr/lib/openssh/ssh-pkcs11-helper - /usr/share/man/cat1/scp.1 - /usr/share/man/cat1/sftp.1 - /usr/share/man/cat1/slogin.1 - /usr/share/man/cat1/ssh-add.1 - /usr/share/man/cat1/ssh-agent.1 - /usr/share/man/cat1/ssh-keyscan.1 - /usr/share/man/cat1/ssh.1 - /usr/share/man/cat5/ssh_config.5 - /usr/share/man/cat8/ssh-pkcs11-helper.8 + %{sysconfdir}/ssh/ssh_config + %{bindir}/scp + %{bindir}/sftp + %{bindir}/slogin + %{bindir}/ssh + %{bindir}/ssh-add + %{bindir}/ssh-agent + %{bindir}/ssh-copy-id + %{bindir}/ssh-keyscan + %{libdir}/openssh/ssh-pkcs11-helper + %{mandir}/man1/scp.1* + %{mandir}/man1/sftp.1* + %{mandir}/man1/slogin.1* + %{mandir}/man1/ssh-add.1* + %{mandir}/man1/ssh-agent.1* + %{mandir}/man1/ssh-copy-id.1* + %{mandir}/man1/ssh-keyscan.1* + %{mandir}/man1/ssh.1* + %{mandir}/man5/ssh_config.5* + %{mandir}/man8/ssh-pkcs11-helper.8* end =20 configfiles - /etc/ssh/ssh_config + %{sysconfdir}/ssh/ssh_config end end =20 
@@ -131,26 +164,24 @@ packages summary =3D OpenSSH server applications. description =3D %{summary} =20 - # /usr/bin/ssh-keygen is needed to generate keys for the ssh server. - requires =3D /usr/bin/ssh-keygen + requires =3D openssh =3D %{thisver} =20 files - /etc/pam.d/sshd - /etc/ssh/moduli - /etc/ssh/sshd_config - /lib/systemd/system/openssh.service - /usr/lib/openssh/sftp-server - /usr/lib/openssh/ssh-keygen - /usr/sbin/sshd - /usr/share/man/cat5/sshd_config.5* - /usr/share/man/cat5/moduli.5* - /usr/share/man/cat8/sshd.8* - /usr/share/man/cat8/sftp-server.8* - /var/lib/sshd + %{sysconfdir}/pam.d/sshd + %{sysconfdir}/ssh/sshd_config + /lib/systemd + %{libdir}/openssh/sftp-server + %{sbindir}/sshd-keygen + %{sbindir}/sshd + %{mandir}/man5/sshd_config.5* + %{mandir}/man5/moduli.5* + %{mandir}/man8/sshd.8* + %{mandir}/man8/sftp-server.8* + /var/empty/sshd end =20 configfiles - /etc/ssh/sshd_config + %{sysconfdir}/ssh/sshd_config end =20 prerequires @@ -160,9 +191,10 @@ packages =20 script prein # Create unprivileged user and group. - getent group sshd || groupadd -r sshd - getent passwd sshd || useradd -r -g sshd \ - -d /var/lib/sshd -s /sbin/nologin sshd + getent group sshd >/dev/null || groupadd -r sshd + getent passwd sshd >/dev/null || useradd -r -g sshd \ + -c "Privilege-separated SSH" \ + -d /var/empty/sshd -s /sbin/nologin sshd end =20 script postin @@ -170,8 +202,10 @@ packages end =20 script preun - /bin/systemctl --no-reload disable openssh.service >/dev/null 2>&1 || : - /bin/systemctl stop openssh.service >/dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd.service >/dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd-keygen.service >/dev/null 2>&1 ||= : + /bin/systemctl stop sshd.service >/dev/null 2>&1 || : + /bin/systemctl stop sshd-keygen.service >/dev/null 2>&1 || : end =20 script postun 
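Review bot: The `preun` scriptlet disables and stops `sshd.service` and `sshd-keygen.service` but not `sshd.socket`, which this commit also ships with an `[Install]` section and which the `/lib/systemd` entry in the files list packages. A host that had enabled socket activation would keep the enablement symlink, and possibly a listener on port 22, after the package is removed. Add `/bin/systemctl --no-reload disable sshd.socket >/dev/null 2>&1 || :` and the matching `stop` line. The first hunk on this line also drops `requires = /usr/bin/ssh-keygen`, although the new sshd-keygen script still calls that binary. That is fine only if the `openssh` package it now requires ships the binary, which is not visible here.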
@@ -180,6 +214,9 @@ packages =20 script postup /bin/systemctl daemon-reload >/dev/null 2>&1 || : + + /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : + /bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || : end end =20 diff --git a/openssh/ssh-keygen b/openssh/ssh-keygen deleted file mode 100644 index 46e64d6..0000000 --- a/openssh/ssh-keygen +++ /dev/null @@ -1,8 +0,0 @@ -#! /bin/sh - -# Generates keyfiles for defined algorithm -for algo in dsa rsa ecdsa; do - [ -e "/etc/ssh/ssh_host_${algo}_key" ] && continue - /usr/bin/ssh-keygen -q -t ${algo} -N "" -f /etc/ssh/ssh_host_${algo}_key -done - diff --git a/openssh/sshd-keygen b/openssh/sshd-keygen new file mode 100644 index 0000000..619e839 --- /dev/null +++ b/openssh/sshd-keygen 
@@ -0,0 +1,63 @@ +#!/bin/bash + +# Create the host keys for the OpenSSH server. +# + +# Some functions to make the below more readable +KEYGEN=3D/usr/bin/ssh-keygen +RSA1_KEY=3D/etc/ssh/ssh_host_key +RSA_KEY=3D/etc/ssh/ssh_host_rsa_key +DSA_KEY=3D/etc/ssh/ssh_host_dsa_key + +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + rm -f $RSA1_KEY + if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/d= ev/null; then + chgrp ssh_keys $RSA1_KEY + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi + else + exit 1 + fi + fi +} + +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + rm -f $RSA_KEY + if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/= null; then + chgrp ssh_keys $RSA_KEY + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi + else + exit 1 + fi + fi +} + +do_dsa_keygen() { + if [ ! -s $DSA_KEY ]; then + rm -f $DSA_KEY + if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/= null; then + chgrp ssh_keys $DSA_KEY + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi + else + exit 1 + fi + fi +} + +# Create keys +do_rsa_keygen +do_rsa1_keygen +do_dsa_keygen diff --git a/openssh/sshd.pam b/openssh/sshd.pam index ba632dd..a80e450 100644 --- a/openssh/sshd.pam +++ b/openssh/sshd.pam 
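Review bot: The new sshd-keygen script no longer creates an ECDSA host key, which the removed helper did (`for algo in dsa rsa ecdsa`), and instead adds an `rsa1` key that only the SSH protocol 1 server uses. Protocol 1 is off by default in this OpenSSH release and is cryptographically weak, so that key should not be generated unless protocol 1 is deliberately enabled. The three functions are identical apart from the key type, so one parameterised function with quoted paths would cover rsa, ecdsa and dsa; a sketch follows. Note also that `chmod 600` leaves the `ssh_keys` group without access, so the `chgrp` has no effect as written.

```bash
# … unchanged: KEYGEN, RSA_KEY and DSA_KEY definitions …
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key

# Generate one host key of the given type unless a non-empty key file exists.
do_keygen() {
	local type="$1" key="$2"

	[ -s "${key}" ] && return 0

	rm -f "${key}"
	"${KEYGEN}" -q -t "${type}" -f "${key}" -C '' -N '' >/dev/null 2>&1 || exit 1

	chgrp ssh_keys "${key}"
	chmod 600 "${key}"
	chmod 644 "${key}.pub"
	if [ -x /sbin/restorecon ]; then
		/sbin/restorecon "${key}.pub"
	fi
}

# Create keys
do_keygen rsa "${RSA_KEY}"
do_keygen ecdsa "${ECDSA_KEY}"
do_keygen dsa "${DSA_KEY}"
```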
@@ -1,9 +1,15 @@ #%PAM-1.0 -auth include system-auth - +auth required pam_sepermit.so +auth substack password-auth +auth include postlogin account required pam_nologin.so -account include system-auth - -password include system-auth - -session include system-auth +account include password-auth +password include password-auth +# pam_selinux.so close should be the first session rule +session required pam_selinux.so close +session required pam_loginuid.so +# pam_selinux.so open should only be followed by sessions to be executed in = the user context +session required pam_selinux.so open env_params +session optional pam_keyinit.so force revoke +session include password-auth +session include postlogin diff --git a/openssh/systemd/openssh.service b/openssh/systemd/openssh.service deleted file mode 100644 index 7fdd641..0000000 --- a/openssh/systemd/openssh.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=3DOpenSSH Server -After=3Dnetwork.target - -[Service] -ExecStartPre=3D/usr/lib/openssh/ssh-keygen -ExecStart=3D/usr/sbin/sshd -D -ExecReload=3D/bin/kill -HUP $MAINPID -Restart=3Dalways - -[Install] -WantedBy=3Dmulti-user.target diff --git a/openssh/systemd/sshd-keygen.service b/openssh/systemd/sshd-keyge= n.service new file mode 100644 index 0000000..bfef328 --- /dev/null +++ b/openssh/systemd/sshd-keygen.service @@ -0,0 +1,12 @@ +[Unit] +Description=3DSSH server keys generation. +After=3Dsyslog.target +Before=3Dsshd.service + +[Service] +Type=3Doneshot +ExecStart=3D/usr/sbin/sshd-keygen +RemainAfterExit=3Dyes + +[Install] +WantedBy=3Dmulti-user.target diff --git a/openssh/systemd/sshd.service b/openssh/systemd/sshd.service new file mode 100644 index 0000000..6b90aa1 --- /dev/null +++ b/openssh/systemd/sshd.service @@ -0,0 +1,10 @@ +[Unit] +Description=3DOpenSSH server daemon +After=3Dsyslog.target network.target auditd.service + +[Service] +ExecStart=3D/usr/sbin/sshd -D $OPTIONS +ExecReload=3D/bin/kill -HUP $MAINPID + +[Install] +WantedBy=3Dmulti-user.target 
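Review bot: The new openssh/sshd.pam stack pulls in `password-auth` and `postlogin` (`auth substack password-auth`, `auth include postlogin`, and the account, password and session lines), where the old file needed only `system-auth`. Neither file is added by this commit. Unless another package already installs them under /etc/pam.d, every stage that includes them will fail, and with `--with-pam` in the build, logins over SSH would be refused. Please confirm both files exist on the target system, or keep `system-auth` until they do. A comment at the top of the file naming the package that provides them would help the next reader.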
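Review bot: openssh/systemd/sshd.service has no dependency on key generation. The removed unit ran the keygen helper from `ExecStartPre=`, while the new one relies on `Before=sshd.service` in sshd-keygen.service, which only orders the two units when both are started. If sshd-keygen.service is not enabled, sshd starts without host keys; adding `Wants=sshd-keygen.service` and `After=sshd-keygen.service` to `[Unit]` makes the dependency explicit. The unit also expands `$OPTIONS` without an `EnvironmentFile=` line, unlike the per-connection unit. It drops `Restart=always` as well, so a crashed daemon on a remotely managed host stays down until someone restarts it by hand.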
diff --git a/openssh/systemd/sshd.socket b/openssh/systemd/sshd.socket new file mode 100644 index 0000000..94b9533 --- /dev/null +++ b/openssh/systemd/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=3DOpenSSH Server Socket +Conflicts=3Dsshd.service + +[Socket] +ListenStream=3D22 +Accept=3Dyes + +[Install] +WantedBy=3Dsockets.target diff --git a/openssh/systemd/sshd(a).service b/openssh/systemd/sshd(a).service new file mode 100644 index 0000000..09f995e --- /dev/null +++ b/openssh/systemd/sshd(a).service @@ -0,0 +1,8 @@ +[Unit] +Description=3DOpenSSH per-connection server daemon +After=3Dsyslog.target auditd.service + +[Service] +EnvironmentFile=3D/etc/sysconfig/sshd +ExecStart=3D-/usr/sbin/sshd -i $OPTIONS +StandardInput=3Dsocket diff --git a/samba/samba.nm b/samba/samba.nm index dcf1edf..5902b9b 100644 --- a/samba/samba.nm +++ b/samba/samba.nm @@ -5,7 +5,7 @@ =20 name =3D samba version =3D 3.6.3 -release =3D 1 +release =3D 2 =20 maintainer =3D Christian Schmidt groups =3D Networking/Daemons @@ -53,17 +53,17 @@ build DIR_APP =3D %{DIR_SRC}/%{thisapp}/source3 =20 configure_options +=3D \ - --prefix=3D/usr \ + --prefix=3D%{prefix} \ --localstatedir=3D/var \ - --with-lockdir=3D/var/lib/samba \ - --with-piddir=3D/var/run \ - --with-mandir=3D/usr/share/man \ - --with-privatedir=3D/var/lib/samba/private \ + --with-lockdir=3D%{sharedstatedir}/samba \ + --with-piddir=3D%{rundir} \ + --with-mandir=3D%{mandir} \ + --with-privatedir=3D%{sharedstatedir}/samba/private \ --with-logfilebase=3D/var/log/samba \ - --with-modulesdir=3D/usr/lib/samba \ - --with-configdir=3D/etc/samba \ - --with-pammodulesdir=3D/lib/security \ - --with-swatdir=3D/usr/share/swat \ + --with-modulesdir=3D%{libdir}/samba \ + --with-configdir=3D%{sysconfdir}/samba \ + --with-pammodulesdir=3D/%{lib}/security \ + --with-swatdir=3D%{datadir}/swat \ --with-automount \ --with-libsmbclient \ --with-libsmbsharemodes \ 
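Review bot: In the per-connection unit, `EnvironmentFile=/etc/sysconfig/sshd` has no leading `-`, and this commit does not install that file. systemd refuses to start a service whose mandatory environment file is missing, so with sshd.socket enabled every incoming connection would fail. `EnvironmentFile=-/etc/sysconfig/sshd` makes the file optional. The unit also has no ordering against sshd-keygen.service, so a connection accepted before the keys are generated would find no host key; `Wants=sshd-keygen.service` and `After=sshd-keygen.service` in `[Unit]` would cover that.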
@@ -81,8 +81,8 @@ build all modules =20 install_cmds - mkdir -pv %{BUILDROOT}/etc/samba - echo "127.0.0.1 localhost" > %{BUILDROOT}/etc/samba/lmhosts + mkdir -pv %{BUILDROOT}%{sysconfdir}/samba + echo "127.0.0.1 localhost" > %{BUILDROOT}%{sysconfdir}/samba/lmhosts end end =20 @@ -96,7 +96,7 @@ packages package %{name}-devel template DEVEL =20 - requires +=3D %{name}-libs=3D%{thisver} + requires +=3D %{name}-libs =3D %{thisver} end =20 package %{name}-debuginfo hooks/post-receive -- IPFire 3.x development tree --===============3933021322235491215==--