diff --git a/logind_set_tty.patch b/logind_set_tty.patch new file mode 100644 index 0000000..5d3e37c --- /dev/null +++ b/logind_set_tty.patch 
@@ -0,0 +1,197 @@ +diff --git a/Makefile.in b/Makefile.in +index f0ea07e7b..35dcf45f1 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBFIDO2=@LIBFIDO2@ + LIBWTMPDB=@LIBWTMPDB@ ++LIBSYSTEMD=@LIBSYSTEMD@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) + $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff --git a/configure.ac b/configure.ac +index a12c6f7ad..860df3379 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb], + ) + + ++# Check whether user wants logind/set tty support ++AC_ARG_WITH([logind], ++ [ --with-logind[[=PATH]] Enable logind support for sshd], ++ [ if test "x$withval" != "xno" ; then ++ if test "x$withval" = "xyes" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "x$PKGCONFIG" != "xno"; then ++ AC_MSG_CHECKING([if $PKGCONFIG knows about libsystemd]) ++ if "$PKGCONFIG" libsystemd; then ++ AC_MSG_RESULT([yes]) ++ use_pkgconfig_for_libsystemd=yes ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ else ++ CPPFLAGS="$CPPFLAGS -I${withval}/include" ++ if test -n "${rpath_opt}"; then ++ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ fi ++ if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then ++ LIBSYSTEMD=`$PKGCONFIG --libs libsystemd` ++ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`" ++ else ++ LIBSYSTEMD="-lsystemd" ++ 
fi ++ OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'` ++ AC_CHECK_LIB([systemd], [sd_bus_open_system], ++ [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind]) ++ AC_SUBST([LIBSYSTEMD]) ++ ], ++ [ AC_MSG_ERROR([libsystemd not found]) ], ++ [ $OTHERLIBS ] ++ ) ++ fi ] ++) ++ ++ + AUDIT_MODULE=none + AC_ARG_WITH([audit], + [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], +diff --git a/loginrec.c b/loginrec.c +index 86caf83b2..8b413190b 100644 +--- a/loginrec.c ++++ b/loginrec.c +@@ -191,6 +191,10 @@ + # include + #endif + ++#ifdef USE_LOGIND ++# include ++#endif ++ + /** + ** prototypes for helper functions in this file + **/ +@@ -214,6 +218,9 @@ int syslogin_write_entry(struct logininfo *li); + #ifdef USE_WTMPDB + int wtmpdb_write_entry(struct logininfo *li); + #endif ++#ifdef USE_LOGIND ++int logind_set_tty(struct logininfo *li); ++#endif + + int getlast_entry(struct logininfo *li); + int lastlog_get_entry(struct logininfo *li); +@@ -477,6 +484,9 @@ login_write(struct logininfo *li) + #ifdef USE_WTMPDB + wtmpdb_write_entry(li); + #endif ++#ifdef USE_LOGIND ++ logind_set_tty(li); ++#endif + #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN + if (li->type == LTYPE_LOGIN && + !sys_auth_record_login(li->username,li->hostname,li->line, +@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li) + } + #endif + ++#ifdef USE_LOGIND ++#define DBUS_DESTINATION "org.freedesktop.login1" ++#define DBUS_PATH_ID "/org/freedesktop/login1/session/auto" ++#define DBUS_INTERFACE "org.freedesktop.login1.Session" ++#define DBUS_PATH "/org/freedesktop/login1/session/%s" ++ ++static int ++logind_perform_login(struct logininfo *li) ++{ ++ sd_bus *bus = NULL; ++ sd_bus_error error = SD_BUS_ERROR_NULL; ++ char *session_id = NULL; ++ char *dbus_path; ++ const char *tty; ++ char buf[PATH_MAX]; ++ int r; ++ int fd; ++ ++ if (sd_bus_open_system(&bus) < 0) ++ { ++ logit("logind: canot open dbus"); ++ return (0); ++ } ++ ++ if (sd_bus_get_property_string(bus, DBUS_DESTINATION, ++ 
DBUS_PATH_ID, DBUS_INTERFACE, ++ "Id", &error, &session_id) < 0) ++ { ++ logit("logind: cannot get session ID"); ++ return (0); ++ } ++ ++ if (strncmp(li->line, "/dev/", 5) != 0) ++ snprintf (buf, sizeof(buf), "/dev/%s", li->line); ++ else ++ tty = li->line; ++ ++ fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY); ++ ++ if (asprintf (&dbus_path, DBUS_PATH, session_id) < 0) ++ return (0); ++ ++ if (sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path, ++ DBUS_INTERFACE, "TakeControl", &error, NULL, ++ "b", 1) < 0) { ++ logit("logind: cannot take control"); ++ free(dbus_path); ++ return (0); ++ } ++ ++ if ((r = sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path, ++ DBUS_INTERFACE, "SetTTY", &error, NULL, ++ "h", fd)) < 0) { ++ if (r != -EBADR) /* logind does not support "SetTTY" */ ++ logit("logind: cannot set TTY(%s, %s): %s", session_id, tty, strerror(-r)); ++ free(dbus_path); ++ return (0); ++ } ++ ++ free(dbus_path); ++ ++ if (sd_bus_flush(bus) < 0) ++ return (0); ++ ++ return (1); ++} ++ ++int ++logind_set_tty(struct logininfo *li) ++{ ++ switch(li->type) { ++ case LTYPE_LOGIN: ++ return (logind_perform_login(li)); ++ case LTYPE_LOGOUT: ++ return (1); ++ default: ++ logit("%s: invalid type field", __func__); ++ return (0); ++ } ++} ++#endif ++ + + /** + ** Low-level libutil login() functions diff --git a/openssh-8.4p1-pam_motd.patch b/openssh-8.4p1-pam_motd.patch index 1bb9969..51e703b 100644 --- a/openssh-8.4p1-pam_motd.patch +++ b/openssh-8.4p1-pam_motd.patch 
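Review bot: In `logind_perform_login`, `tty` is left uninitialised whenever `li->line` lacks the `/dev/` prefix: `snprintf` fills `buf` but nothing assigns `tty = buf`, so `open(tty, ...)` and the later `logit` read an indeterminate pointer inside sshd. The result of `open()` is never checked or closed, so a failed open hands -1 to `SetTTY` and a successful one stays open after the call. No return path releases `bus`, `session_id` or `error`, and the `asprintf` failure returns without logging; a single `out:` label would cover all of them. The sketch below assumes `fd` is initialised to -1, `dbus_path` to NULL and a new `int ret = 0` is declared, and that closing the local descriptor after the call is safe because the bus passes a duplicate, which should be confirmed against the sd-bus documentation. The first log message also has a typo, `canot`.

```c
	if (strncmp(li->line, "/dev/", 5) != 0) {
		snprintf(buf, sizeof(buf), "/dev/%s", li->line);
		tty = buf;
	} else
		tty = li->line;

	if ((fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY)) < 0) {
		logit("logind: cannot open %s: %s", tty, strerror(errno));
		goto out;
	}

	if (asprintf(&dbus_path, DBUS_PATH, session_id) < 0) {
		dbus_path = NULL;
		logit("logind: cannot build session path");
		goto out;
	}

	/* … unchanged: TakeControl, SetTTY and sd_bus_flush calls, each `return (0)` replaced by `goto out` … */

	ret = 1;
out:
	if (fd >= 0)
		close(fd);
	free(dbus_path);
	free(session_id);
	sd_bus_error_free(&error);
	sd_bus_unref(bus);
	return (ret);
```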
@@ -1,19 +1,13 @@ -Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/contrib und openssh-8.4p1/contrib. -Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/.github und openssh-8.4p1/.github. -Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/m4 und openssh-8.4p1/m4. -Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/openbsd-compat und openssh-8.4p1/openbsd-compat. -Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/regress und openssh-8.4p1/regress. diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config --- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.000000000 +0200 +++ openssh-8.4p1/sshd_config 2021-05-18 19:15:39.190701511 +0200 -@@ -88,8 +88,8 @@ +@@ -88,8 +88,7 @@ #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -#PrintMotd yes -#PrintLastLog yes +PrintMotd no -+PrintLastLog no #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed diff --git a/openssh.changes b/openssh.changes index 9e04114..35399ad 100644 --- a/openssh.changes +++ b/openssh.changes @@ -39,6 +39,17 @@ Fri Jul 21 02:48:58 UTC 2023 - Simon Lees may circumvent this restriction. +------------------------------------------------------------------- +Wed Jun 21 12:14:54 UTC 2023 - Thorsten Kukuk + +- Disable old lastlog, we use pam_lastlog2 +- openssh-8.4p1-pam_motd.patch: adjust to remove PrintLastLog + +------------------------------------------------------------------- +Thu Jun 15 07:05:38 UTC 2023 - Thorsten Kukuk + +- logind_set_tty.patch: tell systemd-logind our current TTY + ------------------------------------------------------------------- Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa diff --git a/openssh.spec b/openssh.spec index d0bb5b7..1516741 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -115,6 +115,7 @@ Patch48: openssh-8.4p1-pam_motd.patch Patch49: openssh-do-not-send-empty-message.patch Patch50: openssh-openssl-3.patch Patch51: wtmpdb.patch +Patch52: logind_set_tty.patch Patch100: fix-missing-lz.patch BuildRequires: audit-devel BuildRequires: automake @@ -317,6 +318,10 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS --with-libedit \ %if %{with wtmpdb} --with-wtmpdb \ +%endif +%if 0%{?suse_version} >= 1550 + --disable-lastlog \ + --with-logind \ %endif --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux
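Review bot: `--disable-lastlog` is only passed inside `%if 0%{?suse_version} >= 1550`, while the same commit removes `PrintLastLog no` from openssh-8.4p1-pam_motd.patch, and nothing in this hunk shows Patch48 being applied conditionally. If it is applied on every target, builds below 1550 keep sshd's own lastlog code and fall back to the default for `PrintLastLog`, so the last-login line may be printed by sshd again in addition to whatever PAM emits. Either move `--disable-lastlog \` out of the `%if` block or keep the `+PrintLastLog no` line for the older targets. Separately, `--with-logind` makes configure abort with `libsystemd not found` when the library is missing, and these hunks add no matching `BuildRequires` line, so it is worth checking that one already exists outside the visible context.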