Merge "Refactor patches for openssh package"

base/openssh-config/centos/build_srpm.data

@@ -0,0 +1,2 @@
+SRC_DIR="files"
+TIS_PATCH_VER=0

base/openssh-config/centos/openssh-config.spec

@@ -0,0 +1,40 @@
+Summary: openssh-config
+Name: openssh-config
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: StarlingX
+URL: unknown
+BuildArch: noarch
+Source: %name-%version.tar.gz
+
+Requires: %{_bindir}/systemctl
+Requires: openssh
+Summary: package StarlingX configuration files of openssh to system folder.
+
+%description
+package StarlingX configuration files of openssh to system folder.
+
+%prep
+%setup
+
+%build
+
+%install
+%{__install} -d  %{buildroot}%{_datadir}/starlingx
+%{__install} -d  %{buildroot}%{_sysconfdir}/systemd/system
+%{__install} -m 644 sshd.pam      %{buildroot}%{_datadir}/starlingx/sshd.pam
+%{__install} -m 644 sshd.service  %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
+
+%post
+%define _pamconfdir %{_sysconfdir}/pam.d
+if [ $1 -eq 1 ] ; then
+        # Initial installation
+        cp -f %{_datadir}/starlingx/sshd.pam  %{_pamconfdir}/sshd
+fi
+%{_bindir}/systemctl disable sshd.service  > /dev/null 2>&1 || :
+
+%files
+%{_datadir}/starlingx/sshd.pam
+%{_sysconfdir}/systemd/system/sshd.service

base/openssh-config/files/sshd.pam

@@ -0,0 +1,24 @@
+# WRSM-1.0
+
+auth       include      common-auth
+account    required     pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account    include      common-account
+password   include      common-password
+session    optional     pam_keyinit.so force revoke
+session    include      common-session
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

base/openssh-config/files/sshd.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/etc/init.d/sshd start
+ExecStop=/etc/init.d/sshd stop
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/var/run/sshd.pid
+KillMode=none
+#Restart=on-failure
+#RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target

base/openssh/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch

@@ -1,14 +1,15 @@
 From 4da56227f47a96f37eb0e46e0222f7e1d2f95c2b Mon Sep 17 00:00:00 2001
 From: Scott Little <scott.little@windriver.com>
 Date: Mon, 2 Oct 2017 15:32:16 -0400
-Subject: [3/6] WRS: 0001-Update-package-versioning-for-TIS-format.patch
+Subject: 0001-Update-package-versioning-for-TIS-format.patch
 
+Signed-off-by: zhipengl <zhipengs.liu@intel.com>
 ---
  SPECS/openssh.spec | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
-index d10e73e..be83a63 100644
+index 5c030bc..0a91b56 100644
 --- a/SPECS/openssh.spec
 +++ b/SPECS/openssh.spec
 @@ -71,7 +71,7 @@
@@ -30,5 +31,5 @@ index d10e73e..be83a63 100644
  
  %description
 -- 
-2.7.4
+1.8.3.1
 

base/openssh/centos/meta_patches/PATCH_ORDER

@@ -1,6 +1,3 @@
-sshd-pam-use-common-includes.patch
-openssh-service-file.patch
-openssh-spec-file-add-init.patch
 0001-Update-package-versioning-for-TIS-format.patch
+spec-include-TiS-changes.patch
 openssh-init-script-kill-old-instances-on-start.patch
-spec-harden-server-and-client-config.patch

base/openssh/centos/meta_patches/openssh-init-script-kill-old-instances-on-start.patch

