initial commit of file from CVS for e-smith-openssh on Thu Jul 13 12:50:02 AEST 2023

This commit is contained in:
Trevor Batley 2023-07-13 12:50:02 +10:00
parent 0990ad9bc0
commit 5b637d96ad
90 changed files with 2123 additions and 2 deletions

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
*.rpm
*.log
*spec-20*
*.tar.xz

21
Makefile Normal file
View File

@ -0,0 +1,21 @@
# Makefile for source rpm: e-smith-openssh
# $Id: Makefile,v 1.1 2016/02/05 22:15:50 stephdl Exp $
NAME := e-smith-openssh
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)

View File

@ -1,3 +1,17 @@
# e-smith-openssh # <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> e-smith-openssh
SMEServer Koozali developed git repo for e-smith-openssh smeserver SMEServer Koozali developed git repo for e-smith-openssh smeserver
## Wiki
<br />https://wiki.koozali.org/
## Bugzilla
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />
E-Smith-OpenSSH is an open source software package capable of providing secure remote access to a networked computer. It is capable of providing secure remote shell access, secure file transfer, secure tunneling and secure communications between two computers. Using this software, users can securely access remote servers, which can be extremely useful in network management and administration. It is also highly customizable, allowing users to configure the software to their specific needs. Additionally, E-Smith-OpenSSH is available for Windows, Linux, Mac OS X and other operating systems. This makes it an excellent choice for users who require secure remote access to their networks.

