Merge "Refactor patches for openssh package"
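--- a/base/openssh-config/centos/build_srpm.data
+++ b/base/openssh-config/centos/build_srpm.data
@@ -0,0 +1,2 @@
+SRC_DIR="files"
+TIS_PATCH_VER=0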
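--- a/base/openssh-config/centos/openssh-config.spec
+++ b/base/openssh-config/centos/openssh-config.spec
@@ -0,0 +1,40 @@
+Summary: openssh-config
+Name: openssh-config
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: StarlingX
+URL: unknown
+BuildArch: noarch
+Source: %name-%version.tar.gz
+
+Requires: %{_bindir}/systemctl
+Requires: openssh
+Summary: package StarlingX configuration files of openssh to system folder.
+
+%description
+package StarlingX configuration files of openssh to system folder.
+
+%prep
+%setup
+
+%build
+
+%install
+%{__install} -d %{buildroot}%{_datadir}/starlingx
+%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
+%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
+%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
+
+%post
+%define _pamconfdir %{_sysconfdir}/pam.d
+if [ $1 -eq 1 ] ; then
+# Initial installation
+cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
+fi
+%{_bindir}/systemctl disable sshd.service > /dev/null 2>&1 || :
+
+%files
+%{_datadir}/starlingx/sshd.pam
+%{_sysconfdir}/systemd/system/sshd.service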
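--- a/base/openssh-config/files/sshd.pam
+++ b/base/openssh-config/files/sshd.pam
@@ -0,0 +1,24 @@
+# WRSM-1.0
+
+auth include common-auth
+account required pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session required pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open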
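Review bot: The first line reads `# WRSM-1.0` where the stock file this replaces (visible in the removed sshd-pam patch at the bottom of this commit) starts with the conventional `#%PAM-1.0` header; it is a comment either way, but it looks like a transcription slip and should read `#%PAM-1.0`. The stack is built entirely on `common-auth`, `common-account`, `common-password` and `common-session` includes, which are not the names CentOS ships (`password-auth`/`system-auth`); Linux-PAM treats an `include` of a missing file as a configuration error and the sshd stack then typically fails for everyone, so confirm the build provides those files before this package is pulled in. Compared with the stock file, `pam_sepermit.so` and `pam_namespace.so` appear to be omitted and `pam_loginuid.so` now runs after `common-session`; a short header comment stating that these differences are intentional, and why, would save the next reviewer the comparison.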
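--- a/base/openssh-config/files/sshd.service
+++ b/base/openssh-config/files/sshd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/etc/init.d/sshd start
+ExecStop=/etc/init.d/sshd stop
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/var/run/sshd.pid
+KillMode=none
+#Restart=on-failure
+#RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target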
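Review bot: No `Type=` is set under `[Service]`, so this unit runs as `Type=simple` and systemd treats `/etc/init.d/sshd start` itself as the main process; as I read it, once the init script exits the unit is considered finished and `$MAINPID` in `ExecReload=` will not point at the daemon that `PIDFile=` names. `Type=forking` is the mode that pairs with an init-script `ExecStart=` plus `PIDFile=`, so add `Type=forking` under `[Service]` — confirm against the systemd version this image ships. `KillMode=none` leaves every process in the unit's cgroup running on stop and newer systemd versions warn against it; if it is there to keep established sessions alive across a restart, say so, e.g. `# KillMode=none: keep established sessions when the unit is stopped`. The commented-out `Restart=` lines mean a crashed sshd is not restarted by systemd; either a comment stating that recovery is handled elsewhere or a restored `Restart=on-failure` would make the intent clear.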
@ -1,14 +1,15 @@
|
|||||||
From 4da56227f47a96f37eb0e46e0222f7e1d2f95c2b Mon Sep 17 00:00:00 2001
|
From 4da56227f47a96f37eb0e46e0222f7e1d2f95c2b Mon Sep 17 00:00:00 2001
|
||||||
From: Scott Little <scott.little@windriver.com>
|
From: Scott Little <scott.little@windriver.com>
|
||||||
Date: Mon, 2 Oct 2017 15:32:16 -0400
|
Date: Mon, 2 Oct 2017 15:32:16 -0400
|
||||||
Subject: [3/6] WRS: 0001-Update-package-versioning-for-TIS-format.patch
|
Subject: 0001-Update-package-versioning-for-TIS-format.patch
|
||||||
|
|
||||||
|
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
||||||
---
|
---
|
||||||
SPECS/openssh.spec | 4 ++--
|
SPECS/openssh.spec | 4 ++--
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
||||||
index d10e73e..be83a63 100644
|
index 5c030bc..0a91b56 100644
|
||||||
--- a/SPECS/openssh.spec
|
--- a/SPECS/openssh.spec
|
||||||
+++ b/SPECS/openssh.spec
|
+++ b/SPECS/openssh.spec
|
||||||
@@ -71,7 +71,7 @@
|
@@ -71,7 +71,7 @@
|
||||||
@ -30,5 +31,5 @@ index d10e73e..be83a63 100644
|
|||||||
|
|
||||||
%description
|
%description
|
||||||
--
|
--
|
||||||
2.7.4
|
1.8.3.1
|
||||||
|
|
||||||
|
@ -1,6 +1,3 @@
|
|||||||
sshd-pam-use-common-includes.patch
|
|
||||||
openssh-service-file.patch
|
|
||||||
openssh-spec-file-add-init.patch
|
|
||||||
0001-Update-package-versioning-for-TIS-format.patch
|
0001-Update-package-versioning-for-TIS-format.patch
|
||||||
|
spec-include-TiS-changes.patch
|
||||||
openssh-init-script-kill-old-instances-on-start.patch
|
openssh-init-script-kill-old-instances-on-start.patch
|
||||||
spec-harden-server-and-client-config.patch
|
|
||||||
|
@ -29,4 +29,3 @@ index 8901b4f..cd8b4ab 100755
|
|||||||
RETVAL=$?
|
RETVAL=$?
|
||||||
--
|
--
|
||||||
1.9.1
|
1.9.1
|
||||||
|
|
||||||
|
@ -1,38 +0,0 @@
|
|||||||
From 136246c027dedb5c22c7a50ce8beebdecf85defe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 15:32:15 -0400
|
|
||||||
Subject: [PATCH 3/7] WRS: openssh-service-file.patch
|
|
||||||
|
|
||||||
Conflicts:
|
|
||||||
SOURCES/sshd.service
|
|
||||||
---
|
|
||||||
SOURCES/sshd.service | 11 ++++++-----
|
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service
|
|
||||||
index af7845c..5cba529 100644
|
|
||||||
--- a/SOURCES/sshd.service
|
|
||||||
+++ b/SOURCES/sshd.service
|
|
||||||
@@ -5,13 +5,14 @@ After=network.target sshd-keygen.service
|
|
||||||
Wants=sshd-keygen.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
-Type=notify
|
|
||||||
EnvironmentFile=/etc/sysconfig/sshd
|
|
||||||
-ExecStart=/usr/sbin/sshd -D $OPTIONS
|
|
||||||
+ExecStart=/etc/init.d/sshd start
|
|
||||||
+ExecStop=/etc/init.d/sshd stop
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
-KillMode=process
|
|
||||||
-Restart=on-failure
|
|
||||||
-RestartSec=42s
|
|
||||||
+PIDFile=/var/run/sshd.pid
|
|
||||||
+KillMode=none
|
|
||||||
+#Restart=on-failure
|
|
||||||
+#RestartSec=42s
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 15:32:16 -0400
|
|
||||||
Subject: [2/6] WRS: openssh-spec-file-add-init.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/openssh.spec | 5 -----
|
|
||||||
1 file changed, 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
|
||||||
index e137156..d10e73e 100644
|
|
||||||
--- a/SPECS/openssh.spec
|
|
||||||
+++ b/SPECS/openssh.spec
|
|
||||||
@@ -719,9 +719,6 @@ getent passwd sshd >/dev/null || \
|
|
||||||
%preun server
|
|
||||||
%systemd_preun sshd.service sshd.socket
|
|
||||||
|
|
||||||
-%postun server
|
|
||||||
-%systemd_postun_with_restart sshd.service
|
|
||||||
-
|
|
||||||
%files
|
|
||||||
%defattr(-,root,root)
|
|
||||||
%{!?_licensedir:%global license %%doc}
|
|
||||||
@@ -784,8 +781,6 @@ getent passwd sshd >/dev/null || \
|
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
|
||||||
|
|
||||||
-%files server-sysvinit
|
|
||||||
-%defattr(-,root,root)
|
|
||||||
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
|
||||||
%endif
|
|
||||||
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From 857b95ac924a980c60d894148d3c5d41aca8447d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andy Ning <andy.ning@windriver.com>
|
|
||||||
Date: Thu, 22 Mar 2018 11:45:26 -0400
|
|
||||||
Subject: [PATCH] CGTS-9265: patch to harden server and client config
|
|
||||||
|
|
||||||
Replace the hardcoded sshd_config and ssh_config files with patches
|
|
||||||
to openssh.
|
|
||||||
|
|
||||||
Signed-off-by: Andy Ning <andy.ning@windriver.com>
|
|
||||||
---
|
|
||||||
SPECS/openssh.spec | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
|
||||||
index 442261e..c62e6c8 100644
|
|
||||||
--- a/SPECS/openssh.spec
|
|
||||||
+++ b/SPECS/openssh.spec
|
|
||||||
@@ -251,6 +251,9 @@ Patch959: openssh-7.4p1-authorized_keys_command.patch
|
|
||||||
# Fix for CVE-2017-15906 (#1517226)
|
|
||||||
Patch960: openssh-7.5p1-sftp-empty-files.patch
|
|
||||||
|
|
||||||
+# WRS: harden server and client config
|
|
||||||
+Patch1000: harden-server-and-client-config.patch
|
|
||||||
+
|
|
||||||
License: BSD
|
|
||||||
Group: Applications/Internet
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
||||||
@@ -511,6 +514,9 @@ popd
|
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
|
||||||
|
|
||||||
+# WRS
|
|
||||||
+%patch1000 -p1 -b .harden
|
|
||||||
+
|
|
||||||
%if 0
|
|
||||||
# Nothing here yet
|
|
||||||
%endif
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -0,0 +1,54 @@
|
|||||||
|
From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Scott Little <scott.little@windriver.com>
|
||||||
|
Date: Mon, 2 Oct 2017 15:32:16 -0400
|
||||||
|
Subject: spec-include-TiS-changes.patch
|
||||||
|
|
||||||
|
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
||||||
|
---
|
||||||
|
SPECS/openssh.spec | 9 ++++-----
|
||||||
|
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
||||||
|
index 0a91b56..bbae9d7 100644
|
||||||
|
--- a/SPECS/openssh.spec
|
||||||
|
+++ b/SPECS/openssh.spec
|
||||||
|
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
|
||||||
|
Patch959: openssh-7.4p1-authorized_keys_command.patch
|
||||||
|
# Fix for CVE-2017-15906 (#1517226)
|
||||||
|
Patch960: openssh-7.5p1-sftp-empty-files.patch
|
||||||
|
+# WRS: harden server and client config
|
||||||
|
+Patch1000: harden-server-and-client-config.patch
|
||||||
|
|
||||||
|
License: BSD
|
||||||
|
Group: Applications/Internet
|
||||||
|
@@ -510,6 +512,8 @@ popd
|
||||||
|
%patch700 -p1 -b .fips
|
||||||
|
|
||||||
|
%patch100 -p1 -b .coverity
|
||||||
|
+# WRS
|
||||||
|
+%patch1000 -p1 -b .harden
|
||||||
|
|
||||||
|
%if 0
|
||||||
|
# Nothing here yet
|
||||||
|
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
|
||||||
|
%preun server
|
||||||
|
%systemd_preun sshd.service sshd.socket
|
||||||
|
|
||||||
|
-%postun server
|
||||||
|
-%systemd_postun_with_restart sshd.service
|
||||||
|
-
|
||||||
|
%files
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
|
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
|
||||||
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
||||||
|
|
||||||
|
-%files server-sysvinit
|
||||||
|
-%defattr(-,root,root)
|
||||||
|
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 15:32:15 -0400
|
|
||||||
Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
|
|
||||||
1 file changed, 21 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
|
|
||||||
index 0f5c061..72303eb 100644
|
|
||||||
--- a/SOURCES/sshd.pam
|
|
||||||
+++ b/SOURCES/sshd.pam
|
|
||||||
@@ -1,20 +1,24 @@
|
|
||||||
#%PAM-1.0
|
|
||||||
-auth required pam_sepermit.so
|
|
||||||
-auth substack password-auth
|
|
||||||
-auth include postlogin
|
|
||||||
-# Used with polkit to reauthorize users in remote sessions
|
|
||||||
--auth optional pam_reauthorize.so prepare
|
|
||||||
+
|
|
||||||
+auth include common-auth
|
|
||||||
account required pam_nologin.so
|
|
||||||
-account include password-auth
|
|
||||||
-password include password-auth
|
|
||||||
-# pam_selinux.so close should be the first session rule
|
|
||||||
-session required pam_selinux.so close
|
|
||||||
-session required pam_loginuid.so
|
|
||||||
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
|
||||||
-session required pam_selinux.so open env_params
|
|
||||||
-session required pam_namespace.so
|
|
||||||
+
|
|
||||||
+# SELinux needs to be the first session rule. This ensures that any
|
|
||||||
+# lingering context has been cleared. Without out this it is possible
|
|
||||||
+# that a module could execute code in the wrong domain.
|
|
||||||
+# When the module is present, "required" would be sufficient (When SELinux
|
|
||||||
+# is disabled, this returns success.)
|
|
||||||
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
||||||
+
|
|
||||||
+account include common-account
|
|
||||||
+password include common-password
|
|
||||||
session optional pam_keyinit.so force revoke
|
|
||||||
-session include password-auth
|
|
||||||
-session include postlogin
|
|
||||||
-# Used with polkit to reauthorize users in remote sessions
|
|
||||||
--session optional pam_reauthorize.so prepare
|
|
||||||
+session include common-session
|
|
||||||
+session required pam_loginuid.so
|
|
||||||
+
|
|
||||||
+# SELinux needs to intervene at login time to ensure that the process
|
|
||||||
+# starts in the proper default security context. Only sessions which are
|
|
||||||
+# intended to run in the user's context should be run after this.
|
|
||||||
+# When the module is present, "required" would be sufficient (When SELinux
|
|
||||||
+# is disabled, this returns success.)
|
|
||||||
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
@ -188,6 +188,7 @@ dhcp-config
|
|||||||
openssh
|
openssh
|
||||||
openssh-clients
|
openssh-clients
|
||||||
openssh-server
|
openssh-server
|
||||||
|
openssh-config
|
||||||
|
|
||||||
# facter
|
# facter
|
||||||
facter
|
facter
|
||||||
|
@ -10,6 +10,7 @@ filesystem/nfs-utils-config
|
|||||||
base/dhcp
|
base/dhcp
|
||||||
base/dhcp-config
|
base/dhcp-config
|
||||||
base/openssh
|
base/openssh
|
||||||
|
base/openssh-config
|
||||||
config/facter
|
config/facter
|
||||||
virt/qemu
|
virt/qemu
|
||||||
filesystem/nfscheck
|
filesystem/nfscheck
|
||||||
|