Preprocess the configuration files to include crypto policies.

* The services are using ExecPre to start sshd-pre script
 * The sshd-pre script substitutes a token in the standard configuration file and writes a new one in /run
 * The services are using a file in /run as a sshd_config
This commit is contained in:
Jakub Jelen 2017-07-11 15:41:09 +02:00
parent be108c2c82
commit 1d8ffcfe05
6 changed files with 71 additions and 26 deletions


@ -1,6 +1,6 @@
diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config diff -up openssh-7.5p1/ssh_config.redhat openssh-7.5p1/ssh_config
--- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.5p1/ssh_config.redhat 2017-03-20 03:39:27.000000000 +0100
+++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100 +++ openssh-7.5p1/ssh_config 2017-07-11 13:05:42.728031520 +0200
@@ -48,3 +48,7 @@ @@ -48,3 +48,7 @@
# VisualHostKey no # VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -9,9 +9,9 @@ diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
+# To modify the system-wide ssh configuration, create a *.conf file under +# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/ssh_config.d/ which will be automatically included below +# /etc/ssh/ssh_config.d/ which will be automatically included below
+Include /etc/ssh/ssh_config.d/*.conf +Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat diff -up openssh-7.5p1/ssh_config_redhat.redhat openssh-7.5p1/ssh_config_redhat
--- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100 --- openssh-7.5p1/ssh_config_redhat.redhat 2017-07-11 13:05:42.728031520 +0200
+++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100 +++ openssh-7.5p1/ssh_config_redhat 2017-07-11 13:05:42.728031520 +0200
@@ -0,0 +1,20 @@ @@ -0,0 +1,20 @@
+# Follow system-wide Crypto Policy, if defined: +# Follow system-wide Crypto Policy, if defined:
+Include /etc/crypto-policies/back-ends/openssh.config +Include /etc/crypto-policies/back-ends/openssh.config
@ -33,10 +33,10 @@ diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS + SendEnv XMODIFIERS
diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0 diff -up openssh-7.5p1/sshd_config.0.redhat openssh-7.5p1/sshd_config.0
--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100 --- openssh-7.5p1/sshd_config.0.redhat 2017-03-20 10:52:56.000000000 +0100
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100 +++ openssh-7.5p1/sshd_config.0 2017-07-11 13:05:42.728031520 +0200
@@ -837,9 +837,9 @@ DESCRIPTION @@ -850,9 +850,9 @@ DESCRIPTION
SyslogFacility SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
@ -49,10 +49,10 @@ diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
TCPKeepAlive TCPKeepAlive
Specifies whether the system should send TCP keepalive messages Specifies whether the system should send TCP keepalive messages
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5 diff -up openssh-7.5p1/sshd_config.5.redhat openssh-7.5p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.5p1/sshd_config.5.redhat 2017-03-20 03:39:27.000000000 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100 +++ openssh-7.5p1/sshd_config.5 2017-07-11 13:05:42.728031520 +0200
@@ -1393,7 +1393,7 @@ By default no subsystems are defined. @@ -1413,7 +1413,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
.Xr sshd 8 . .Xr sshd 8 .
@ -61,10 +61,10 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH. The default is AUTH.
.It Cm TCPKeepAlive .It Cm TCPKeepAlive
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config diff -up openssh-7.5p1/sshd_config.redhat openssh-7.5p1/sshd_config
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.5p1/sshd_config.redhat 2017-03-20 03:39:27.000000000 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100 +++ openssh-7.5p1/sshd_config 2017-07-11 13:10:44.967594004 +0200
@@ -10,21 +10,26 @@ @@ -10,21 +10,32 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -88,13 +88,19 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
+# System-wide Crypto policies:
+# The following macro will get expanded to the system-wide crypto policy
+# defaults. For more information, see manual page for update-crypto-policies(8).
+# To manually overwrite options defined here, write them BEFORE this block
+#{INCLUDE_CRYPTO_POLICY}#
+
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
#LogLevel INFO #LogLevel INFO
# Authentication: # Authentication:
@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -57,9 +68,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
@ -106,7 +112,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -68,8 +81,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no #KerberosGetAFSToken no
# GSSAPI options # GSSAPI options
@ -117,7 +123,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -80,12 +93,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
@ -132,7 +138,7 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -107,6 +120,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path # no default banner path
#Banner none #Banner none
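Review bot: The sshd_config hunk around the `#{INCLUDE_CRYPTO_POLICY}#` marker (the block added after `#RekeyLimit default none`) explains how the macro is expanded but not that `/etc/ssh/sshd_config` is now only a template which sshd-pre renders into `/run/openssh/sshd_config`; presumably an administrator who runs `sshd -t` or `sshd -T` by hand will validate the template, where the marker is just a comment, and never see the expanded policy. I would add one line to that comment block, e.g. `# NOTE: this file is a template; sshd-pre renders it to /run/openssh/sshd_config, which is what the service runs (test it with: sshd -t -f /run/openssh/sshd_config)`. The other hunks in this section only carry the 7.4p1 to 7.5p1 rebase of the patch headers.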


@ -90,6 +90,7 @@ Source12: sshd-keygen@.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: sshd.tmpfiles Source14: sshd.tmpfiles
Source15: sshd-keygen.target Source15: sshd-keygen.target
Source16: sshd-pre.sh
# Internal debug # Internal debug
Patch0: openssh-5.9p1-wIm.patch Patch0: openssh-5.9p1-wIm.patch
@ -155,7 +156,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=198332 #https://bugzilla.redhat.com/show_bug.cgi?id=198332
Patch703: openssh-4.3p2-askpass-grab-info.patch Patch703: openssh-4.3p2-askpass-grab-info.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.6p1-redhat.patch Patch707: openssh-7.5p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.6p1-entropy.patch Patch708: openssh-6.6p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@ -634,6 +635,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
mkdir -p -m755 $RPM_BUILD_ROOT/run/openssh
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
@ -652,6 +654,7 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m744 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
@ -750,10 +753,12 @@ getent passwd sshd >/dev/null || \
%if ! %{rescue} %if ! %{rescue}
%files server %files server
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_var}/empty/sshd
%dir %attr(0755,root,root) /run/openssh
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-pre
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sshd.8*
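Review bot: The new `install -m744 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre` line installs the script as 0744 while the `%files server` entry declares it `%attr(0755,root,root)`; %attr wins when the package is built, so this is not a defect, but the two lines disagree about the intended mode of an executable that two systemd units now depend on. `install -m755 %{SOURCE16} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-pre` would keep the install step and the %files entry consistent; the existing sshd-keygen line has the same mismatch and could be aligned in the same way.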

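--- /dev/null
+++ b/sshd-pre.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# simple helper script, which substitutes a token in configuration file with
+# system wide crypto policy, if installed. If not, this script just copies the
+# configuration file to the runtime file, that will be used by the SSHD daemon.
+SSHD_CONFIG="/etc/ssh/sshd_config"
+SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
+CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"
+if [ ! -f "$CRYPTO_POLICIES" ]; then
+# if not installed, copy just the template
+# (to overwrite potential old policy)
+cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
+else
+# do the substitution.
+sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
+"$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
+fi
+# XXX should be taken care of in SELinux somehow
+# set reasonable label if it gets the default (do not overwrite fixed)
+ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME
+# makes sure we have sane permissions as the original file has.
+chmod 600 $SSHD_CONFIG_RUNTIME
+# reload the service if requested
+if [ "$1" = "reload" ]; then
+/bin/kill -HUP $2
+fi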
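Review bot: The runtime config is written with a truncating `>` redirect under the default umask and only made 0600 by the `chmod 600 $SSHD_CONFIG_RUNTIME` near the end, so between those lines `/run/openssh/sshd_config` is both partially written and readable by every local user, and nothing checks that `cat` or `sed` succeeded — without `set -e` a failed sed leaves a truncated file and the script still exits 0, so `ExecStartPre` lets sshd start or reload against it. This matters most for sshd@.service, where the same script runs once per connection and can truncate the file while another instance is still reading it. Rendering into a private temp file in the same directory and renaming it into place closes both windows; the SELinux relabel and the reload branch can stay as they are. The `ls -Z ... | grep -q var_run_t` line also parses ls output, and quoting `"$SSHD_CONFIG_RUNTIME"` and `"$2"` in the last lines is cheap hardening.

```bash
set -e
umask 077
# render into a 0600 temp file next to the target, then rename it into place,
# so readers never see a partial or world-readable config
tmp=$(mktemp "$SSHD_CONFIG_RUNTIME.XXXXXX")
if [ ! -f "$CRYPTO_POLICIES" ]; then
  cat "$SSHD_CONFIG" > "$tmp"
else
  sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
    "$SSHD_CONFIG" > "$tmp"
fi
chmod 600 "$tmp"
mv -f -- "$tmp" "$SSHD_CONFIG_RUNTIME"
# … unchanged: SELinux relabel, reload branch …
```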


@ -7,8 +7,9 @@ Wants=sshd-keygen.target
[Service] [Service]
Type=notify Type=notify
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS ExecStartPre=/usr/libexec/openssh/sshd-pre
ExecReload=/bin/kill -HUP $MAINPID ExecStart=/usr/sbin/sshd -D $OPTIONS -f /run/openssh/sshd_config
ExecReload=/usr/libexec/openssh/sshd-pre reload $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
RestartSec=42s RestartSec=42s
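Review bot: `ExecReload=/usr/libexec/openssh/sshd-pre reload $MAINPID` re-renders the config and then HUPs sshd, but nothing validates the rendered file first, so an error in the crypto-policy include or in the template is only discovered when the running daemon re-reads `/run/openssh/sshd_config` after the signal. A second pre-start step after the sshd-pre line, `ExecStartPre=/usr/sbin/sshd -t -f /run/openssh/sshd_config`, would fail the unit before the daemon starts with a bad config, and the reload path could run the same check inside sshd-pre before sending the HUP. The same ExecStartPre applies to the sshd@.service hunk below.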


@ -1 +1,2 @@
d /var/empty/sshd 711 root root - d /var/empty/sshd 711 root root -
d /run/openssh 755 root root -


@ -6,5 +6,6 @@ After=sshd-keygen.target
[Service] [Service]
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS ExecStartPre=/usr/libexec/openssh/sshd-pre
ExecStart=-/usr/sbin/sshd -i $OPTIONS -f /run/openssh/sshd_config
StandardInput=socket StandardInput=socket