From dcc585e9d269c538e53eb465bcfd092e57a32964a2600a644048e249ba9dace3 Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson
Date: Fri, 22 Jan 2021 03:01:20 +0000
Subject: [PATCH 1/3] Accepting request 865536 from home:hpjansson:branches:network
- Make sure sshd is enabled correctly when upgrading from a pre-systemd distribution (bsc#1180083).
OBS-URL: https://build.opensuse.org/request/show/865536
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=223
---
 openssh.changes | 6 ++++++
 openssh.spec | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/openssh.changes b/openssh.changes
index d35b282..d58c5f3 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson
+
+- Make sure sshd is enabled correctly when upgrading from a
+ pre-systemd distribution (bsc#1180083).
+
 -------------------------------------------------------------------
 Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller
diff --git a/openssh.spec b/openssh.spec
index e572352..6f1eca9 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -346,9 +346,12 @@ done
 # %%service_add_post scriptlet (in %%post server) will see it as a new service
 # and apply the preset, disabling it. We need to reenable it afterwards if
 # necessary.
+mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
- mkdir -p %{_tmpenableddir} || :
 %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+else
+ if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
+ == x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 %pre server
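Review bot: The new `else` branch in the %pre hunk at -346 is undocumented: the comment block above it (the three context lines) explains only why the systemd preset has to be worked around, not what the SysV fallback inspects or why only rc3.d and rc5.d are consulted. I would add above `+else` a comment such as `# Without systemd, treat sshd as enabled when an S* link in rc3.d or rc5.d resolves to the sshd init script`, and the same comment in the identical block of the `%pre server` hunk at -361 that follows. The "# See %%pre." line in that second block only points back here, so the explanation has to live in this hunk.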
@@ -361,9 +364,12 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
 # See %%pre.
+mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
- mkdir -p %{_tmpenableddir} || :
 %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+else
+ if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
+ == x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 %service_add_pre sshd.service
From f66af91814d5bdb958121efcf6f21960c66a390860b9d6d6f9f0d1af2826544e Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Fri, 22 Jan 2021 23:06:22 +0000
Subject: [PATCH 2/3] Accepting request 866139 from home:hpjansson:branches:network
- Improve robustness of sshd init detection when upgrading from a pre-systemd distribution.
- Add openssh-reenable-dh-group14-sha1-default.patch, which adds diffie-hellman-group14-sha1 key exchange back to the default list (bsc#1180958). This is needed for backwards compatibility with older platforms.
OBS-URL: https://build.opensuse.org/request/show/866139
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=224
---
 ...ssh-reenable-dh-group14-sha1-default.patch | 41 +++++++++++++++++++
 openssh.changes | 14 +++++++
 openssh.spec | 16 +++++---
 3 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 openssh-reenable-dh-group14-sha1-default.patch
diff --git a/openssh-reenable-dh-group14-sha1-default.patch b/openssh-reenable-dh-group14-sha1-default.patch
new file mode 100644
index 0000000..8a70958
--- /dev/null
+++ b/openssh-reenable-dh-group14-sha1-default.patch
@@ -0,0 +1,41 @@
+diff --git a/myproposal.h b/myproposal.h
+index 5312e60..83fd62d 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -33,7 +33,8 @@
+ "diffie-hellman-group-exchange-sha256," \
+ "diffie-hellman-group16-sha512," \
+ "diffie-hellman-group18-sha512," \
+- "diffie-hellman-group14-sha256"
++ "diffie-hellman-group14-sha256," \
++ "diffie-hellman-group14-sha1"
+
+ #define KEX_CLIENT_KEX KEX_SERVER_KEX
+
+diff --git a/ssh_config.5 b/ssh_config.5
+index d5888f2..100563e 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group16-sha512,
+ diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256
++diffie-hellman-group14-sha256,
++diffie-hellman-group14-sha1
+ .Ed
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
+diff --git a/sshd_config.5 b/sshd_config.5
+index 0f5fe53..97364f5 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256
++diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+ .Ed
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
diff --git a/openssh.changes b/openssh.changes
index d58c5f3..585a3df 100644
--- a/openssh.changes
+++ b/openssh.changes
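Review bot: The myproposal.h part of the new patch appends diffie-hellman-group14-sha1 to KEX_SERVER_KEX, and the context line `#define KEX_CLIENT_KEX KEX_SERVER_KEX` aliases the client default to the server list, so the SHA-1 exchange is re-enabled for outgoing ssh connections as well as for sshd; the changes entry only speaks of compatibility with older platforms and should say that both sides are affected. Listing it last means it is negotiated only when no stronger method is shared, but a peer offering nothing else still completes a SHA-1-based exchange, so the spec or changes entry should also document the opt-out for administrators who do not need the fallback, `KexAlgorithms -diffie-hellman-group14-sha1` in sshd_config or ssh_config. The two man-page hunks are consistent with the header change.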
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson
+
+- Improve robustness of sshd init detection when upgrading from
+ a pre-systemd distribution.
+
+-------------------------------------------------------------------
+Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson
+
+- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
+ diffie-hellman-group14-sha1 key exchange back to the default
+ list (bsc#1180958). This is needed for backwards compatibility
+ with older platforms.
+
 -------------------------------------------------------------------
 Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson
diff --git a/openssh.spec b/openssh.spec
index 6f1eca9..7926c7c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -107,6 +107,7 @@ Patch39: openssh-8.1p1-use-openssl-kdf.patch
 Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41: openssh-fips-ensure-approved-moduli.patch
 Patch42: openssh-link-with-sk.patch
+Patch43: openssh-reenable-dh-group14-sha1-default.patch
 BuildRequires: audit-devel
 BuildRequires: automake
 BuildRequires: groff
@@ -129,6 +130,8 @@ BuildRequires: pkgconfig(krb5)
 %else
 BuildRequires: krb5-mini-devel
 %endif
+Requires(pre): findutils
+Requires(pre): grep
 %description
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -166,6 +169,8 @@ Summary: SSH (Secure Shell) server
 Group: Productivity/Networking/SSH
 Requires: %{name}-common = %{version}-%{release}
 Recommends: audit
+Requires(pre): findutils
+Requires(pre): grep
 Requires(pre): shadow
 Requires(post): %fillup_prereq
 Requires(post): permissions
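Review bot: The `Requires(pre): findutils` and `Requires(pre): grep` lines added in the hunks at -129 and -166 declare find and grep for the %pre scriptlets, but the init-link detection those scriptlets run also calls `readlink -f` and `mkdir -p`, which on openSUSE are provided by coreutils and are not declared. Either add `Requires(pre): coreutils` beside the two new lines in both packages, or add a short comment stating that coreutils is assumed present, so the next person extending the scriptlet knows which tools may be relied on. The hunk at -107 only registers the new patch file and needs nothing.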
@@ -350,8 +355,9 @@ mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
 %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
 else
- if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
- == x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
+ if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
+ -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
+ then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 %pre server
@@ -362,14 +368,14 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
 %endif
- # See %%pre.
 mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
 %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
 else
- if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
- == x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
+ if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
+ -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
+ then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 %service_add_pre sshd.service
From b459802ca3e1b5d7f561801e31d39e2bc6841f0647706a3636ef482aa7726764 Mon Sep 17 00:00:00 2001
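Review bot: In both rewritten branches (hunks at -350 and -362) the grep pattern hard-codes `/etc/init.d/sshd$` while the find argument on the line above derives the same path from `%{_sysconfdir}`, and the suffix match accepts any resolved link target ending in that string rather than the exact path the removed `==` test required. `-exec readlink -f {} \; | grep -qxF '%{_sysconfdir}/init.d/sshd'` keeps the exact-path semantics, uses the macro consistently, and lets `-q` replace `>/dev/null 2>&1`. Note also that the redirection applies to grep only, so find's own diagnostics, for instance when one of rc3.d or rc5.d does not exist on the host, still reach the rpm transaction output; if that noise matters, `2>/dev/null` belongs on the find side. The enclosing if/else/fi is fully inside each hunk.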
From: Dirk Mueller
Date: Sun, 24 Jan 2021 18:19:54 +0000
Subject: [PATCH 3/3] Accepting request 866259 from home:hpjansson:branches:network
- Add openssh-fix-ssh-copy-id.patch, which fixes breakage introduced in 8.4p1 (bsc#1181311).
- sysusers-sshd.conf: use sysusers.d configuration file to create sshd user (avoid hard dependency on shadow).
OBS-URL: https://build.opensuse.org/request/show/866259
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=225
---
 openssh-fix-ssh-copy-id.patch | 30 ++++++++++++++++++++++++++++++
 openssh.changes | 12 ++++++++++++
 openssh.spec | 16 ++++++++++++----
 sysusers-sshd.conf | 2 ++
 4 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 openssh-fix-ssh-copy-id.patch
 create mode 100644 sysusers-sshd.conf
diff --git a/openssh-fix-ssh-copy-id.patch b/openssh-fix-ssh-copy-id.patch
new file mode 100644
index 0000000..3c63ce1
--- /dev/null
+++ b/openssh-fix-ssh-copy-id.patch
@@ -0,0 +1,30 @@
+From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
+From: Oleg
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+ # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+ # the cat adds the keys we're getting via STDIN
+ # and if available restorecon is used to restore the SELinux context
+- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
++ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ cd;
+ umask 077;
+ mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ restorecon -F .ssh ${AUTH_KEY_FILE};
+ fi
+ EOF
++ )
+
+ # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+ printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/openssh.changes b/openssh.changes
index 585a3df..445993d 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Jan 23 18:28:19 UTC 2021 - Hans Petter Jansson
+
+- Add openssh-fix-ssh-copy-id.patch, which fixes breakage
+ introduced in 8.4p1 (bsc#1181311).
+
 -------------------------------------------------------------------
 Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson
@@ -18,6 +24,12 @@ Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson
 - Make sure sshd is enabled correctly when upgrading from a
 pre-systemd distribution (bsc#1180083).
+-------------------------------------------------------------------
+Mon Jan 18 11:04:41 UTC 2021 - Thorsten Kukuk
+
+- sysusers-sshd.conf: use sysusers.d configuration file to create
+ sshd user (avoid hard dependency on shadow).
+
 -------------------------------------------------------------------
 Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller
diff --git a/openssh.spec b/openssh.spec
index 7926c7c..ccc95ba 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -58,6 +58,7 @@ Source10: sshd.service
 Source11: README.FIPS
 Source12: cavs_driver-ssh.pl
 Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
+Source14: sysusers-sshd.conf
 Patch0: openssh-7.7p1-allow_root_password_login.patch
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
@@ -108,6 +109,7 @@ Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41: openssh-fips-ensure-approved-moduli.patch
 Patch42: openssh-link-with-sk.patch
 Patch43: openssh-reenable-dh-group14-sha1-default.patch
+Patch44: openssh-fix-ssh-copy-id.patch
 BuildRequires: audit-devel
 BuildRequires: automake
 BuildRequires: groff
@@ -120,6 +122,8 @@ BuildRequires: pkgconfig
 BuildRequires: zlib-devel
 BuildRequires: pkgconfig(libfido2)
 BuildRequires: pkgconfig(libsystemd)
+BuildRequires: sysuser-shadow
+BuildRequires: sysuser-tools
 Requires: %{name}-clients = %{version}-%{release}
 Requires: %{name}-server = %{version}-%{release}
 %if %{with tirpc}
@@ -171,10 +175,10 @@ Requires: %{name}-common = %{version}-%{release}
 Recommends: audit
 Requires(pre): findutils
 Requires(pre): grep
-Requires(pre): shadow
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides: openssh:%{_sbindir}/sshd
+%sysusers_requires
 %description server
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -292,6 +296,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 --target=%{_target_cpu}-suse-linux
 %make_build
+%sysusers_generate_pre %{SOURCE14} sshd
 %install
 %make_install
@@ -327,6 +332,10 @@ rm -f %{buildroot}%{_datadir}/Ssh.bin
 # sshd keys generator wrapper
 install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
+# Install sysusers.d config for sshd user
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
+
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
@@ -360,9 +369,7 @@ else
 then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
-%pre server
-getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
-getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
+%pre server -f sshd.pre
 %if %{defined _distconfdir}
 # move outdated pam.d/*.rpmsave file away
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
@@ -446,6 +453,7 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
+%attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*
diff --git a/sysusers-sshd.conf b/sysusers-sshd.conf
new file mode 100644
index 0000000..040c8ad
--- /dev/null
+++ b/sysusers-sshd.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u sshd - "SSH daemon" /var/lib/sshd
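Review bot: The `+%pre server -f sshd.pre` hunk at -360 drops the explicit `useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false`, and the replacement entry `u sshd - "SSH daemon" /var/lib/sshd` in the new sysusers-sshd.conf names no shell, so the account shell is no longer pinned to /bin/false and instead falls back to whatever the sysusers implementation defaults to (nologin per sysusers.d(5), presumably the same for the sysuser-shadow generator, but worth confirming); this is a visible difference from the removed line and the changes entry should mention it. The conf file also hard-codes /var/lib/sshd where the spec used `%{_localstatedir}/lib/sshd`; the two agree on openSUSE and sysusers files are not macro-expanded, so a comment in the conf file recording that correspondence would help the next maintainer. In the hunk at -327, `mkdir -p` followed by `install -m 644` can be the single line `install -D -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf`, matching the `install -D -m 0755 %{SOURCE9}` line just above it.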