Accepting request 874856 from home:kukuk:etc

- Add support for vendor provided configuration files in
  /usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
- Move configuration files from /etc/ssh/ to /usr/share/ssh/

OBS-URL: https://build.opensuse.org/request/show/874856
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=228
Hans Petter Jansson 2021-04-09 01:57:00 +00:00 committed by Git OBS Bridge
parent 35f68f8c1a
commit 4b2c4475a9
3 changed files with 252 additions and 8 deletions


@ -0,0 +1,227 @@
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
diff -u openssh-8.4p1/dh.c openssh-8.4p1-vendor/dh.c
--- openssh-8.4p1/dh.c 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/dh.c 2021-01-29 11:49:40.968418136 +0100
@@ -151,10 +151,18 @@
size_t linesize = 0;
int best, bestcount, which, linenum;
struct dhgroup dhg;
+ char *dh_moduli_path;
+ struct stat st;
- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
+ stat(_PATH_DH_MODULI, &st) == -1) {
+ dh_moduli_path = _PATH_VENDOR_DH_MODULI;
+ } else {
+ dh_moduli_path = _PATH_DH_MODULI;
+ }
+ if ((f = fopen(dh_moduli_path, "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus",
- _PATH_DH_MODULI, strerror(errno));
+ dh_moduli_path, strerror(errno));
return (dh_new_group_fallback(max));
}
@@ -185,7 +193,7 @@
if (bestcount == 0) {
fclose(f);
- logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI);
+ logit("WARNING: no suitable primes in %s", dh_moduli_path);
return (dh_new_group_fallback(max));
}
which = arc4random_uniform(bestcount);
@@ -210,7 +218,7 @@
fclose(f);
if (bestcount != which + 1) {
logit("WARNING: selected prime disappeared in %s, giving up",
- _PATH_DH_MODULI);
+ dh_moduli_path);
return (dh_new_group_fallback(max));
}
Gemeinsame Unterverzeichnisse: openssh-8.4p1/.github und openssh-8.4p1-vendor/.github.
Gemeinsame Unterverzeichnisse: openssh-8.4p1/m4 und openssh-8.4p1-vendor/m4.
Gemeinsame Unterverzeichnisse: openssh-8.4p1/openbsd-compat und openssh-8.4p1-vendor/openbsd-compat.
diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h
--- openssh-8.4p1/pathnames.h 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/pathnames.h 2021-01-29 11:35:41.655599046 +0100
@@ -18,6 +18,8 @@
#define SSHDIR ETCDIR "/ssh"
#endif
+#define VENDORDIR "/usr/share/ssh"
+
#ifndef _PATH_SSH_PIDDIR
#define _PATH_SSH_PIDDIR "/var/run"
#endif
@@ -35,13 +37,17 @@
* should be world-readable.
*/
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
+
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
Gemeinsame Unterverzeichnisse: openssh-8.4p1/regress und openssh-8.4p1-vendor/regress.
diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c
--- openssh-8.4p1/ssh.c 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/ssh.c 2021-01-27 18:22:52.322271681 +0100
@@ -593,6 +593,7 @@
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
int *want_final_pass)
{
+ struct stat st;
char buf[PATH_MAX];
int r;
@@ -611,10 +612,23 @@
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
- /* Read systemwide configuration file after user config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
+ /* Read vendor distributed configuration file. */
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
+ pw, host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ } else {
+ /* Read systemwide configuration file after user config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
+ host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ }
}
}
Nur in openssh-8.4p1-vendor: #ssh_config.5#.
diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5
--- openssh-8.4p1/ssh_config.5 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/ssh_config.5 2021-02-24 12:02:53.935729753 +0100
@@ -54,6 +54,9 @@
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
+.It
+vendor configuration file
+.Pq Pa /usr/share/ssh/ssh_config
.El
.Pp
For each parameter, the first obtained value
@@ -1942,6 +1945,11 @@
values that are not specified in the user's configuration file, and
for those users who do not have a configuration file.
This file must be world-readable.
+.It Pa /usr/share/ssh/ssh_config
+Vendor specific configuraiton file.
+This file provides the vendor defaults and is used as fallback if the
+.Ic /etc/ssh/ssh_config
+configuration file does not exist.
.El
.Sh SEE ALSO
.Xr ssh 1
Nur in openssh-8.4p1-vendor: ssh_config.5~.
diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c
--- openssh-8.4p1/sshd.c 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/sshd.c 2021-01-27 18:25:38.370273280 +0100
@@ -136,7 +136,7 @@
ServerOptions options;
/* Name of the server configuration file. */
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+char *config_file_name = NULL;
/*
* Debug mode flag. This can be set on the command line. If debug
@@ -1526,6 +1526,7 @@
int
main(int ac, char **av)
{
+ struct stat st;
struct ssh *ssh = NULL;
extern char *optarg;
extern int optind;
@@ -1737,7 +1738,21 @@
*/
(void)atomicio(vwrite, startup_pipe, "\0", 1);
}
+ } else if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
+ /* fill with global distributor settings */
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
+ } else {
+ /* load global admin settings */
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
+ }
+ load_server_config(config_file_name, cfg);
} else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */
load_server_config(config_file_name, cfg);
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5
--- openssh-8.4p1/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/sshd_config.5 2021-02-24 14:14:27.912038335 +0100
@@ -44,7 +44,9 @@
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
-(or the file specified with
+(
+.Pa /usr/share/ssh/sshd_config
+if the file does not exist or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Nur in openssh-8.4p1-vendor: sshd_config.5~.
diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c
--- openssh-8.4p1/ssh-keysign.c 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1-vendor/ssh-keysign.c 2021-02-24 11:34:17.684570215 +0100
@@ -172,6 +172,7 @@
u_char *signature, *data, rver;
char *host, *fp;
size_t slen, dlen;
+ struct stat st;
if (pledge("stdio rpath getpw dns id", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
@@ -205,8 +206,12 @@
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
- &options, 0, NULL);
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+ else
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw,
+ "", "", &options, 0, NULL);
fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",
Nur in openssh-8.4p1-vendor: ssh-keysign.c~.
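Review bot: In the sshd.c hunk the fallback to `_PATH_SERVER_VENDOR_CONFIG_FILE` triggers on any stat() failure of `_PATH_SERVER_CONFIG_FILE`, not only on its absence, so an I/O error, a dangling symlink or a bad path component would silently start sshd on the vendor defaults instead of the administrator's configuration; narrowing the test to `stat(_PATH_SERVER_CONFIG_FILE, &st) == -1 && errno == ENOENT` keeps every other failure on the admin path, where load_server_config() reports it. The same condition is repeated in the dh.c and ssh.c hunks and should be tightened there too, while ssh-keysign.c uses the opposite test (admin file whenever stat succeeds), which deserves a one-line comment such as `/* setuid helper: admin config wins whenever it is present; vendor file only as fallback */` so the differing precedence reads as intentional. dh.c gains a stat() call without an added `#include <sys/stat.h>`; if that header only arrives transitively through includes.h, make it explicit. The ssh_config.5 hunk misspells "configuraiton", and the sshd_config.5 wording "( /usr/share/ssh/sshd_config if the file does not exist or the file specified with -f" no longer reads as one sentence. main() in sshd.c, process_config_files() in ssh.c and the dh.c function all begin and end outside their hunks.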


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Add support for vendor provided configuration files in
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
- Move configuration files from /etc/ssh/ to /usr/share/ssh/
-------------------------------------------------------------------
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>


@ -15,7 +15,6 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
@ -112,6 +111,7 @@ Patch43: openssh-reenable-dh-group14-sha1-default.patch
Patch44: openssh-fix-ssh-copy-id.patch
Patch45: openssh-8.4p1-ssh_config_d.patch
Patch46: openssh-whitelist-syscalls.patch
Patch47: openssh-8.4p1-vendordir.patch
BuildRequires: audit-devel
BuildRequires: automake
BuildRequires: groff
@ -298,7 +298,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--target=%{_target_cpu}-suse-linux
%make_build
%sysusers_generate_pre %{SOURCE14} sshd
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
%install
%make_install
@ -323,6 +323,12 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
# Move /etc to /usr/share/ssh
mkdir -p %{buildroot}%{_datadir}/ssh
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_datadir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_datadir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_datadir}/ssh/
%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
@ -394,7 +400,7 @@ fi
%post server
%{fillup_only -n ssh}
%service_add_post sshd.service
%set_permissions %{_sysconfdir}/ssh/sshd_config
#%set_permissions %{_sysconfdir}/ssh/sshd_config
# Work around %%service_add_post disabling the service on upgrades where
# the package name changed.
@ -428,8 +434,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%verifyscript server
%verify_permissions -e %{_sysconfdir}/ssh/sshd_config
#%verifyscript server
#%verify_permissions -e %{_sysconfdir}/ssh/sshd_config
%files
# openssh is an empty package that depends on -clients and -server,
@ -440,7 +446,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_datadir}/ssh
%attr(0600,root,root) %{_datadir}/ssh/moduli
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen*
@ -451,7 +458,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0755,root,root) %dir %{_datadir}/ssh
%attr(0640,root,root) %{_datadir}/ssh/sshd_config
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/pam.d/sshd
%else
@ -473,8 +481,10 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
%endif
%files clients
#%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0755,root,root) %dir %{_datadir}/ssh
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0644,root,root) %{_datadir}/ssh/ssh_config
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp*
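Review bot: Removing the `%config(noreplace) %{_sysconfdir}/ssh/sshd_config` and `%{_sysconfdir}/ssh/ssh_config` entries from the file lists leaves an administrator-edited copy on upgraded systems to rpm's orphaned-config handling — as far as I recall rpm renames a modified file to `.rpmsave` — after which sshd silently comes up on the vendor defaults through the patch's fallback, and any local hardening in the old file is no longer applied; a scriptlet that keeps a modified /etc/ssh/sshd_config in place, or at minimum a line in the changes entry telling administrators to check for `.rpmsave` files, would avoid that surprise. The `%set_permissions`/`%verify_permissions` lines and the old `%verify(not mode)` ssh_config entry are commented out rather than deleted; remove them, since commented-out spec lines read as pending work. The new `Patch47:` declaration also needs a matching `%patch47 -p1` (or `%autopatch`) in `%prep`, which is outside this section and not visible here.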