Refactor patches for openssh package

Use openssh-config package to package config and service files
for openssh package.
Merge adding source patch and spec related change to one meta
patch named spec-include-Tis-chnages.patch.

Deployment test and ping test between VMs pass
Config files check pass.

Story: 2003768
Task: 27588

Change-Id: I77cd054707d11dace1c47e8477d0e30b69719a38
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
This commit is contained in:
zhipengl 2018-11-21 01:22:11 +08:00 committed by zhipeng liu
parent 2bd19e3f8f
commit 1c8c71654f
14 changed files with 145 additions and 179 deletions

View File

@ -0,0 +1,2 @@
SRC_DIR="files"
TIS_PATCH_VER=0

View File

@ -0,0 +1,40 @@
Summary: openssh-config
Name: openssh-config
Version: 1.0
Release: %{tis_patch_ver}%{?_tis_dist}
License: Apache-2.0
Group: base
Packager: StarlingX
URL: unknown
BuildArch: noarch
Source: %name-%version.tar.gz
Requires: %{_bindir}/systemctl
Requires: openssh
Summary: package StarlingX configuration files of openssh to system folder.
%description
package StarlingX configuration files of openssh to system folder.
%prep
%setup
%build
%install
%{__install} -d %{buildroot}%{_datadir}/starlingx
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
%post
%define _pamconfdir %{_sysconfdir}/pam.d
if [ $1 -eq 1 ] ; then
# Initial installation
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
fi
%{_bindir}/systemctl disable sshd.service > /dev/null 2>&1 || :
%files
%{_datadir}/starlingx/sshd.pam
%{_sysconfdir}/systemd/system/sshd.service

View File

@ -0,0 +1,24 @@
# WRSM-1.0
auth include common-auth
account required pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

View File

@ -0,0 +1,18 @@
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/etc/init.d/sshd start
ExecStop=/etc/init.d/sshd stop
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/var/run/sshd.pid
KillMode=none
#Restart=on-failure
#RestartSec=42s
[Install]
WantedBy=multi-user.target

View File

@ -1,14 +1,15 @@
From 4da56227f47a96f37eb0e46e0222f7e1d2f95c2b Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:16 -0400
Subject: [3/6] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Subject: 0001-Update-package-versioning-for-TIS-format.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
---
SPECS/openssh.spec | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index d10e73e..be83a63 100644
index 5c030bc..0a91b56 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -71,7 +71,7 @@
@ -30,5 +31,5 @@ index d10e73e..be83a63 100644
%description
--
2.7.4
1.8.3.1

View File

@ -1,6 +1,3 @@
sshd-pam-use-common-includes.patch
openssh-service-file.patch
openssh-spec-file-add-init.patch
0001-Update-package-versioning-for-TIS-format.patch
spec-include-TiS-changes.patch
openssh-init-script-kill-old-instances-on-start.patch
spec-harden-server-and-client-config.patch

View File

@ -29,4 +29,3 @@ index 8901b4f..cd8b4ab 100755
RETVAL=$?
--
1.9.1

View File

@ -1,38 +0,0 @@
From 136246c027dedb5c22c7a50ce8beebdecf85defe Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:15 -0400
Subject: [PATCH 3/7] WRS: openssh-service-file.patch
Conflicts:
SOURCES/sshd.service
---
SOURCES/sshd.service | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service
index af7845c..5cba529 100644
--- a/SOURCES/sshd.service
+++ b/SOURCES/sshd.service
@@ -5,13 +5,14 @@ After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
-Type=notify
EnvironmentFile=/etc/sysconfig/sshd
-ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecStart=/etc/init.d/sshd start
+ExecStop=/etc/init.d/sshd stop
ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-RestartSec=42s
+PIDFile=/var/run/sshd.pid
+KillMode=none
+#Restart=on-failure
+#RestartSec=42s
[Install]
WantedBy=multi-user.target
--
1.9.1

View File

@ -1,35 +0,0 @@
From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:16 -0400
Subject: [2/6] WRS: openssh-spec-file-add-init.patch
---
SPECS/openssh.spec | 5 -----
1 file changed, 5 deletions(-)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index e137156..d10e73e 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -719,9 +719,6 @@ getent passwd sshd >/dev/null || \
%preun server
%systemd_preun sshd.service sshd.socket
-%postun server
-%systemd_postun_with_restart sshd.service
-
%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
@@ -784,8 +781,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-%files server-sysvinit
-%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif
--
2.7.4

View File

@ -1,40 +0,0 @@
From 857b95ac924a980c60d894148d3c5d41aca8447d Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Thu, 22 Mar 2018 11:45:26 -0400
Subject: [PATCH] CGTS-9265: patch to harden server and client config
Replace the hardcoded sshd_config and ssh_config files with patches
to openssh.
Signed-off-by: Andy Ning <andy.ning@windriver.com>
---
SPECS/openssh.spec | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 442261e..c62e6c8 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -251,6 +251,9 @@ Patch959: openssh-7.4p1-authorized_keys_command.patch
# Fix for CVE-2017-15906 (#1517226)
Patch960: openssh-7.5p1-sftp-empty-files.patch
+# WRS: harden server and client config
+Patch1000: harden-server-and-client-config.patch
+
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -511,6 +514,9 @@ popd
%patch100 -p1 -b .coverity
+# WRS
+%patch1000 -p1 -b .harden
+
%if 0
# Nothing here yet
%endif
--
2.7.4

View File

@ -0,0 +1,54 @@
From 788beea32cfa09f61c27db117ec3b3b0500fbad8 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:16 -0400
Subject: spec-include-TiS-changes.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
---
SPECS/openssh.spec | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 0a91b56..bbae9d7 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
Patch959: openssh-7.4p1-authorized_keys_command.patch
# Fix for CVE-2017-15906 (#1517226)
Patch960: openssh-7.5p1-sftp-empty-files.patch
+# WRS: harden server and client config
+Patch1000: harden-server-and-client-config.patch
License: BSD
Group: Applications/Internet
@@ -510,6 +512,8 @@ popd
%patch700 -p1 -b .fips
%patch100 -p1 -b .coverity
+# WRS
+%patch1000 -p1 -b .harden
%if 0
# Nothing here yet
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
%preun server
%systemd_preun sshd.service sshd.socket
-%postun server
-%systemd_postun_with_restart sshd.service
-
%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-%files server-sysvinit
-%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif
--
1.8.3.1

View File

@ -1,58 +0,0 @@
From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:15 -0400
Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch
---
SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
index 0f5c061..72303eb 100644
--- a/SOURCES/sshd.pam
+++ b/SOURCES/sshd.pam
@@ -1,20 +1,24 @@
#%PAM-1.0
-auth required pam_sepermit.so
-auth substack password-auth
-auth include postlogin
-# Used with polkit to reauthorize users in remote sessions
--auth optional pam_reauthorize.so prepare
+
+auth include common-auth
account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
-session required pam_namespace.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account include common-account
+password include common-password
session optional pam_keyinit.so force revoke
-session include password-auth
-session include postlogin
-# Used with polkit to reauthorize users in remote sessions
--session optional pam_reauthorize.so prepare
+session include common-session
+session required pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
--
1.9.1

View File

@ -187,6 +187,7 @@ dhcp-config
openssh
openssh-clients
openssh-server
openssh-config
# facter
facter

View File

@ -10,6 +10,7 @@ filesystem/nfs-utils-config
base/dhcp
base/dhcp-config
base/openssh
base/openssh-config
config/facter
virt/qemu
filesystem/nfscheck