Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-01-26 14:45:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Tue Jan 26 14:45:54 2021 rev:148 rq:866401 version:8.4p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-19 
16:00:54.711263653 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes       
2021-01-26 14:49:43.407675456 +0100
@@ -1,0 +2,32 @@
+Sat Jan 23 18:28:19 UTC 2021 - Hans Petter Jansson <h...@suse.com>
+
+- Add openssh-fix-ssh-copy-id.patch, which fixes breakage
+  introduced in 8.4p1 (bsc#1181311).
+
+-------------------------------------------------------------------
+Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson <h...@suse.com>
+
+- Improve robustness of sshd init detection when upgrading from
+  a pre-systemd distribution.
+
+-------------------------------------------------------------------
+Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson <h...@suse.com>
+
+- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
+  diffie-hellman-group14-sha1 key exchange back to the default
+  list (bsc#1180958). This is needed for backwards compatibility
+  with older platforms.
+
+-------------------------------------------------------------------
+Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <h...@suse.com>
+
+- Make sure sshd is enabled correctly when upgrading from a
+  pre-systemd distribution (bsc#1180083).
+
+-------------------------------------------------------------------
+Mon Jan 18 11:04:41 UTC 2021 - Thorsten Kukuk <ku...@suse.com>
+
+- sysusers-sshd.conf: use sysusers.d configuration file to create
+  sshd user (avoid hard dependency on shadow).
+
+-------------------------------------------------------------------

New:
----
  openssh-fix-ssh-copy-id.patch
  openssh-reenable-dh-group14-sha1-default.patch
  sysusers-sshd.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.vDHfiZ/_old  2021-01-26 14:49:44.487676928 +0100
+++ /var/tmp/diff_new_pack.vDHfiZ/_new  2021-01-26 14:49:44.487676928 +0100
@@ -58,6 +58,7 @@
 Source11:       README.FIPS
 Source12:       cavs_driver-ssh.pl
 Source13:       
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
+Source14:       sysusers-sshd.conf
 Patch0:         openssh-7.7p1-allow_root_password_login.patch
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
@@ -107,6 +108,8 @@
 Patch40:        openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41:        openssh-fips-ensure-approved-moduli.patch
 Patch42:        openssh-link-with-sk.patch
+Patch43:        openssh-reenable-dh-group14-sha1-default.patch
+Patch44:        openssh-fix-ssh-copy-id.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -119,6 +122,8 @@
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(libfido2)
 BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 Requires:       %{name}-clients = %{version}-%{release}
 Requires:       %{name}-server = %{version}-%{release}
 %if %{with tirpc}
@@ -129,6 +134,8 @@
 %else
 BuildRequires:  krb5-mini-devel
 %endif
+Requires(pre):  findutils
+Requires(pre):  grep
 
 %description
 SSH (Secure Shell) is a program for logging into and executing commands
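Review bot: `Requires(pre)` gains `findutils` and `grep` here and again in the server subpackage hunk, but the new scriptlet code also calls `readlink -f` and `mkdir -p`, which neither addition covers. If coreutils is not already guaranteed to be installed before `%pre` runs, `Requires(pre):  coreutils` belongs next to them. A short comment such as `# find, grep and readlink are used by the SysV enablement check in %%pre` would also tell the next maintainer why these are needed.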
@@ -166,10 +173,12 @@
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
 Recommends:     audit
-Requires(pre):  shadow
+Requires(pre):  findutils
+Requires(pre):  grep
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:       openssh:%{_sbindir}/sshd
+%sysusers_requires
 
 %description server
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -287,6 +296,7 @@
     --target=%{_target_cpu}-suse-linux
 
 %make_build
+%sysusers_generate_pre %{SOURCE14} sshd
 
 %install
 %make_install
@@ -322,6 +332,10 @@
 # sshd keys generator wrapper
 install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 
+# Install sysusers.d config for sshd user
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
+
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
@@ -346,24 +360,29 @@
 # %%service_add_post scriptlet (in %%post server) will see it as a new service
 # and apply the preset, disabling it. We need to reenable it afterwards if
 # necessary.
+mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
-    mkdir -p %{_tmpenableddir} || :
     %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+else
+    if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
+        -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
+    then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 
-%pre server
-getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
-getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d 
%{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
+%pre server -f sshd.pre
 %if %{defined _distconfdir}
 # move outdated pam.d/*.rpmsave file away
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave 
/etc/pam.d/sshd.rpmsave.old ||:
 %endif
 
-
 # See %%pre.
+mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
-    mkdir -p %{_tmpenableddir} || :
     %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+else
+    if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
+        -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
+    then echo "enabled" > %{_tmpenabledfile} || :; fi
 fi
 
 %service_add_pre sshd.service
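Review bot: In the new `else` branch of both `%pre` and `%pre server`, the `>/dev/null 2>&1` applies only to `grep`, so `find` still writes an error into the transaction output when `rc[35].d` matches no directory; adding `2>/dev/null` to the `find` command would keep the scriptlet quiet. The `grep` pattern hard-codes `/etc/init.d/sshd$` while the `find` path uses `%{_sysconfdir}`, so using the macro in both keeps them in step, and `grep -q` would replace the redirect. `%{_tmpenableddir}` and `%{_tmpenabledfile}` are defined outside this hunk; since both scriptlets write there as root, it is worth confirming the directory is not writable by other users. The two blocks are identical and could share one macro so they cannot drift apart.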
@@ -434,6 +453,7 @@
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
+%attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*


++++++ openssh-fix-ssh-copy-id.patch ++++++
>From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
From: Oleg <fall...@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id

---
 contrib/ssh-copy-id | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f94..a76907717 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
   #    the -z `tail ...` checks for a trailing newline. The echo adds one if 
was missing
   #    the cat adds the keys we're getting via STDIN
   #    and if available restorecon is used to restore the SELinux context
-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
        cd;
        umask 077;
        mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
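Review bot: Nothing in the script explains why the closing `)` of `INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF` now sits on its own line after `EOF` (second hunk), and it looks like something a later tidy-up would fold back onto the first line. A one-line comment above the assignment, e.g. `# keep the closing ")" after the here-doc terminator; "<<-EOF)" gave "EOF: command not found"`, would record the reason given in the commit subject. `installkeys_sh` starts and ends outside both hunks.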
@@ -258,6 +258,7 @@ installkeys_sh() {
          restorecon -F .ssh ${AUTH_KEY_FILE};
        fi
 EOF
+  )
 
   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++
diff --git a/myproposal.h b/myproposal.h
index 5312e60..83fd62d 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -33,7 +33,8 @@
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group16-sha512," \
        "diffie-hellman-group18-sha512," \
-       "diffie-hellman-group14-sha256"
+       "diffie-hellman-group14-sha256," \
+       "diffie-hellman-group14-sha1"
 
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 
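Review bot: The added `diffie-hellman-group14-sha1` entry also changes the client default, because `KEX_CLIENT_KEX` is defined as `KEX_SERVER_KEX` two lines below, so both `ssh` and `sshd` offer a SHA-1 based key exchange again. Placing it last keeps it the least preferred choice, but nothing in the source says why it is there. A comment above the list such as `/* SUSE: group14-sha1 kept last, for legacy peers only (bsc#1180958) */` would stop it being reordered or silently kept forever on the next rebase. The ssh_config.5 and sshd_config.5 hunks could add one sentence saying it can be turned off with `KexAlgorithms -diffie-hellman-group14-sha1`. The start of the list definition (presumably `KEX_SERVER_KEX`) is outside the hunk.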
diff --git a/ssh_config.5 b/ssh_config.5
index d5888f2..100563e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group16-sha512,
 diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,
+diffie-hellman-group14-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using
diff --git a/sshd_config.5 b/sshd_config.5
index 0f5fe53..97364f5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha...@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using

++++++ sysusers-sshd.conf ++++++
# Type Name ID GECOS [HOME]
u sshd - "SSH daemon" /var/lib/sshd
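Review bot: The `u sshd` line leaves the login shell implicit, whereas the `useradd` call removed from `%pre server` in openssh.spec passed `-s /bin/false` explicitly. The sysusers default should be a non-login shell, but that is worth confirming for the sysuser-shadow path pulled in at build time. A comment such as `# no shell field on purpose: the sshd account must not get a login shell` would record the intent. Accounts created by earlier package versions are presumably left unchanged.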