340
additional/COPYING Normal file
View File

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

View File

@ -0,0 +1,449 @@
Summary: e-smith module to configure and enable ssh
%define name e-smith-openssh
Name: %{name}
%define version 1.11.0
%define release 01
Version: %{version}
Release: %{release}
Copyright: GPL
Group: Networking/Daemons
Source: %{name}-%{version}.tar.gz
Packager: e-smith developers <bugs@e-smith.com>
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildRequires: e-smith-devtools
BuildArchitectures: noarch
Requires: e-smith, openssl,
Requires: openssh >= 3.5, openssh-clients, openssh-server
Requires: e-smith-lib >= 1.13.1-33
Requires: e-smith-test >= 0.1.6-01
Requires: perl-Test-Simple >= 0.42
AutoReqProv: no
%changelog
* Thu Aug 21 2003 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-01]
- Changing version to development stream number - 1.11.0
* Thu Jun 26 2003 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-01]
- Changing version to stable stream number - 1.10.0
* Mon Apr 21 2003 Mark Knox <markk@e-smith.com>
- [1.9.0-10]
- Enforce 0600 on sshd_config [markk 8407]
* Tue Apr 15 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.9.0-09]
- Add Compression and UsePrivilegeSeparation options [gordonr 8173]
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
- [1.9.0-08]
- Backed-out 1.9.0-07. [msoulier 5782]
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
- [1.9.0-07]
- Shut off tcp forwarding in the daemon. [msoulier 5782]
* Tue Apr 1 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.9.0-06]
- Actually reload ssh rather than restarting in sshd-reload [gordonr 7785]
* Tue Mar 18 2003 Lijie Deng <lijied@e-smith.com>
- [1.9.0-05]
- Deleted ./root/.ssh/config/template-begin [lijied 3295]
* Mon Mar 17 2003 Lijie Deng <lijied@e-smith.com>
- [1.9.0-04]
- Deleted template-begin/end file [lijied 3295]
* Tue Mar 4 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-03]
- s/HostsAllowSpec/hosts_allow_spec/ [charlieb 5650]
* Fri Feb 28 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-02]
- Re-do hosts.allow template to use esmith::ConfigDB::HostsAllowSpec.
Add dependency on up-to-date e-smith-lib. [charlieb 5650]
* Fri Feb 28 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-01]
- Roll development stream to 1.9.0
* Mon Feb 24 2003 Charlie Brady <charlieb@e-smith.com>
- [1.8.0-02]
- Allow MaxStartups to be tunable from the config DB [charlieb 7362]
* Fri Oct 11 2002 Charlie Brady <charlieb@e-smith.com>
- [1.8.0-01]
- Rolling stable version number to 1.8.0
* Wed Oct 2 2002 Mark Knox <markk@e-smith.com>
- [1.7.3-04]
- Remove stray braces in hosts.allow template [markk 3786]
* Mon Sep 23 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.3-03]
- Fix hosts.allow template problem introduced by last change [charlieb 3786]
* Tue Sep 10 2002 Mark Knox <markk@e-smith.com>
- [1.7.3-02]
- Remove deprecated split on pipe [markk 3786]
* Tue Aug 20 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.3-01]
- Add rc7.d symlink and don't set deprecated InitscriptsOrder property
[charlieb 4458]
- Change use of allow_tcp_in() function to allow dynamic reconfig.
[charlieb 4501]
* Thu Aug 8 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.2-01]
- Change masq script fragment to use allow_tcp_in() function. [charlieb 4499]
* Wed Jul 17 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.1-01]
- Change masq script fragment to use iptables. [charlieb 1268]
* Wed Jun 5 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.0-01]
- Changing version to maintained stream number to 1.7.0
* Fri May 31 2002 Charlie Brady <charlieb@e-smith.com>
- [1.6.0-01]
- Changing version to maintained stream number to 1.6.0
* Thu May 23 2002 Gordon Rowell <gordonr@e-smith.com>
- [1.5.6-01]
- RPM rebuild forced by cvsroot2rpm
* Mon May 13 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.5-01]
- Added buildtests [skud 2932]
* Fri Apr 26 2002 Tony Clayton <apc@e-smith.com>
- [1.5.4-01]
- add -t option to ssh-keygen call in sshd-conf [tonyc]
* Fri Mar 6 2002 Michael G Schwern <schwern@e-smith.com>
- [1.5.3-01]
- Tested & documented sshd-reload action [schwern 2932]
- Tested & documented sshd-conf and sshd-conf-startup actions [schwern 2932]
- Changed all actions to use esmith::ConfigDB [schwern 2932]
- Fixed dependencies. [schwern]
* Thu Feb 14 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.2-01]
- CVS testing
* Thu Feb 14 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.0-01]
- rollRPM: Rolled version number to 1.5.0-01. Includes patches up to 1.4.0-06.
* Mon Nov 05 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-06]
- Remove obsoleted "CheckMail no" fragment from sshd_config template.
* Tue Aug 28 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.4.0-05]
- Removed links from deprecated post-restore event
* Fri Aug 17 2001 gordonr
- [1.4.0-04]
- Autorebuild by rebuildRPM
* Tue Aug 14 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-03]
- Change back to Protocol 1 until known_hosts2 and authorized_keys2 files are
implemented on both sides.
* Tue Aug 14 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-02]
- Add template fragements to generate /root/.ssh/config host
config sections for any hostnames added to %e_smith_hosts by
other fragements numbered between 00 and 19.
- Delete useless template-end for /root/.ssh/config.
* Wed Aug 8 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-01]
- Rolled version number to 1.4.0-01. Includes patches upto 1.3.0-10.
* Wed Aug 8 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-10]
- Use restart instead of reload as some initscripts don't have the latter
* Sun Jul 8 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-09]
- Check "access" property of sshd service
* Fri Jul 6 2001 Peter Samuel <peters@e-smith.com>
- [1.3.0-08]
- Changed license to GPL
* Thu Jul 05 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-07]
- Explicitly disable ChallengeResponseAuthentication and
KbdInteractiveAuthentication
* Wed May 30 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-06]
- Added HostKey line for /etc/ssh/ssh_host_rsa_key for SSH version 2
* Tue May 29 2001 Tony Clayton <tonyc@e-smith.com>
- [1.3.0-05]
- fixed actions that had tied %conf when calling serviceControl (2 actions)
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-04]
- Added links to /usr/libexec and /usr/local/libexec to enable
sftp for more client systems under protocol V1
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-03]
- Revised after comments from Charlie
- Added documentation for MaxStartups and cleaner perl idiom for
SubsystemSftp test
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-02]
- Enabled sftp subsystem by default with correct path to sftp-server
- Added MaxStartups configuration
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-01]
- Rolled version number to 1.3.0-01. Includes patches upto 1.2.0-06.
* Wed May 09 2001 Tony Clayton <tonyc@e-smith.com>
- [1.2.0-06]
- Forgot to add last patch to %setup. Adding it now.
* Wed May 09 2001 Tony Clayton <tonyc@e-smith.com>
- [1.2.0-05]
