From 8e1394dd94db64b52518d834415ca585592c6c4d Mon Sep 17 00:00:00 2001
From: Kent Peacock
Date: Aug 24 2022 20:37:41 +0000
Subject: Make recommended changes from review.
---
diff --git a/openssh.spec b/openssh.spec
index 3160fb7..806a78c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,5 +1,3 @@
-%global facebook_dev 0
-
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
@@ -7,6 +5,10 @@
 %global WITH_SELINUX 0
 %endif
+# Useful development mode for porting patches from
+# a different release
+%global use_quilt 0
+
 %global _hardened_build 1
 # OpenSSH privilege separation requires a user & group ID
@@ -54,7 +56,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
 %global openssh_rel 19
-%global hyperscale_rel 2
+%global hyperscale_rel 3
 %global facebook_rel fb1
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
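Review bot: The comment added above `%global use_quilt 0` does not say that setting it to 1 changes where the Meta patches come from: the `Patch2010`–`Patch2019` declarations and their `%patch` steps are skipped, and `%prep` instead symlinks `../../fbpatches` and runs `quilt push -a` (the hunks at -264, -482 and -495). A package built in that mode would apparently take its patch set from the quilt series in a directory that the spec does not declare as a source, so the comment should mark the switch as development-only, e.g. `# Development only, keep 0 for release builds: 1 applies fbpatches via quilt instead of the Patch2010-2019 entries`. Whether `quilt` is declared as a build dependency for that mode is not visible in this diff and is worth confirming.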
@@ -264,16 +266,32 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
 # c9s specific logic factored out of openssh-7.7p1-fips.patch
 Patch2000: openssh-7.7p1-fips-warning.patch
-%if %{facebook} && !%{facebook_dev}
+%if %{facebook} && !%{use_quilt}
+# Add a unique log session identifier to output messages for
+# each sshd process and its children.
 Patch2010: fbpatches/fb87_log_session_id.patch
+# Add structured logging
 Patch2011: fbpatches/fb87_slog.patch
+# Add a log entry when a session is started over a local forward port.
 Patch2012: fbpatches/fb87_log_port_forwards.patch
+# Add a log line when a session is started over a reverse port forward.
 Patch2013: fbpatches/fb87_070_logging_reverse_port_forward.patch
+# Increase ssh cert max principals from 256 to 1024.
 Patch2014: fbpatches/fb87_810_increase_ssh_cert_max_principals.patch
+# Output a line in the logs showing the command run, or shell request
+# and the user.
 Patch2015: fbpatches/fb87_090_logging_shell_cmd_pty.patch
+# Output a line in the logs showing which principal was matched when
+# certificate authentication was used.
 Patch2016: fbpatches/fb87_080_logging_certificates.patch
+# Add verbose logging for setting env variables.
 Patch2017: fbpatches/fb87_log_accept_env.patch
+# Set an environment variable SSH_CERT_PRINCIPALS in the child process
+# to be the full principal list of a user's SSH certificate when forced
+# ommand is present and the user is authenticated by the certificate.
 Patch2018: fbpatches/fb87_pass_principals_to_child.patch
+# Log extra authenticaton informatino to the auth_info structured
+# logging field, and add tests for pubkey and cert auth.
 Patch2019: fbpatches/fb87_log_auth_info.patch
 %endif
@@ -482,7 +500,7 @@ popd
 %patch100 -p1 -b .coverity
-%if %{facebook} && !%{facebook_dev}
+%if %{facebook} && !%{use_quilt}
 %patch2010 -p1 -b log_session_id
 %patch2011 -p1 -b slog
 %patch2012 -p1 -b log_port_forwards
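Review bot: Two of the added patch comments contain typos that will defeat a search for the feature they describe: `# ommand is present and the user is authenticated by the certificate.` should start `# command is present`, and `# Log extra authenticaton informatino to the auth_info structured` should read `authentication information`. The comments for `Patch2015` (logs the command run) and `Patch2017` (verbose logging when env variables are set) would also benefit from stating whether argument and variable values are written to the log or only their names, since command lines and environment values can carry credentials into log storage; the patch bodies are not part of this diff, so this is a question rather than a finding. For `Patch2014`, a one-line reason for raising the principal limit from 256 to 1024 would help the next reviewer judge the change.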
@@ -495,7 +513,7 @@ popd
 %patch2019 -p1 -b log_auth_info
 %endif
-%if %{facebook} && %{facebook_dev}
+%if %{facebook} && %{use_quilt}
 ln -sf ../../fbpatches patches
 quilt push -a
 %endif
@@ -777,6 +795,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Wed Aug 24 2022 Kent Peacock 8.7p1-19.3 + 0.10.4-5.2
+- Set up local developer strategy using quilt and incorporate Meta patches
+
 * Wed Jul 20 2022 Davide Cavalca - 8.7p1-19.2 + 0.10.4-5.2
 - Refactor and reinstate FIPS patch for el8