@@ -29,4 +29,3 @@ index 8901b4f..cd8b4ab 100755
  	RETVAL=$?
 -- 
 1.9.1
-

base/openssh/centos/meta_patches/openssh-service-file.patch

@@ -1,38 +0,0 @@
-From 136246c027dedb5c22c7a50ce8beebdecf85defe Mon Sep 17 00:00:00 2001
-From: Scott Little <scott.little@windriver.com>
-Date: Mon, 2 Oct 2017 15:32:15 -0400
-Subject: [PATCH 3/7] WRS: openssh-service-file.patch
-
-Conflicts:
-	SOURCES/sshd.service
----
- SOURCES/sshd.service | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service
-index af7845c..5cba529 100644
---- a/SOURCES/sshd.service
-+++ b/SOURCES/sshd.service
-@@ -5,13 +5,14 @@ After=network.target sshd-keygen.service
- Wants=sshd-keygen.service
- 
- [Service]
--Type=notify
- EnvironmentFile=/etc/sysconfig/sshd
--ExecStart=/usr/sbin/sshd -D $OPTIONS
-+ExecStart=/etc/init.d/sshd start
-+ExecStop=/etc/init.d/sshd stop
- ExecReload=/bin/kill -HUP $MAINPID
--KillMode=process
--Restart=on-failure
--RestartSec=42s
-+PIDFile=/var/run/sshd.pid
-+KillMode=none
-+#Restart=on-failure
-+#RestartSec=42s
- 
- [Install]
- WantedBy=multi-user.target
--- 
-1.9.1
-

base/openssh/centos/meta_patches/openssh-spec-file-add-init.patch

@@ -1,35 +0,0 @@
-From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
-From: Scott Little <scott.little@windriver.com>
-Date: Mon, 2 Oct 2017 15:32:16 -0400
-Subject: [2/6] WRS: openssh-spec-file-add-init.patch
-
----
- SPECS/openssh.spec | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
-index e137156..d10e73e 100644
---- a/SPECS/openssh.spec
-+++ b/SPECS/openssh.spec
-@@ -719,9 +719,6 @@ getent passwd sshd >/dev/null || \
- %preun server
- %systemd_preun sshd.service sshd.socket
- 
--%postun server
--%systemd_postun_with_restart sshd.service
--
- %files
- %defattr(-,root,root)
- %{!?_licensedir:%global license %%doc}
-@@ -784,8 +781,6 @@ getent passwd sshd >/dev/null || \
- %attr(0644,root,root) %{_unitdir}/sshd.socket
- %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
- 
--%files server-sysvinit
--%defattr(-,root,root)
- %attr(0755,root,root) /etc/rc.d/init.d/sshd
- %endif
- 
--- 
-2.7.4
-

base/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch

@@ -1,40 +0,0 @@
-From 857b95ac924a980c60d894148d3c5d41aca8447d Mon Sep 17 00:00:00 2001
-From: Andy Ning <andy.ning@windriver.com>
-Date: Thu, 22 Mar 2018 11:45:26 -0400
-Subject: [PATCH] CGTS-9265: patch to harden server and client config
-
-Replace the hardcoded sshd_config and ssh_config files with patches
-to openssh.
-
-Signed-off-by: Andy Ning <andy.ning@windriver.com>
----
- SPECS/openssh.spec | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
-index 442261e..c62e6c8 100644
---- a/SPECS/openssh.spec
-+++ b/SPECS/openssh.spec
-@@ -251,6 +251,9 @@ Patch959: openssh-7.4p1-authorized_keys_command.patch
- # Fix for CVE-2017-15906 (#1517226)
- Patch960: openssh-7.5p1-sftp-empty-files.patch
- 
-+# WRS: harden server and client config
-+Patch1000: harden-server-and-client-config.patch
-+
- License: BSD
- Group: Applications/Internet
- BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-@@ -511,6 +514,9 @@ popd
- 
- %patch100 -p1 -b .coverity
- 
-+# WRS
-+%patch1000 -p1 -b .harden
-+
- %if 0
- # Nothing here yet
- %endif
--- 
-2.7.4
-

