openssh/openssh-7.7p1-redhat.patch

diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh/ssh_config.redhat	2020-02-11 23:28:35.000000000 +0100
+++ openssh/ssh_config	2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,10 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+#
+# This system is following system-wide crypto policy.
+# To modify the crypto properties (Ciphers, MACs, ...), create a  *.conf
+#  file under  /etc/ssh/ssh_config.d/  which will be automatically
+# included below. For more information, see manual page for
+#  update-crypto-policies(8)  and  ssh_config(5).
+Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat	2020-02-13 18:13:39.180641839 +0100
+++ openssh/ssh_config_redhat	2020-02-13 18:13:39.180641839 +0100
@@ -0,0 +1,21 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
+	# Follow system-wide Crypto Policy, if defined:
+	Include /etc/crypto-policies/back-ends/openssh.config
+
+	GSSAPIAuthentication yes
+
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+	ForwardX11Trusted yes
+
+# Send locale-related environment variables
+	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+	SendEnv XMODIFIERS
+
+# Uncomment this if you want to use .local domain
+# Host *.local
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
--- openssh/sshd_config.0.redhat	2020-02-12 14:30:04.000000000 +0100
+++ openssh/sshd_config.0	2020-02-13 18:13:39.181641855 +0100
@@ -970,9 +970,9 @@ DESCRIPTION
 
      SyslogFacility
              Gives the facility code that is used when logging messages from
-             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
-             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
-             default is AUTH.
+             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+             The default is AUTH.
 
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
--- openssh/sshd_config.5.redhat	2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config.5	2020-02-13 18:13:39.181641855 +0100
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
diff -up openssh/sshd_config.redhat openssh/sshd_config
--- openssh/sshd_config.redhat	2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config	2020-02-13 18:20:16.349913681 +0100
@@ -10,6 +10,10 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -114,3 +118,7 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+
+# To modify the system-wide sshd configuration, create a  *.conf  file under
+#  /etc/ssh/sshd_config.d/  which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,28 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect here.
+# They will be overridden by command-line options passed to the server
+# on command line.
+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
+
+SyslogFacility AUTHPRIV
+
+PasswordAuthentication yes
+ChallengeResponseAuthentication no
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+UsePAM yes
+
+X11Forwarding yes
+
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`diff -up openssh/ssh_config.redhat openssh/ssh_config`
			`--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100`
			`+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100`
Simplify references to crypto policies in configuration files (#1812854) 2020-03-16 10:02:42 +00:00			`@@ -43,3 +43,10 @@`
Comments for patches, merge ssh_config from localdomain to redhat patch (ssh_config related) 2016-06-03 14:22:59 +00:00			`# VisualHostKey no`
			`# ProxyCommand ssh -q -W %h:%p gateway.example.com`
			`# RekeyLimit 1G 1h`
			`+#`
Simplify references to crypto policies in configuration files (#1812854) 2020-03-16 10:02:42 +00:00			`+# This system is following system-wide crypto policy.`
			`+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf`
			`+# file under /etc/ssh/ssh_config.d/ which will be automatically`
			`+# included below. For more information, see manual page for`
			`+# update-crypto-policies(8) and ssh_config(5).`
Create include directory with example content (redhat modifications) 2016-08-04 08:57:32 +00:00			`+Include /etc/ssh/ssh_config.d/*.conf`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat`
			`--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100`
			`+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100`
Enclose redhat specific configuration with Match final block This allows users to specify options in user configuration files overwriting the defaults we propose without ovewriting them in the shipped configuration file and without opting out from the crypto policy altogether. Resolves: rhbz#1438326 rhbz#1630166 2019-01-23 14:35:07 +00:00			`@@ -0,0 +1,21 @@`
			`+# The options here are in the "Match final block" to be applied as the last`
			`+# options and could be potentially overwritten by the user configuration`
			`+Match final all`
			`+ # Follow system-wide Crypto Policy, if defined:`
			`+ Include /etc/crypto-policies/back-ends/openssh.config`
Include client Crypto Policy (#1225752) 2016-09-29 09:26:06 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+ GSSAPIAuthentication yes`
Create include directory with example content (redhat modifications) 2016-08-04 08:57:32 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+# If this option is set to yes then remote X11 clients will have full access`
			`+# to the original X11 display. As virtually no X11 client supports the untrusted`
			`+# mode correctly we set this to yes.`
			`+ ForwardX11Trusted yes`
Create include directory with example content (redhat modifications) 2016-08-04 08:57:32 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+# Send locale-related environment variables`
rebase for openssh-6.3p1, remove unused patches (#1007769) 2013-10-14 13:54:41 +00:00			`+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES`
			`+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE`
			`+ SendEnv XMODIFIERS`
Enclose redhat specific configuration with Match final block This allows users to specify options in user configuration files overwriting the defaults we propose without ovewriting them in the shipped configuration file and without opting out from the crypto policy altogether. Resolves: rhbz#1438326 rhbz#1630166 2019-01-23 14:35:07 +00:00			`+`
			`+# Uncomment this if you want to use .local domain`
			`+# Host *.local`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0`
			`--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100`
			`+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100`
			`@@ -970,9 +970,9 @@ DESCRIPTION`
rebase to openssh-7.4p1-1 * Drop unaccepted (unapplying) coverity patches * Drop server support for SSH1 (server) * Workaround #2641 for systemd * UseLogin is gone * Drop upstream commit 28652bca * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288) 2017-01-02 14:42:13 +00:00
			`SyslogFacility`
			`Gives the facility code that is used when logging messages from`
			`- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,`
			`- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The`
			`- default is AUTH.`
			`+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,`
			`+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.`
			`+ The default is AUTH.`