- Add /root/.ssh/config template-{begin,end} fragments
- Expand config template from sshd-conf
* Thu Apr 27 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-04]
- Rolled version for GPG signing - no change
* Mon Apr 9 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-03]
- Extra HostKey line for openssh-2.5
* Thu Feb 8 2001 Adrian Chung <adrianc@e-smith.com>
- [1.2.0-02]
- Rolling release number for GPG signing.
* Thu Jan 25 2001 Peter Samuel <peters@e-smith.com>
- [1.2.0-01]
- Rolled version number to 1.2.0-01. Includes patches upto 1.1.0-23.
* Thu Jan 11 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-23]
- use serviceControl()
* Thu Jan 11 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-22]
- reload sshd (and possibly kill it off) in post-restore
* Thu Jan 11 2001 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-21]
- fully qualify path to killall in sshd-reload
* Wed Jan 10 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-20]
- Kill existing ssh sessions if we have just stopped the service
* Wed Jan 10 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-19]
- Use sshd reload instead of killall -HUP - that closes current connections
* Tue Jan 9 2001 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-18]
- Make new bootstrap-console-save event - the Lite version
- Make sshd-reload shut down sshd if it has been disabled
- Don't redo conf-sshd-startup with every console-save
* Fri Jan 5 2001 Peter Samuel <peters@e-smith.com>
- [1.1.0-17]
- Added missing use esmith::util to sshd-reload
* Thu Jan 04 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-16]
- Added missing use esmith::db
* Wed Jan 03 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-15]
- sshd-reload now starts sshd if not running and service enabled
* Thu Dec 28 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-14]
- Process sshd_config template in remoteaccess-update
* Thu Dec 28 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-13]
- Provide defaults for PermitRootLogin and PasswordAuthentication properties
* Thu Dec 21 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-12]
- Don't restart sshd after config change, just reload config.
* Sat Dec 16 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-11]
- Fix typo
* Fri Dec 15 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-10]
- Move AllowSSH packet filter template fragment here.
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-9]
- Disable ssh by default
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-8]
- Fixed typo in hosts.allow fragment for private access
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-7]
- Added sshd-restart to remoteaccess-update event (and others)
- Renamed scripts to sshd-{conf,conf-startup,restart}
- Enable private ssh access by default
* Tue Dec 12 2000 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-6]
- fixed location of ssh_host_key in 20HostKey fragment
* Wed Dec 06 2000 Peter Samuel <peters@e-smith.com
- [1.1.0-5]
- Fixed sshd_config templates for PermitRootLogin and
PasswordAuthentication
* Wed Dec 06 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-4]
- conf-ssh-startup: PasswordAuthentication=yes and RootLogin=no
- Fixed ordering of Port/Listen fragments
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-3]
- Changed sshd_config into a directory template
- Used services notation to enable/disable
- sshd_config: PasswordAuthentication and RootLogin - both disabled by default
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-1]
- Rolled version to 1.1.0. Includes patches up to 0.6-3
* Tue Oct 31 2000 Charlie Brady <charlieb@e-smith.com>
- Ensure that conf-ssh-startup is run during post-upgrade event.
- Fix missing " in hosts.allow template.
* Tue Oct 31 2000 Charlie Brady <charlieb@e-smith.com>
- Merge services database back into configuration database.
* Thu Oct 26 2000 Peter Samuel <peters@e-smith.com>
- Rolled version to 0.6. Includes patches up to 0.5-17
* Fri Oct 06 2000 Adrian Chung <adrian.chung@e-smith.com>
- Fixed a typo in conf-ssh-startup.
* Fri Oct 06 2000 Adrian Chung <adrian.chung@e-smith.com>
- Move %post code to conf-ssh-startup instead
- Default to enabled for sshd in services database if not
already set.
* Thu Oct 05 2000 Adrian Chung <adrian.chung@e-smith.com>
- Change %post to setdefault ... enabled.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Use db_get_type to get service status - to be safe against
defined service properties
- Do not init services database during post-install event -
it is done during %post action.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Only initialise services database during post-install action.
- Only expand hosts.allow/sshd if sshd service is enabled.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Fix typo
* Tue Oct 3 2000 Charlie Brady <charlieb@e-smith.com>
- Update services database when enabling startup
* Mon Oct 2 2000 Gordon Rowell <gordonr@e-smith.com>
- rewrote spec file to use e-smith-devtools
* Mon Sep 25 2000 Paul Nebsit <pkn@e-smith.com>
- updated contact and URL info
* Thu Sep 14 2000 Gordon Rowell <gordonr@e-smith.com>
- Removed obsolete rc7.d symlink from createlinks
* Thu Sep 14 2000 Gordon Rowell <gordonr@e-smith.com>
- Rebuilt using latest e-smith-devtools - hosts.allow template fragment missing
* Tue Aug 30 2000 Paul Nesbit <pkn@e-smith.com>
- added 'use e-smith::util' line to conf-ssh-startup
* Thu Aug 24 2000 Gordon Rowell <gordonr@e-smith.com>
- Rewrote conf-ssh-startup to use serviceControl()
* Sun Jul 2 2000 Charlie Brady <charlieb@e-smith.net>
- Make S85sshd symlink absolute so that RPM verifies
* Sat Jun 17 2000 Charlie Brady <charlieb@e-smith.net>
- Rewrite createlinks in perl
- Add sshd template for /etc/hosts.allow
- Fix ssh-keygen options code
* Mon Jun 12 2000 Charlie Brady <charlieb@e-smith.net>
- Remove /etc/rc.d/rc7.d symlink before (re-)creating it. Avoids logfile mess.
- Change backgroundCommand call to use array instead of string - avoid shell
parsing.
* Thu May 11 2000 Charlie Brady <charlieb@e-smith.net>
- Change rc?.d directory from 3 to 7.
%description
e-smith server enhancement to configure and enable openssh
%prep
%setup
%build
for i in console-save \
post-install \
post-upgrade \
remoteaccess-update \
bootstrap-console-save
do
mkdir -p root/etc/e-smith/events/$i
done
perl createlinks
# build the test suite from embedded tests
/sbin/e-smith/buildtests e-smith-openssh
# Compatibilty symlinks to allow sftp to work with more clients under
# protocol version 1
for dir in usr/libexec usr/local/libexec
do
mkdir -p root/$dir
ln -s /usr/libexec/openssh/sftp-server root/$dir/sftp-server
done
mkdir -p root/etc/rc.d/rc7.d
ln -s /etc/rc.d/init.d/e-smith-service root/etc/rc.d/rc7.d/S85sshd
%install
rm -rf $RPM_BUILD_ROOT
( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
rm -f %{name}-%{version}-%{release}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
> %{name}-%{version}-%{release}-filelist
echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
%clean
rm -rf $RPM_BUILD_ROOT
%files -f %{name}-%{version}-%{release}-filelist
%defattr(-,root,root)