base/openssh/centos/meta_patches/spec-include-TiS-changes.patch

@@ -0,0 +1,54 @@
+From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
+From: Scott Little <scott.little@windriver.com>
+Date: Mon, 2 Oct 2017 15:32:16 -0400
+Subject: spec-include-TiS-changes.patch
+
+Signed-off-by: zhipengl <zhipengs.liu@intel.com>
+---
+ SPECS/openssh.spec | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
+index 0a91b56..bbae9d7 100644
+--- a/SPECS/openssh.spec
++++ b/SPECS/openssh.spec
+@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
+ Patch959: openssh-7.4p1-authorized_keys_command.patch
+ # Fix for CVE-2017-15906 (#1517226)
+ Patch960: openssh-7.5p1-sftp-empty-files.patch
++# WRS: harden server and client config
++Patch1000: harden-server-and-client-config.patch
+ 
+ License: BSD
+ Group: Applications/Internet
+@@ -510,6 +512,8 @@ popd
+ %patch700 -p1 -b .fips
+ 
+ %patch100 -p1 -b .coverity
++# WRS
++%patch1000 -p1 -b .harden
+ 
+ %if 0
+ # Nothing here yet
+@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
+ %preun server
+ %systemd_preun sshd.service sshd.socket
+ 
+-%postun server
+-%systemd_postun_with_restart sshd.service
+-
+ %files
+ %defattr(-,root,root)
+ %{!?_licensedir:%global license %%doc}
+@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
+ %attr(0644,root,root) %{_unitdir}/sshd.socket
+ %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+ 
+-%files server-sysvinit
+-%defattr(-,root,root)
+ %attr(0755,root,root) /etc/rc.d/init.d/sshd
+ %endif
+ 
+-- 
+1.8.3.1
+

base/openssh/centos/meta_patches/sshd-pam-use-common-includes.patch

@@ -1,58 +0,0 @@
-From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
-From: Scott Little <scott.little@windriver.com>
-Date: Mon, 2 Oct 2017 15:32:15 -0400
-Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch
-
----
- SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
- 1 file changed, 21 insertions(+), 17 deletions(-)
-
-diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
-index 0f5c061..72303eb 100644
---- a/SOURCES/sshd.pam
-+++ b/SOURCES/sshd.pam
-@@ -1,20 +1,24 @@
- #%PAM-1.0
--auth	   required	pam_sepermit.so
--auth       substack     password-auth
--auth       include      postlogin
--# Used with polkit to reauthorize users in remote sessions
---auth      optional     pam_reauthorize.so prepare
-+
-+auth       include      common-auth
- account    required     pam_nologin.so
--account    include      password-auth
--password   include      password-auth
--# pam_selinux.so close should be the first session rule
--session    required     pam_selinux.so close
--session    required     pam_loginuid.so
--# pam_selinux.so open should only be followed by sessions to be executed in the user context
--session    required     pam_selinux.so open env_params
--session    required     pam_namespace.so
-+
-+# SELinux needs to be the first session rule. This ensures that any
-+# lingering context has been cleared. Without out this it is possible
-+# that a module could execute code in the wrong domain.
-+# When the module is present, "required" would be sufficient (When SELinux
-+# is disabled, this returns success.)
-+session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-+
-+account    include      common-account
-+password   include      common-password
- session    optional     pam_keyinit.so force revoke
--session    include      password-auth
--session    include      postlogin
--# Used with polkit to reauthorize users in remote sessions
---session   optional     pam_reauthorize.so prepare
-+session    include      common-session
-+session    required     pam_loginuid.so
-+
-+# SELinux needs to intervene at login time to ensure that the process
-+# starts in the proper default security context. Only sessions which are
-+# intended to run in the user's context should be run after this.
-+# When the module is present, "required" would be sufficient (When SELinux
-+# is disabled, this returns success.)
-+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
--- 
-1.9.1
-

centos_iso_image.inc

@@ -188,6 +188,7 @@ dhcp-config
 openssh
 openssh-clients
 openssh-server
+openssh-config
 
 # facter
 facter

centos_pkg_dirs

@@ -10,6 +10,7 @@ filesystem/nfs-utils-config
 base/dhcp
 base/dhcp-config
 base/openssh
+base/openssh-config
 config/facter
 virt/qemu
 filesystem/nfscheck