Accepting request 738490 from home:hpjansson:branches:network

Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
in /etc/sysconfig/ssh. This is set to "yes" by default, but
can be changed by the system administrator (bsc#1139089).

Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

OBS-URL: https://build.opensuse.org/request/show/738490
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=198
This commit is contained in:
Tomáš Chvátal 2019-10-15 07:47:08 +00:00 committed by Git OBS Bridge
parent 318211936a
commit fbcab3da0e
6 changed files with 149 additions and 1 deletions

View File

@ -0,0 +1,39 @@
commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
Author: Hans Petter Jansson <hpj@cl.no>
Date: Fri Sep 27 01:57:16 2019 +0200
ssh-keygen: Preserve known_hosts permissions on rewrite
Transfer the permissions of the old known_hosts file instead of
just going with what mkstemp() gives us. This is useful in corner
cases where known_hosts is shared between users.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 03a7fe5..ca8a309 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name)
if (inplace)
unlink(tmp);
} else if (inplace) {
+ struct stat st;
+
+ /* Get metadata for existing file */
+ r = stat(identity_file, &st);
+
/* Backup existing file */
if (unlink(old) == -1 && errno != ENOENT)
fatal("unlink %.100s: %s", old, strerror(errno));
@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name)
unlink(old);
exit(1);
}
+ /* Preserve permissions; non-critical */
+ if (r != -1)
+ r = chown(identity_file, st.st_uid, st.st_gid);
+ if (r != -1)
+ chmod(identity_file,
+ st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
printf("%s updated.\n", identity_file);
printf("Original contents retained as %s\n", old);

View File

@ -0,0 +1,76 @@
commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
Author: Hans Petter Jansson <hpj@cl.no>
Date: Thu Jun 20 23:54:11 2019 +0200
Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
diff --git a/readconf.c b/readconf.c
index 24f2cb1..bbdea0d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2183,9 +2183,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
index 13cf154..766ac6b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index 3bf0502..10246f8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index 50a4917..a276fcb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.

View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).
-------------------------------------------------------------------
Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
in /etc/sysconfig/ssh. This is set to "yes" by default, but
can be changed by the system administrator (bsc#1139089).
-------------------------------------------------------------------
Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com> Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com>

View File

@ -97,6 +97,8 @@ Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213 # https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: groff BuildRequires: groff

View File

@ -1,5 +1,8 @@
#!/bin/sh #!/bin/sh
if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then
. /etc/sysconfig/ssh
if [ "$SSHD_AUTO_KEYGEN" = "yes" ]; then
echo "Checking for missing server keys in /etc/ssh" echo "Checking for missing server keys in /etc/ssh"
ssh-keygen -A ssh-keygen -A
fi fi

View File

@ -7,3 +7,8 @@
# Options for sshd # Options for sshd
# #
SSHD_OPTS="" SSHD_OPTS=""
#
# Whether to run ssh-keygen -A
#
SSHD_AUTO_KEYGEN="yes"