From 470ebd7abcd41c17607441ff2d34697c22cf78c5 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Oct 26 2012 14:34:55 +0000 Subject: add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400) --- diff --git a/openssh-5.9p1-redhat.patch b/openssh-5.9p1-redhat.patch deleted file mode 100644 index 6a564de..0000000 --- a/openssh-5.9p1-redhat.patch +++ /dev/null @@ -1,106 +0,0 @@ -diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config ---- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 -+++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100 -@@ -45,3 +45,14 @@ - # PermitLocalCommand no - # VisualHostKey no - # ProxyCommand ssh -q -W %h:%p gateway.example.com -+Host * -+ GSSAPIAuthentication yes -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+ SendEnv XMODIFIERS -diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config ---- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100 -+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100 -@@ -32,6 +32,7 @@ - # Logging - # obsoletes QuietMode and FascistLogging - #SyslogFacility AUTH -+SyslogFacility AUTHPRIV - #LogLevel INFO - - # Authentication: -@@ -65,9 +66,11 @@ AuthorizedKeysFile .ssh/authorized_keys - # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no -+PasswordAuthentication yes - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no -@@ -77,7 +80,9 @@ AuthorizedKeysFile .ssh/authorized_keys - - # GSSAPI options - #GSSAPIAuthentication no -+GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes -+GSSAPICleanupCredentials yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. - #UsePAM no -+UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes - #GatewayPorts no - #X11Forwarding no -+X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PrintMotd yes -@@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # no default banner path - #Banner none - -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+AcceptEnv XMODIFIERS -+ - # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - -diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0 ---- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100 -+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100 -@@ -581,9 +581,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The -- default is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100 -+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100 -@@ -1019,7 +1019,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive diff --git a/openssh-6.1p1-redhat.patch b/openssh-6.1p1-redhat.patch new file mode 100644 index 0000000..a1fa0e5 --- /dev/null +++ b/openssh-6.1p1-redhat.patch @@ -0,0 +1,117 @@ +diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config +--- openssh-6.1p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-6.1p1/ssh_config 2012-10-26 16:28:51.820340584 +0200 +@@ -45,3 +45,14 @@ + # PermitLocalCommand no + # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com ++Host * ++ GSSAPIAuthentication yes ++# If this option is set to yes then remote X11 clients will have full access ++# to the original X11 display. As virtually no X11 client supports the untrusted ++# mode correctly we set this to yes. ++ ForwardX11Trusted yes ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS +diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0 +--- openssh-6.1p1/sshd_config.0.redhat 2012-10-26 16:28:51.762340584 +0200 ++++ openssh-6.1p1/sshd_config.0 2012-10-26 16:28:51.821340584 +0200 +@@ -583,9 +583,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5 +--- openssh-6.1p1/sshd_config.5.redhat 2012-10-26 16:28:51.763340584 +0200 ++++ openssh-6.1p1/sshd_config.5 2012-10-26 16:28:51.822340584 +0200 +@@ -1015,7 +1015,7 @@ Note that this option applies to protoco + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . +-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive +diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config +--- openssh-6.1p1/sshd_config.redhat 2012-10-26 16:28:51.819340584 +0200 ++++ openssh-6.1p1/sshd_config 2012-10-26 16:31:44.773340564 +0200 +@@ -10,6 +10,10 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# If you want to change the port on a SELinux system, you have to tell ++# SELinux about this change. ++# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER ++# + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -32,6 +36,7 @@ + # Logging + # obsoletes QuietMode and FascistLogging + #SyslogFacility AUTH ++SyslogFacility AUTHPRIV + #LogLevel INFO + + # Authentication: +@@ -67,9 +72,11 @@ AuthorizedKeysFile .ssh/authorized_keys + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + #PermitEmptyPasswords no ++PasswordAuthentication yes + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes ++ChallengeResponseAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -79,7 +86,9 @@ AuthorizedKeysFile .ssh/authorized_keys + + # GSSAPI options + #GSSAPIAuthentication no ++GSSAPIAuthentication yes + #GSSAPICleanupCredentials yes ++GSSAPICleanupCredentials yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +@@ -91,11 +100,13 @@ AuthorizedKeysFile .ssh/authorized_keys + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. + #UsePAM no ++UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no + #X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes +@@ -117,6 +128,12 @@ UsePrivilegeSeparation sandbox # Defaul + # no default banner path + #Banner none + ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++AcceptEnv XMODIFIERS ++ + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + diff --git a/openssh.spec b/openssh.spec index e14ea9c..81a6b15 100644 --- a/openssh.spec +++ b/openssh.spec @@ -184,7 +184,7 @@ Patch705: openssh-5.1p1-scp-manpage.patch #? Patch706: openssh-5.8p1-localdomain.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-5.9p1-redhat.patch +Patch707: openssh-6.1p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) Patch708: openssh-6.0p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)