			`TCPKeepAlive`
			`Specifies whether the system should send TCP keepalive messages`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5`
			`--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100`
			`+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100`
			`@@ -1614,7 +1614,7 @@ By default no subsystems are defined.`
rebase to openssh-7.4p1-1 * Drop unaccepted (unapplying) coverity patches * Drop server support for SSH1 (server) * Workaround #2641 for systemd * UseLogin is gone * Drop upstream commit 28652bca * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288) 2017-01-02 14:42:13 +00:00			`.It Cm SyslogFacility`
			`Gives the facility code that is used when logging messages from`
			`.Xr sshd 8 .`
			`-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,`
			`+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,`
			`LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.`
			`The default is AUTH.`
			`.It Cm TCPKeepAlive`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`diff -up openssh/sshd_config.redhat openssh/sshd_config`
			`--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100`
			`+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100`
Do not extensively modify sshd_config -- DSA keys are not loaded for some time already 2019-11-19 12:16:28 +00:00			`@@ -10,6 +10,10 @@`
add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400) 2012-10-26 14:34:55 +00:00			`# possible, but leave them commented. Uncommented options override the`
			`# default value.`

			`+# If you want to change the port on a SELinux system, you have to tell`
			`+# SELinux about this change.`
			`+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER`
			`+#`
			`#Port 22`
			`#AddressFamily any`
			`#ListenAddress 0.0.0.0`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server`
			`# AllowTcpForwarding no`
			`# PermitTTY no`
			`# ForceCommand cvs server`
			`+`
Simplify references to crypto policies in configuration files (#1812854) 2020-03-16 10:02:42 +00:00			`+# To modify the system-wide sshd configuration, create a *.conf file under`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`+# /etc/ssh/sshd_config.d/ which will be automatically included below`
			`+Include /etc/ssh/sshd_config.d/*.conf`
			`diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat`
			`--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100`
			`+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100`
Simplify references to crypto policies in configuration files (#1812854) 2020-03-16 10:02:42 +00:00			`@@ -0,0 +1,28 @@`
Disable manual reading of MOTD by default 2018-07-03 09:26:01 +00:00			`+# This system is following system-wide crypto policy. The changes to`
Simplify references to crypto policies in configuration files (#1812854) 2020-03-16 10:02:42 +00:00			`+# crypto properties (Ciphers, MACs, ...) will not have any effect here.`
			`+# They will be overridden by command-line options passed to the server`
			`+# on command line.`
			`+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).`
Another approach for crypto policies (#1479271) 2017-08-09 13:14:13 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+SyslogFacility AUTHPRIV`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+PasswordAuthentication yes`
			`+ChallengeResponseAuthentication no`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+GSSAPIAuthentication yes`
don't clean up gssapi credentials by default (#1055016) 2014-02-26 16:08:07 +00:00			`+GSSAPICleanupCredentials no`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+UsePAM yes`
openssh-8.2p1-1 + 0.10.3-9 2020-02-17 10:57:13 +00:00			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+X11Forwarding yes`
Disable manual reading of MOTD by default 2018-07-03 09:26:01 +00:00			`+`
Reference the correct file in configuration file (#1643274) 2018-10-26 12:02:32 +00:00			`+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,`
Disable manual reading of MOTD by default 2018-07-03 09:26:01 +00:00			`+# as it is more configurable and versatile than the built-in version.`
			`+PrintMotd no`
			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+# Accept locale-related environment variables`
			`+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES`
			`+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT`
			`+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE`
			`+AcceptEnv XMODIFIERS`
			`+`