Accepting request 738490 from home:hpjansson:branches:network

Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
in /etc/sysconfig/ssh. This is set to "yes" by default, but
can be changed by the system administrator (bsc#1139089).

Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

OBS-URL: https://build.opensuse.org/request/show/738490
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=198

openssh-7.9p1-keygen-preserve-perms.patch

@@ -0,0 +1,39 @@
+commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
+Author: Hans Petter Jansson <hpj@cl.no>
+Date:   Fri Sep 27 01:57:16 2019 +0200
+
+    ssh-keygen: Preserve known_hosts permissions on rewrite
+    
+    Transfer the permissions of the old known_hosts file instead of
+    just going with what mkstemp() gives us. This is useful in corner
+    cases where known_hosts is shared between users.
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 03a7fe5..ca8a309 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name)
+ 		if (inplace)
+ 			unlink(tmp);
+ 	} else if (inplace) {
++		struct stat st;
++
++		/* Get metadata for existing file */
++		r = stat(identity_file, &st);
++
+ 		/* Backup existing file */
+ 		if (unlink(old) == -1 && errno != ENOENT)
+ 			fatal("unlink %.100s: %s", old, strerror(errno));
+@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name)
+ 			unlink(old);
+ 			exit(1);
+ 		}
++		/* Preserve permissions; non-critical */
++		if (r != -1)
++			r = chown(identity_file, st.st_uid, st.st_gid);
++		if (r != -1)
++			chmod(identity_file,
++			      st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
+ 
+ 		printf("%s updated.\n", identity_file);
+ 		printf("Original contents retained as %s\n", old);

openssh-7.9p1-revert-new-qos-defaults.patch

@@ -0,0 +1,76 @@
+commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
+Author: Hans Petter Jansson <hpj@cl.no>
+Date:   Thu Jun 20 23:54:11 2019 +0200
+
+    Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
+    
+    Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
+
+diff --git a/readconf.c b/readconf.c
+index 24f2cb1..bbdea0d 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2183,9 +2183,9 @@ fill_default_options(Options * options)
+ 	if (options->visual_host_key == -1)
+ 		options->visual_host_key = 0;
+ 	if (options->ip_qos_interactive == -1)
+-		options->ip_qos_interactive = IPTOS_DSCP_AF21;
++		options->ip_qos_interactive = IPTOS_LOWDELAY;
+ 	if (options->ip_qos_bulk == -1)
+-		options->ip_qos_bulk = IPTOS_DSCP_CS1;
++		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ 	if (options->request_tty == -1)
+ 		options->request_tty = REQUEST_TTY_AUTO;
+ 	if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index 13cf154..766ac6b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options)
+ 	if (options->permit_tun == -1)
+ 		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->ip_qos_interactive == -1)
+-		options->ip_qos_interactive = IPTOS_DSCP_AF21;
++		options->ip_qos_interactive = IPTOS_LOWDELAY;
+ 	if (options->ip_qos_bulk == -1)
+-		options->ip_qos_bulk = IPTOS_DSCP_CS1;
++		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ 	if (options->version_addendum == NULL)
+ 		options->version_addendum = xstrdup("");
+ 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 3bf0502..10246f8 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index 50a4917..a276fcb 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to allow keyboard-interactive authentication.

openssh.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
+
+- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
+  This attempts to preserve the permissions of any existing
+  known_hosts file when modified by ssh-keygen (for instance,
+  with -R).
+
+-------------------------------------------------------------------
+Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
+
+- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
+  in /etc/sysconfig/ssh. This is set to "yes" by default, but
+  can be changed by the system administrator (bsc#1139089).
+
+-------------------------------------------------------------------
+Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
+
+- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
+  This attempts to preserve the permissions of any existing
+  known_hosts file when modified by ssh-keygen (for instance,
+  with -R).
+
 -------------------------------------------------------------------
 Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
 

openssh.spec

@@ -97,6 +97,8 @@ Patch31:        openssh-7.7p1-ldap.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2213
 Patch32:        openssh-7.7p1-IPv6_X_forwarding.patch
 Patch33:        openssh-7.7p1-sftp_print_diagnostic_messages.patch
+Patch34:        openssh-7.9p1-keygen-preserve-perms.patch
+Patch35:        openssh-7.9p1-revert-new-qos-defaults.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  groff

sshd-gen-keys-start

@@ -1,5 +1,8 @@
 #!/bin/sh
-if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then
+
+. /etc/sysconfig/ssh
+
+if [ "$SSHD_AUTO_KEYGEN" = "yes" ]; then
     echo "Checking for missing server keys in /etc/ssh"
     ssh-keygen -A
 fi

sysconfig.ssh

@@ -7,3 +7,8 @@
 # Options for sshd
 #
 SSHD_OPTS=""
+
+#
+# Whether to run ssh-keygen -A
+#
+SSHD_AUTO_KEYGEN="yes"