From 1c8c71654ff6f20cf13bcceeb861d969fd5b53a8 Mon Sep 17 00:00:00 2001 From: zhipengl Date: Wed, 21 Nov 2018 01:22:11 +0800 Subject: [PATCH] Refactor patches for openssh package Use openssh-config package to package config and service files for openssh package. Merge adding source patch and spec related change to one meta patch named spec-include-TiS-changes.patch. Deployment test and ping test between VMs pass Config files check pass. Story: 2003768 Task: 27588 Change-Id: I77cd054707d11dace1c47e8477d0e30b69719a38 Signed-off-by: zhipengl --- base/openssh-config/centos/build_srpm.data | 2 + .../openssh-config/centos/openssh-config.spec | 40 +++++++++++++ base/openssh-config/files/sshd.pam | 24 ++++++++ base/openssh-config/files/sshd.service | 18 ++++++ ...te-package-versioning-for-TIS-format.patch | 7 ++- base/openssh/centos/meta_patches/PATCH_ORDER | 5 +- ...t-script-kill-old-instances-on-start.patch | 1 - .../meta_patches/openssh-service-file.patch | 38 ------------ .../openssh-spec-file-add-init.patch | 35 ----------- ...spec-harden-server-and-client-config.patch | 40 ------------- .../spec-include-TiS-changes.patch | 54 +++++++++++++++++ .../sshd-pam-use-common-includes.patch | 58 ------------------- centos_iso_image.inc | 1 + centos_pkg_dirs | 1 + 14 files changed, 145 insertions(+), 179 deletions(-) create mode 100644 base/openssh-config/centos/build_srpm.data create mode 100644 base/openssh-config/centos/openssh-config.spec create mode 100644 base/openssh-config/files/sshd.pam create mode 100644 base/openssh-config/files/sshd.service delete mode 100644 base/openssh/centos/meta_patches/openssh-service-file.patch delete mode 100644 base/openssh/centos/meta_patches/openssh-spec-file-add-init.patch delete mode 100644 base/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch create mode 100644 base/openssh/centos/meta_patches/spec-include-TiS-changes.patch delete mode 100644 base/openssh/centos/meta_patches/sshd-pam-use-common-includes.patch
diff --git a/base/openssh-config/centos/build_srpm.data b/base/openssh-config/centos/build_srpm.data
new file mode 100644
index 000000000..da1e20bd8
--- /dev/null
+++ b/base/openssh-config/centos/build_srpm.data
@@ -0,0 +1,2 @@
+SRC_DIR="files"
+TIS_PATCH_VER=0
diff --git a/base/openssh-config/centos/openssh-config.spec b/base/openssh-config/centos/openssh-config.spec
new file mode 100644
index 000000000..70a6c6a44
--- /dev/null
+++ b/base/openssh-config/centos/openssh-config.spec
@@ -0,0 +1,40 @@
+Summary: openssh-config
+Name: openssh-config
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: StarlingX
+URL: unknown
+BuildArch: noarch
+Source: %name-%version.tar.gz
+
+Requires: %{_bindir}/systemctl
+Requires: openssh
+Summary: package StarlingX configuration files of openssh to system folder.
+
+%description
+package StarlingX configuration files of openssh to system folder.
+
+%prep
+%setup
+
+%build
+
+%install
+%{__install} -d %{buildroot}%{_datadir}/starlingx
+%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
+%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
+%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
+
+%post
+%define _pamconfdir %{_sysconfdir}/pam.d
+if [ $1 -eq 1 ] ; then
+ # Initial installation
+ cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
+fi
+%{_bindir}/systemctl disable sshd.service > /dev/null 2>&1 || :
+
+%files
+%{_datadir}/starlingx/sshd.pam
+%{_sysconfdir}/systemd/system/sshd.service
diff --git a/base/openssh-config/files/sshd.pam b/base/openssh-config/files/sshd.pam
new file mode 100644
index 000000000..3d6ce0a41
--- /dev/null
+++ b/base/openssh-config/files/sshd.pam
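Review bot: In `%post` the PAM policy is written with `cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd` only when `$1 -eq 1`, so the live `/etc/pam.d/sshd` is never refreshed on upgrade, is not listed under `%files`, and therefore cannot be checked with `rpm -V` or cleaned up on erase; a comment above the `if` stating that the target is presumably the openssh package's own sshd.pam and is deliberately overwritten once would record that trade-off. `Requires: openssh` names the client package although both shipped files override the server's PAM stack and unit, so `Requires: openssh-server` would express the real ordering dependency. A unit dropped into `%{_sysconfdir}/systemd/system` is also not followed by a reload, so consider `%{_bindir}/systemctl daemon-reload > /dev/null 2>&1 || :` before the `disable` line unless the platform's rpm file triggers are known to do it.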
@@ -0,0 +1,24 @@
+# WRSM-1.0
+
+auth include common-auth
+account required pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session required pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/base/openssh-config/files/sshd.service b/base/openssh-config/files/sshd.service
new file mode 100644
index 000000000..5cba52933
--- /dev/null
+++ b/base/openssh-config/files/sshd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/etc/init.d/sshd start
+ExecStop=/etc/init.d/sshd stop
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/var/run/sshd.pid
+KillMode=none
+#Restart=on-failure
+#RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/base/openssh/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/base/openssh/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
index 2c867b17d..881496126 100644
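Review bot: The stack resolves through `include common-auth`, `common-account`, `common-password` and `common-session`, none of which this package ships or declares a dependency on (the spec requires only openssh and systemctl), so the file is only correct on hosts where some other package provides them; a header comment naming that provider would make the coupling explicit. Compared with the SOURCES/sshd.pam that the now-deleted sshd-pam-use-common-includes.patch rewrote, `auth required pam_sepermit.so` and `session required pam_namespace.so` are dropped without comment; a one-line note on whether SELinux permit checking and namespace setup are intentionally delegated to the common-* files would help the next maintainer. The first line `# WRSM-1.0` also replaces the conventional `#%PAM-1.0` marker that the old patch kept; unless something parses the new token, restoring the standard marker avoids confusion.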
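Review bot: `ExecStart=/etc/init.d/sshd start` launches a sysv wrapper but the unit sets no `Type=`, so systemd's default `simple` applies and the wrapper itself becomes the main process; once it exits, `ExecReload=/bin/kill -HUP $MAINPID` and `PIDFile=/var/run/sshd.pid` are unlikely to track the real daemon (inferred from the unit alone, the init script is outside this change). `Type=forking` is the usual pairing with `PIDFile=` and a start script. `KillMode=none` additionally leaves any leftover sshd processes untouched on stop, and with the `Restart=` lines commented out a crashed daemon stays down; a comment recording that the unit is disabled by the openssh-config `%post` and that supervision happens elsewhere would explain why those settings are acceptable here.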
--- a/base/openssh/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch +++ b/base/openssh/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch @@ -1,14 +1,15 @@ From 4da56227f47a96f37eb0e46e0222f7e1d2f95c2b Mon Sep 17 00:00:00 2001 From: Scott Little Date: Mon, 2 Oct 2017 15:32:16 -0400 -Subject: [3/6] WRS: 0001-Update-package-versioning-for-TIS-format.patch +Subject: 0001-Update-package-versioning-for-TIS-format.patch +Signed-off-by: zhipengl --- SPECS/openssh.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec -index d10e73e..be83a63 100644 +index 5c030bc..0a91b56 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -71,7 +71,7 @@ @@ -30,5 +31,5 @@ index d10e73e..be83a63 100644 %description -- -2.7.4 +1.8.3.1 diff --git a/base/openssh/centos/meta_patches/PATCH_ORDER b/base/openssh/centos/meta_patches/PATCH_ORDER index 94b612f90..2d936ef02 100644 --- a/base/openssh/centos/meta_patches/PATCH_ORDER +++ b/base/openssh/centos/meta_patches/PATCH_ORDER @@ -1,6 +1,3 @@ -sshd-pam-use-common-includes.patch -openssh-service-file.patch -openssh-spec-file-add-init.patch 0001-Update-package-versioning-for-TIS-format.patch +spec-include-TiS-changes.patch openssh-init-script-kill-old-instances-on-start.patch -spec-harden-server-and-client-config.patch diff --git a/base/openssh/centos/meta_patches/openssh-init-script-kill-old-instances-on-start.patch b/base/openssh/centos/meta_patches/openssh-init-script-kill-old-instances-on-start.patch index aa2b06596..905fd3840 100644 --- a/base/openssh/centos/meta_patches/openssh-init-script-kill-old-instances-on-start.patch +++ b/base/openssh/centos/meta_patches/openssh-init-script-kill-old-instances-on-start.patch @@ -29,4 +29,3 @@ index 8901b4f..cd8b4ab 100755 RETVAL=$? -- 1.9.1 - 
diff --git a/base/openssh/centos/meta_patches/openssh-service-file.patch b/base/openssh/centos/meta_patches/openssh-service-file.patch deleted file mode 100644 index e65ef065c..000000000 --- a/base/openssh/centos/meta_patches/openssh-service-file.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 136246c027dedb5c22c7a50ce8beebdecf85defe Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 15:32:15 -0400 -Subject: [PATCH 3/7] WRS: openssh-service-file.patch - -Conflicts: - SOURCES/sshd.service ---- - SOURCES/sshd.service | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service -index af7845c..5cba529 100644 ---- a/SOURCES/sshd.service -+++ b/SOURCES/sshd.service -@@ -5,13 +5,14 @@ After=network.target sshd-keygen.service - Wants=sshd-keygen.service - - [Service] --Type=notify - EnvironmentFile=/etc/sysconfig/sshd --ExecStart=/usr/sbin/sshd -D $OPTIONS -+ExecStart=/etc/init.d/sshd start -+ExecStop=/etc/init.d/sshd stop - ExecReload=/bin/kill -HUP $MAINPID --KillMode=process --Restart=on-failure --RestartSec=42s -+PIDFile=/var/run/sshd.pid -+KillMode=none -+#Restart=on-failure -+#RestartSec=42s - - [Install] - WantedBy=multi-user.target --- -1.9.1 - diff --git a/base/openssh/centos/meta_patches/openssh-spec-file-add-init.patch b/base/openssh/centos/meta_patches/openssh-spec-file-add-init.patch deleted file mode 100644 index f1a330635..000000000 --- a/base/openssh/centos/meta_patches/openssh-spec-file-add-init.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 15:32:16 -0400 -Subject: [2/6] WRS: openssh-spec-file-add-init.patch - ---- - SPECS/openssh.spec | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec -index e137156..d10e73e 100644 ---- a/SPECS/openssh.spec -+++ b/SPECS/openssh.spec -@@ -719,9 +719,6 @@ getent passwd sshd >/dev/null || \ - %preun server - %systemd_preun sshd.service sshd.socket - --%postun server --%systemd_postun_with_restart sshd.service -- - %files - %defattr(-,root,root) - %{!?_licensedir:%global license %%doc} -@@ -784,8 +781,6 @@ getent passwd sshd >/dev/null || \ - %attr(0644,root,root) %{_unitdir}/sshd.socket - %attr(0644,root,root) %{_unitdir}/sshd-keygen.service - --%files server-sysvinit --%defattr(-,root,root) - %attr(0755,root,root) /etc/rc.d/init.d/sshd - %endif - --- -2.7.4 - diff --git a/base/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch b/base/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch deleted file mode 100644 index 91af3edd1..000000000 --- a/base/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 857b95ac924a980c60d894148d3c5d41aca8447d Mon Sep 17 00:00:00 2001 -From: Andy Ning -Date: Thu, 22 Mar 2018 11:45:26 -0400 -Subject: [PATCH] CGTS-9265: patch to harden server and client config - -Replace the hardcoded sshd_config and ssh_config files with patches -to openssh. - -Signed-off-by: Andy Ning ---- - SPECS/openssh.spec | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec -index 442261e..c62e6c8 100644 ---- a/SPECS/openssh.spec -+++ b/SPECS/openssh.spec -@@ -251,6 +251,9 @@ Patch959: openssh-7.4p1-authorized_keys_command.patch - # Fix for CVE-2017-15906 (#1517226) - Patch960: openssh-7.5p1-sftp-empty-files.patch - -+# WRS: harden server and client config -+Patch1000: harden-server-and-client-config.patch -+ - License: BSD - Group: Applications/Internet - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -@@ -511,6 +514,9 @@ popd - - %patch100 -p1 -b .coverity - -+# WRS -+%patch1000 -p1 -b .harden -+ - %if 0 - # Nothing here yet - %endif --- -2.7.4 - diff --git a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch new file mode 100644 index 000000000..0a361ef97 --- /dev/null +++ b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch 
@@ -0,0 +1,54 @@
+From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 15:32:16 -0400
+Subject: spec-include-TiS-changes.patch
+
+Signed-off-by: zhipengl
+---
+ SPECS/openssh.spec | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
+index 0a91b56..bbae9d7 100644
+--- a/SPECS/openssh.spec
++++ b/SPECS/openssh.spec
+@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
+ Patch959: openssh-7.4p1-authorized_keys_command.patch
+ # Fix for CVE-2017-15906 (#1517226)
+ Patch960: openssh-7.5p1-sftp-empty-files.patch
++# WRS: harden server and client config
++Patch1000: harden-server-and-client-config.patch
+ 
+ License: BSD
+ Group: Applications/Internet
+@@ -510,6 +512,8 @@ popd
+ %patch700 -p1 -b .fips
+ 
+ %patch100 -p1 -b .coverity
++# WRS
++%patch1000 -p1 -b .harden
+ 
+ %if 0
+ # Nothing here yet
+@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
+ %preun server
+ %systemd_preun sshd.service sshd.socket
+ 
+-%postun server
+-%systemd_postun_with_restart sshd.service
+-
+ %files
+ %defattr(-,root,root)
+ %{!?_licensedir:%global license %%doc}
+@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
+ %attr(0644,root,root) %{_unitdir}/sshd.socket
+ %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+ 
+-%files server-sysvinit
+-%defattr(-,root,root)
+ %attr(0755,root,root) /etc/rc.d/init.d/sshd
+ %endif
+ 
+--
+1.8.3.1
+
diff --git a/base/openssh/centos/meta_patches/sshd-pam-use-common-includes.patch b/base/openssh/centos/meta_patches/sshd-pam-use-common-includes.patch
deleted file mode 100644
index ada8bfc94..000000000
--- a/base/openssh/centos/meta_patches/sshd-pam-use-common-includes.patch
+++ /dev/null
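Review bot: The nested `@@ -719,9 +723,6 @@` hunk removes `%postun server` and `%systemd_postun_with_restart sshd.service` from openssh.spec, so upgrading openssh-server no longer restarts sshd and a newly installed server binary keeps serving from the old process until something else restarts it; if that is intended because the daemon is driven through the init script, the meta patch body should say so and name what performs the restart after a security update. The header reuses `From 788beea32cfa09f61c27db117ec3b3b0500fbad8` and the 2017 author and date from the deleted openssh-spec-file-add-init.patch even though the content now also carries the Patch1000 hardening hunks under a new sign-off; regenerating the header with git format-patch would avoid misleading provenance. `Patch1000: harden-server-and-client-config.patch` references a source file that is not part of this change, so the commit message should state where it already lives.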
@@ -1,58 +0,0 @@ -From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 15:32:15 -0400 -Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch - ---- - SOURCES/sshd.pam | 38 +++++++++++++++++++++----------------- - 1 file changed, 21 insertions(+), 17 deletions(-) - -diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam -index 0f5c061..72303eb 100644 ---- a/SOURCES/sshd.pam -+++ b/SOURCES/sshd.pam -@@ -1,20 +1,24 @@ - #%PAM-1.0 --auth required pam_sepermit.so --auth substack password-auth --auth include postlogin --# Used with polkit to reauthorize users in remote sessions ---auth optional pam_reauthorize.so prepare -+ -+auth include common-auth - account required pam_nologin.so --account include password-auth --password include password-auth --# pam_selinux.so close should be the first session rule --session required pam_selinux.so close --session required pam_loginuid.so --# pam_selinux.so open should only be followed by sessions to be executed in the user context --session required pam_selinux.so open env_params --session required pam_namespace.so -+ -+# SELinux needs to be the first session rule. This ensures that any -+# lingering context has been cleared. Without out this it is possible -+# that a module could execute code in the wrong domain. -+# When the module is present, "required" would be sufficient (When SELinux -+# is disabled, this returns success.) 
-+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close -+ -+account include common-account -+password include common-password - session optional pam_keyinit.so force revoke --session include password-auth --session include postlogin --# Used with polkit to reauthorize users in remote sessions ---session optional pam_reauthorize.so prepare -+session include common-session -+session required pam_loginuid.so -+ -+# SELinux needs to intervene at login time to ensure that the process -+# starts in the proper default security context. Only sessions which are -+# intended to run in the user's context should be run after this. -+# When the module is present, "required" would be sufficient (When SELinux -+# is disabled, this returns success.) -+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open --- -1.9.1 - diff --git a/centos_iso_image.inc b/centos_iso_image.inc index 086e527c0..52fc021b5 100644 --- a/centos_iso_image.inc +++ b/centos_iso_image.inc @@ -187,6 +187,7 @@ dhcp-config openssh openssh-clients openssh-server +openssh-config # facter facter diff --git a/centos_pkg_dirs b/centos_pkg_dirs index f1b80a530..7eabfd567 100644 --- a/centos_pkg_dirs +++ b/centos_pkg_dirs @@ -10,6 +10,7 @@ filesystem/nfs-utils-config base/dhcp base/dhcp-config base/openssh +base/openssh-config config/facter virt/qemu filesystem/nfscheck