Accepting request 866259 from home:hpjansson:branches:network

- Add openssh-fix-ssh-copy-id.patch, which fixes breakage introduced in 8.4p1 (bsc#1181311). - sysusers-sshd.conf: use sysusers.d configuration file to create sshd user (avoid hard dependency on shadow). OBS-URL: https://build.opensuse.org/request/show/866259 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=225
2021-01-24 18:19:54 +00:00 · 2021-01-24 18:19:54 +00:00 · b459802ca3
commit b459802ca3
parent f66af91814
4 changed files with 56 additions and 4 deletions
--- a/openssh-fix-ssh-copy-id.patch
+++ b/openssh-fix-ssh-copy-id.patch
@ -0,0 +1,30 @@
+From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+   #    the cat adds the keys we're getting via STDIN
+   #    and if available restorecon is used to restore the SELinux context
+-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ 	  restorecon -F .ssh ${AUTH_KEY_FILE};
+ 	fi
+ EOF
+  )
+ 
+   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Jan 23 18:28:19 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
+
+- Add openssh-fix-ssh-copy-id.patch, which fixes breakage
+  introduced in 8.4p1 (bsc#1181311).
+
 -------------------------------------------------------------------
 Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson <hpj@suse.com>

@ -18,6 +24,12 @@ Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
 - Make sure sshd is enabled correctly when upgrading from a
  pre-systemd distribution (bsc#1180083).

+-------------------------------------------------------------------
+Mon Jan 18 11:04:41 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- sysusers-sshd.conf: use sysusers.d configuration file to create
+  sshd user (avoid hard dependency on shadow).
+
 -------------------------------------------------------------------
 Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller <dmueller@suse.com>

--- a/openssh.spec
+++ b/openssh.spec
@ -58,6 +58,7 @@ Source10:       sshd.service
 Source11:       README.FIPS
 Source12:       cavs_driver-ssh.pl
 Source13:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
+Source14:       sysusers-sshd.conf
 Patch0:         openssh-7.7p1-allow_root_password_login.patch
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
@ -108,6 +109,7 @@ Patch40:        openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41:        openssh-fips-ensure-approved-moduli.patch
 Patch42:        openssh-link-with-sk.patch
 Patch43:        openssh-reenable-dh-group14-sha1-default.patch
+Patch44:        openssh-fix-ssh-copy-id.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@ -120,6 +122,8 @@ BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(libfido2)
 BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 Requires:       %{name}-clients = %{version}-%{release}
 Requires:       %{name}-server = %{version}-%{release}
 %if %{with tirpc}
@ -171,10 +175,10 @@ Requires:       %{name}-common = %{version}-%{release}
 Recommends:     audit
 Requires(pre):  findutils
 Requires(pre):  grep
-Requires(pre):  shadow
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:       openssh:%{_sbindir}/sshd
+%sysusers_requires

 %description server
 SSH (Secure Shell) is a program for logging into and executing commands
@ -292,6 +296,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
    --target=%{_target_cpu}-suse-linux

 %make_build
+%sysusers_generate_pre %{SOURCE14} sshd

 %install
 %make_install
@ -327,6 +332,10 @@ rm -f %{buildroot}%{_datadir}/Ssh.bin
 # sshd keys generator wrapper
 install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start

+# Install sysusers.d config for sshd user
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
+
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
@ -360,9 +369,7 @@ else
    then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi

-%pre server
-getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
-getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
+%pre server -f sshd.pre
 %if %{defined _distconfdir}
 # move outdated pam.d/*.rpmsave file away
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
@ -446,6 +453,7 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
+%attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*
--- a/sysusers-sshd.conf
+++ b/sysusers-sshd.conf
@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u sshd - "SSH daemon" /var/lib/sshd