From 4b2c4475a908e20e1fef29909123d7b060011b2cc25b4481299d90c8b0608712 Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson Date: Fri, 9 Apr 2021 01:57:00 +0000 Subject: [PATCH 1/3] Accepting request 874856 from home:kukuk:etc - Add support for vendor provided configuration files in /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) - Move configuration files from /etc/ssh/ to /usr/share/ssh/ OBS-URL: https://build.opensuse.org/request/show/874856 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=228 --- openssh-8.4p1-vendordir.patch | 227 ++++++++++++++++++++++++++++++++++ openssh.changes | 7 ++ openssh.spec | 26 ++-- 3 files changed, 252 insertions(+), 8 deletions(-) create mode 100644 openssh-8.4p1-vendordir.patch diff --git a/openssh-8.4p1-vendordir.patch b/openssh-8.4p1-vendordir.patch new file mode 100644 index 0000000..4cd9346 --- /dev/null +++ b/openssh-8.4p1-vendordir.patch 
@@ -0,0 +1,227 @@ +Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. +diff -u openssh-8.4p1/dh.c openssh-8.4p1-vendor/dh.c +--- openssh-8.4p1/dh.c 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/dh.c 2021-01-29 11:49:40.968418136 +0100 +@@ -151,10 +151,18 @@ + size_t linesize = 0; + int best, bestcount, which, linenum; + struct dhgroup dhg; ++ char *dh_moduli_path; ++ struct stat st; + +- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { ++ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 && ++ stat(_PATH_DH_MODULI, &st) == -1) { ++ dh_moduli_path = _PATH_VENDOR_DH_MODULI; ++ } else { ++ dh_moduli_path = _PATH_DH_MODULI; ++ } ++ if ((f = fopen(dh_moduli_path, "r")) == NULL) { + logit("WARNING: could not open %s (%s), using fixed modulus", +- _PATH_DH_MODULI, strerror(errno)); ++ dh_moduli_path, strerror(errno)); + return (dh_new_group_fallback(max)); + } + +@@ -185,7 +193,7 @@ + + if (bestcount == 0) { + fclose(f); +- logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI); ++ logit("WARNING: no suitable primes in %s", dh_moduli_path); + return (dh_new_group_fallback(max)); + } + which = arc4random_uniform(bestcount); +@@ -210,7 +218,7 @@ + fclose(f); + if (bestcount != which + 1) { + logit("WARNING: selected prime disappeared in %s, giving up", +- _PATH_DH_MODULI); ++ dh_moduli_path); + return (dh_new_group_fallback(max)); + } + +Gemeinsame Unterverzeichnisse: openssh-8.4p1/.github und openssh-8.4p1-vendor/.github. +Gemeinsame Unterverzeichnisse: openssh-8.4p1/m4 und openssh-8.4p1-vendor/m4. +Gemeinsame Unterverzeichnisse: openssh-8.4p1/openbsd-compat und openssh-8.4p1-vendor/openbsd-compat. 
+diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h +--- openssh-8.4p1/pathnames.h 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/pathnames.h 2021-01-29 11:35:41.655599046 +0100 +@@ -18,6 +18,8 @@ + #define SSHDIR ETCDIR "/ssh" + #endif + ++#define VENDORDIR "/usr/share/ssh" ++ + #ifndef _PATH_SSH_PIDDIR + #define _PATH_SSH_PIDDIR "/var/run" + #endif +@@ -35,13 +37,17 @@ + * should be world-readable. + */ + #define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config" ++#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config" + #define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config" ++#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config" + #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" + #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" + #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" + #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" + #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" + #define _PATH_DH_MODULI SSHDIR "/moduli" ++#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli" ++ + + #ifndef _PATH_SSH_PROGRAM + #define _PATH_SSH_PROGRAM "/usr/bin/ssh" +Gemeinsame Unterverzeichnisse: openssh-8.4p1/regress und openssh-8.4p1-vendor/regress. +diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c +--- openssh-8.4p1/ssh.c 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/ssh.c 2021-01-27 18:22:52.322271681 +0100 +@@ -593,6 +593,7 @@ + process_config_files(const char *host_name, struct passwd *pw, int final_pass, + int *want_final_pass) + { ++ struct stat st; + char buf[PATH_MAX]; + int r; + +@@ -611,10 +612,23 @@ + &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF | + (final_pass ? SSHCONF_FINAL : 0), want_final_pass); + +- /* Read systemwide configuration file after user config. */ +- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, +- host, host_name, &options, +- final_pass ? 
SSHCONF_FINAL : 0, want_final_pass); ++ /* If only the vendor configuration file exists, use that. ++ * Else use the standard configuration file. ++ */ ++ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 && ++ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) { ++ /* Read vendor distributed configuration file. */ ++ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, ++ pw, host, host_name, &options, ++ final_pass ? SSHCONF_FINAL : 0, ++ want_final_pass); ++ } else { ++ /* Read systemwide configuration file after user config. */ ++ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, ++ host, host_name, &options, ++ final_pass ? SSHCONF_FINAL : 0, ++ want_final_pass); ++ } + } + } + +Nur in openssh-8.4p1-vendor: #ssh_config.5#. +diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 +--- openssh-8.4p1/ssh_config.5 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/ssh_config.5 2021-02-24 12:02:53.935729753 +0100 +@@ -54,6 +54,9 @@ + .It + system-wide configuration file + .Pq Pa /etc/ssh/ssh_config ++.It ++vendor configuration file ++.Pq Pa /usr/share/ssh/ssh_config + .El + .Pp + For each parameter, the first obtained value +@@ -1942,6 +1945,11 @@ + values that are not specified in the user's configuration file, and + for those users who do not have a configuration file. + This file must be world-readable. ++.It Pa /usr/share/ssh/ssh_config ++Vendor specific configuraiton file. ++This file provides the vendor defaults and is used as fallback if the ++.Ic /etc/ssh/ssh_config ++configuration file does not exist. + .El + .Sh SEE ALSO + .Xr ssh 1 +Nur in openssh-8.4p1-vendor: ssh_config.5~. +diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c +--- openssh-8.4p1/sshd.c 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/sshd.c 2021-01-27 18:25:38.370273280 +0100 +@@ -136,7 +136,7 @@ + ServerOptions options; + + /* Name of the server configuration file. 
*/ +-char *config_file_name = _PATH_SERVER_CONFIG_FILE; ++char *config_file_name = NULL; + + /* + * Debug mode flag. This can be set on the command line. If debug +@@ -1526,6 +1526,7 @@ + int + main(int ac, char **av) + { ++ struct stat st; + struct ssh *ssh = NULL; + extern char *optarg; + extern int optind; +@@ -1737,7 +1738,21 @@ + */ + (void)atomicio(vwrite, startup_pipe, "\0", 1); + } ++ } else if (config_file_name == NULL) { ++ /* If only the vendor configuration file exists, use that. ++ * Else use the standard configuration file. ++ */ ++ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 && ++ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) { ++ /* fill with global distributor settings */ ++ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE; ++ } else { ++ /* load global admin settings */ ++ config_file_name = _PATH_SERVER_CONFIG_FILE; ++ } ++ load_server_config(config_file_name, cfg); + } else if (strcasecmp(config_file_name, "none") != 0) ++ /* load config specified on commandline */ + load_server_config(config_file_name, cfg); + + parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, +diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5 +--- openssh-8.4p1/sshd_config.5 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/sshd_config.5 2021-02-24 14:14:27.912038335 +0100 +@@ -44,7 +44,9 @@ + .Xr sshd 8 + reads configuration data from + .Pa /etc/ssh/sshd_config +-(or the file specified with ++( ++.Pa /usr/share/ssh/sshd_config ++if the file does not exist or the file specified with + .Fl f + on the command line). + The file contains keyword-argument pairs, one per line. +Nur in openssh-8.4p1-vendor: sshd_config.5~. 
+diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c +--- openssh-8.4p1/ssh-keysign.c 2020-09-27 09:25:01.000000000 +0200 ++++ openssh-8.4p1-vendor/ssh-keysign.c 2021-02-24 11:34:17.684570215 +0100 +@@ -172,6 +172,7 @@ + u_char *signature, *data, rver; + char *host, *fp; + size_t slen, dlen; ++ struct stat st; + + if (pledge("stdio rpath getpw dns id", NULL) != 0) + fatal("%s: pledge: %s", __progname, strerror(errno)); +@@ -205,8 +206,12 @@ + + /* verify that ssh-keysign is enabled by the admin */ + initialize_options(&options); +- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", +- &options, 0, NULL); ++ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0) ++ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", ++ &options, 0, NULL); ++ else ++ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, ++ "", "", &options, 0, NULL); + fill_default_options(&options); + if (options.enable_ssh_keysign != 1) + fatal("ssh-keysign not enabled in %s", +Nur in openssh-8.4p1-vendor: ssh-keysign.c~. diff --git a/openssh.changes b/openssh.changes index 5bf8be8..945ac83 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk + +- Add support for vendor provided configuration files in + /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) +- Move configuration files from /etc/ssh/ to /usr/share/ssh/ + ------------------------------------------------------------------- Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 7f55f4f..306e5bf 100644 --- a/openssh.spec +++ b/openssh.spec @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # - %define sandbox_seccomp 0 %ifnarch ppc %define sandbox_seccomp 1 
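Review bot: The vendor fallback added in dh.c, ssh.c and sshd.c treats every stat() failure on the /etc/ssh file as "file does not exist", so a transient EACCES, ELOOP or ENAMETOOLONG on /etc/ssh/sshd_config makes sshd silently start from the distributor defaults instead of the administrator's file; the switch should be limited to the missing-file case, e.g. `stat(_PATH_SERVER_CONFIG_FILE, &st) == -1 && errno == ENOENT`, at all four sites (ssh-keysign.c has the mirror-image `stat(...) == 0` test and should likewise fall back only on ENOENT). With four hand-written copies of the check a small helper returning the chosen path would keep them from drifting, and ssh-keysign.c's `fatal("ssh-keysign not enabled in %s", …)` continues outside the hunk and presumably still names `_PATH_HOST_CONFIG_FILE` even when the vendor file was the one read. In sshd.c `config_file_name` is now initialised to NULL and only assigned in the no-`-f`, non-rexec branch, so on the rexec path (whose start is outside the hunk) it stays NULL for the rest of main(); the visible `parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, …)` is guarded, but every other use of the variable in sshd.c needs the same guard, or the old `_PATH_SERVER_CONFIG_FILE` initialiser should be kept and "was -f given" tracked in a separate flag. The new man-page text spells "configuraiton" in ssh_config.5 and the sshd_config.5 parenthetical reads awkwardly ("( /usr/share/ssh/sshd_config if the file does not exist or the file specified with -f …"); "(or /usr/share/ssh/sshd_config if that file does not exist, or the file specified with -f on the command line)" would be clearer.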
@@ -112,6 +111,7 @@ Patch43: openssh-reenable-dh-group14-sha1-default.patch Patch44: openssh-fix-ssh-copy-id.patch Patch45: openssh-8.4p1-ssh_config_d.patch Patch46: openssh-whitelist-syscalls.patch +Patch47: openssh-8.4p1-vendordir.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -298,7 +298,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS --target=%{_target_cpu}-suse-linux %make_build -%sysusers_generate_pre %{SOURCE14} sshd +%sysusers_generate_pre %{SOURCE14} sshd sshd.conf %install %make_install @@ -323,6 +323,12 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +# Move /etc to /usr/share/ssh +mkdir -p %{buildroot}%{_datadir}/ssh +mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_datadir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_datadir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_datadir}/ssh/ + %if 0%{?suse_version} < 1550 # install firewall definitions mkdir -p %{buildroot}%{_fwdefdir} @@ -394,7 +400,7 @@ fi %post server %{fillup_only -n ssh} %service_add_post sshd.service -%set_permissions %{_sysconfdir}/ssh/sshd_config +#%set_permissions %{_sysconfdir}/ssh/sshd_config # Work around %%service_add_post disabling the service on upgrades where # the package name changed. @@ -428,8 +434,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd -%verifyscript server -%verify_permissions -e %{_sysconfdir}/ssh/sshd_config +#%verifyscript server +#%verify_permissions -e %{_sysconfdir}/ssh/sshd_config %files # openssh is an empty package that depends on -clients and -server, 
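Review bot: Commenting the scriptlet lines out with a single `#%` does not stop rpm from expanding the macro, since rpm expands macros on comment lines too (which is why this file already writes `%%service_add_post` in its comments), so `+#%set_permissions %{_sysconfdir}/ssh/sshd_config` in `%post server` and `+#%verify_permissions -e …` in the `@@ -428,8 +434,8 @@` hunk still expand, and if the expansion spans more than one line the remainder runs uncommented. Either delete the two lines or escape them as `#%%set_permissions …` and `#%%verify_permissions …`. The `%sysusers_generate_pre %{SOURCE14} sshd sshd.conf` change in the `@@ -298,7 +298,7 @@` hunk is unrelated to the vendor-directory work and is not mentioned in the changelog entry; it deserves its own line there.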
@@ -440,7 +446,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_datadir}/ssh +%attr(0600,root,root) %{_datadir}/ssh/moduli %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man5/moduli.5* %attr(0755,root,root) %{_bindir}/ssh-keygen* @@ -451,7 +458,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d -%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0755,root,root) %dir %{_datadir}/ssh +%attr(0640,root,root) %{_datadir}/ssh/sshd_config %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/pam.d/sshd %else @@ -473,8 +481,10 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %endif %files clients +#%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0755,root,root) %dir %{_datadir}/ssh %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d -%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0644,root,root) %{_datadir}/ssh/ssh_config %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* %attr(0755,root,root) %{_bindir}/sftp* From d13558019e13ef990840f39c5d756cdf7c1be6449ae9debb8fa6197898c4df58 Mon Sep 17 00:00:00 2001 
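Review bot: Dropping `%config(noreplace)` together with the path change means rpm will normally, on upgrade, delete an unmodified /etc/ssh/sshd_config and rename a locally edited one to /etc/ssh/sshd_config.rpmsave (the `@@ -440` and `@@ -473` hunks do the same to moduli and ssh_config); after that the new existence check in sshd finds only /usr/share/ssh/sshd_config and starts with the distributor defaults, so an administrator's AllowUsers, PermitRootLogin or Match restrictions silently stop applying at the next restart. The package should either keep owning /etc/ssh/sshd_config as a `%config(noreplace)` file so the vendor copy is a true fallback, or add a `%post server` step that restores /etc/ssh/sshd_config from the .rpmsave, plus a README.SUSE note on the migration. /etc/ssh/sshd_config.d stays owned, so drop-in snippets are unaffected.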
From: Dirk Mueller Date: Sat, 17 Apr 2021 14:22:02 +0000 Subject: [PATCH 2/3] Accepting request 873406 from home:jsegitz:branches:network - Drop openssh-7.7p1-allow_root_password_login.patch to prevent login as root via password by default (is also upstream default). Comment indicates that this was a temporary meassure that we now had for five years, time to get rid of it (bsc#1173067) OBS-URL: https://build.opensuse.org/request/show/873406 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229 --- README.SUSE | 6 -- openssh-7.7p1-allow_root_password_login.patch | 59 ------------------- openssh.changes | 8 +++ openssh.spec | 1 - 4 files changed, 8 insertions(+), 66 deletions(-) delete mode 100644 openssh-7.7p1-allow_root_password_login.patch diff --git a/README.SUSE b/README.SUSE index cd33733..cb1f82b 100644 --- a/README.SUSE +++ b/README.SUSE @@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server: * PAM authentication is enabled and mostly even required, do not turn it off. -* root authentiation with password is enabled by default (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot diff --git a/openssh-7.7p1-allow_root_password_login.patch b/openssh-7.7p1-allow_root_password_login.patch deleted file mode 100644 index 815b8a5..0000000 --- a/openssh-7.7p1-allow_root_password_login.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -# HG changeset patch -# Parent af43d436bc7fe818dd976c923ad99b89051eb299 -Allow root login with password by default. While less secure than upstream -default of forbidding access to the root account with a password, we are -temporarily introducing this change to keep the default used in older OpenSSH -versions shipped with SLE. - -Index: openssh-8.4p1/servconf.c -=================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c -@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption - if (options->login_grace_time == -1) - options->login_grace_time = 120; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_NO_PASSWD; -+ options->permit_root_login = PERMIT_YES; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) -Index: openssh-8.4p1/sshd_config -=================================================================== ---- openssh-8.4p1.orig/sshd_config -+++ openssh-8.4p1/sshd_config -@@ -29,7 +29,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin prohibit-password -+PermitRootLogin yes - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -Index: openssh-8.4p1/sshd_config.0 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -778,7 +778,7 @@ DESCRIPTION - PermitRootLogin - Specifies whether root can log in using ssh(1). The argument - must be yes, prohibit-password, forced-commands-only, or no. The -- default is prohibit-password. -+ default is yes. 
- - If this option is set to prohibit-password (or its deprecated - alias, without-password), password and keyboard-interactive -Index: openssh-8.4p1/sshd_config.5 -=================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1331,7 +1331,7 @@ The argument must be - or - .Cm no . - The default is --.Cm prohibit-password . -+.Cm yes . - .Pp - If this option is set to - .Cm prohibit-password diff --git a/openssh.changes b/openssh.changes index 945ac83..1a38a66 100644 --- a/openssh.changes +++ b/openssh.changes @@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) - Move configuration files from /etc/ssh/ to /usr/share/ssh/ +------------------------------------------------------------------- +Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz + +- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login + as root via password by default (is also upstream default). Comment + indicates that this was a temporary meassure that we now had for + five years, time to get rid of it (bsc#1173067) + ------------------------------------------------------------------- Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 306e5bf..0846fd6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -58,7 +58,6 @@ Source11: README.FIPS Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf -Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch From b0cebdb7b8abc606850680ab627e09d51bf2ef034021a328d3522a40ff12bf26 Mon Sep 17 00:00:00 2001 
From: Hans Petter Jansson Date: Tue, 27 Apr 2021 13:00:08 +0000 Subject: [PATCH 3/3] Accepting request 887559 from home:hpjansson:openssh-tw - Change vendor configuration dir from /usr/share/ssh/ to /usr/etc/ssh/. - Remove upgrade enablement hack. This has been fixed in systemd-rpm-macros (bsc#1180083). OBS-URL: https://build.opensuse.org/request/show/887559 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=230 --- openssh-8.4p1-vendordir.patch | 8 ++--- openssh.changes | 8 +++++ openssh.spec | 62 ++++++----------------------------- 3 files changed, 22 insertions(+), 56 deletions(-) diff --git a/openssh-8.4p1-vendordir.patch b/openssh-8.4p1-vendordir.patch index 4cd9346..9566a96 100644 --- a/openssh-8.4p1-vendordir.patch +++ b/openssh-8.4p1-vendordir.patch @@ -51,7 +51,7 @@ diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h #define SSHDIR ETCDIR "/ssh" #endif -+#define VENDORDIR "/usr/share/ssh" ++#define VENDORDIR "/usr/etc/ssh" + #ifndef _PATH_SSH_PIDDIR #define _PATH_SSH_PIDDIR "/var/run" @@ -124,7 +124,7 @@ diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 .Pq Pa /etc/ssh/ssh_config +.It +vendor configuration file -+.Pq Pa /usr/share/ssh/ssh_config ++.Pq Pa /usr/etc/ssh/ssh_config .El .Pp For each parameter, the first obtained value @@ -132,7 +132,7 @@ diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. -+.It Pa /usr/share/ssh/ssh_config ++.It Pa /usr/etc/ssh/ssh_config +Vendor specific configuraiton file. +This file provides the vendor defaults and is used as fallback if the +.Ic /etc/ssh/ssh_config 
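Review bot: `#define VENDORDIR "/usr/etc/ssh"` hard-codes the vendor directory while the SSHDIR define next to it is derived from the configure-time ETCDIR, and the spec now installs the files under `%{_distconfdir}`, a macro this spec still treats as optional (`%if %{defined _distconfdir}`); if the two ever disagree, sshd looks for its fallback in a directory that is not packaged. Wrapping the define as `#ifndef VENDORDIR` / `#define VENDORDIR "/usr/etc/ssh"` / `#endif` lets the spec pass `-DVENDORDIR='"%{_distconfdir}/ssh"'` in CPPFLAGS so the compiled-in path and the packaged path come from one place. The man-page hunks (`@@ -124`, `@@ -132`, `@@ -192`) still carry the "configuraiton" typo from the first version of the patch.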
@@ -192,7 +192,7 @@ diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5 .Pa /etc/ssh/sshd_config -(or the file specified with +( -+.Pa /usr/share/ssh/sshd_config ++.Pa /usr/etc/ssh/sshd_config +if the file does not exist or the file specified with .Fl f on the command line). diff --git a/openssh.changes b/openssh.changes index 1a38a66..e970f28 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Apr 22 12:02:55 UTC 2021 - Hans Petter Jansson + +- Change vendor configuration dir from /usr/share/ssh/ to + /usr/etc/ssh/. +- Remove upgrade enablement hack. This has been fixed in + systemd-rpm-macros (bsc#1180083). + ------------------------------------------------------------------- Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk diff --git a/openssh.spec b/openssh.spec index 0846fd6..4fce50c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -29,8 +29,6 @@ %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" -%define _tmpenableddir %{_localstatedir}/lib/sshd -%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} 
@@ -322,11 +320,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config -# Move /etc to /usr/share/ssh -mkdir -p %{buildroot}%{_datadir}/ssh -mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_datadir}/ssh/ -mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_datadir}/ssh/ -mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_datadir}/ssh/ +# Move /etc to /usr/etc/ssh +mkdir -p %{buildroot}%{_distconfdir}/ssh +mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ %if 0%{?suse_version} < 1550 # install firewall definitions 
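Review bot: `mkdir -p %{buildroot}%{_distconfdir}/ssh` and the three `mv` lines use `%{_distconfdir}` unconditionally, but the spec treats the macro as optional elsewhere (`%if %{defined _distconfdir}` around the pam.d entry, visible in the `@@ -457,8 +417,8 @@` hunk); where it is undefined rpm leaves the literal text `%{_distconfdir}` in the path, so the files land in a directory that does not match the compiled-in /usr/etc/ssh. The same applies to the `%files` entries in the `@@ -445`, `@@ -457` and `@@ -480` hunks. Either add a compat definition next to the existing `_fillupdir` one, `%{!?_distconfdir:%global _distconfdir %{_prefix}/etc}`, or wrap the new lines in the same `%if`.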
@@ -363,52 +361,17 @@ done }} -%pre -# Remember whether the sshd service was enabled prior to an upgrade. This -# is needed when upgrading to a split-off openssh-server package. The -# %%service_add_post scriptlet (in %%post server) will see it as a new service -# and apply the preset, disabling it. We need to reenable it afterwards if -# necessary. -mkdir -p %{_tmpenableddir} || : -if [ -x %{_bindir}/systemctl ]; then - %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : -else - if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \ - -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1 - then echo "enabled" > %{_tmpenabledfile} || :; fi -fi - %pre server -f sshd.pre %if %{defined _distconfdir} # move outdated pam.d/*.rpmsave file away test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||: %endif -# See %%pre. -mkdir -p %{_tmpenableddir} || : -if [ -x %{_bindir}/systemctl ]; then - %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : -else - if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \ - -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1 - then echo "enabled" > %{_tmpenabledfile} || :; fi -fi - %service_add_pre sshd.service %post server %{fillup_only -n ssh} %service_add_post sshd.service -#%set_permissions %{_sysconfdir}/ssh/sshd_config - -# Work around %%service_add_post disabling the service on upgrades where -# the package name changed. -if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \ - && [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then - systemctl enable sshd || : -fi - -rm -f %{_tmpenabledfile} %preun server %service_del_preun sshd.service 
@@ -433,9 +396,6 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd -#%verifyscript server -#%verify_permissions -e %{_sysconfdir}/ssh/sshd_config - %files # openssh is an empty package that depends on -clients and -server, # resulting in a clean upgrade path from prior to the split even when @@ -445,8 +405,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh -%attr(0755,root,root) %dir %{_datadir}/ssh -%attr(0600,root,root) %{_datadir}/ssh/moduli +%attr(0755,root,root) %dir %{_distconfdir}/ssh +%attr(0600,root,root) %{_distconfdir}/ssh/moduli %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man5/moduli.5* %attr(0755,root,root) %{_bindir}/ssh-keygen* @@ -457,8 +417,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d -%attr(0755,root,root) %dir %{_datadir}/ssh -%attr(0640,root,root) %{_datadir}/ssh/sshd_config +%attr(0755,root,root) %dir %{_distconfdir}/ssh +%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/pam.d/sshd %else 
@@ -480,10 +440,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd %endif %files clients -#%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%attr(0755,root,root) %dir %{_datadir}/ssh %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d -%attr(0644,root,root) %{_datadir}/ssh/ssh_config +%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* %attr(0755,root,root) %{_bindir}/sftp*
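Review bot: The clients section drops `%dir %{_datadir}/ssh` without adding `%dir %{_distconfdir}/ssh`, yet it now ships `%{_distconfdir}/ssh/ssh_config` in that directory; the main and server `%files` sections in the preceding hunks do own it, so this only matters if openssh-clients can be installed without one of them — if it can, add `%attr(0755,root,root) %dir %{_distconfdir}/ssh` here as well.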