1
contriborbase Normal file
View File

@ -0,0 +1 @@
sme10

58
createlinks Executable file
View File

@ -0,0 +1,58 @@
#!/usr/bin/perl -w
use strict;
use esmith::Build::CreateLinks qw(:all);
foreach (qw(
/etc/ssh/sshd_config
/etc/ssh/ssh_config
))
{
templates2events("$_", qw(
console-save
bootstrap-console-save
remoteaccess-update
e-smith-openssh-update
));
}
foreach (qw(
/etc/rssh.conf
))
{
templates2events("$_", qw(
bootstrap-console-save
password-modify
remoteaccess-update
user-lock
user-create
user-delete
user-modify
e-smith-openssh-update
));
}
foreach my $event (
"console-save",
"bootstrap-console-save",
"remoteaccess-update",
"e-smith-openssh-update"
)
{
event_link("sshd-conf", $event, "65");
}
foreach my $event (
"console-save",
"remoteaccess-update")
{
safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/sshd");
}
my $event="e-smith-openssh-update";
# systemd-specific action mandatory for this package-update event
event_link("systemd-reload", $event, "89");
event_link("systemd-default", $event, "88");
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/sshd");
templates2events("/etc/rsyslog.conf",$event);
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");

679
e-smith-openssh.spec Normal file
View File

@ -0,0 +1,679 @@
# $Id: e-smith-openssh.spec,v 1.12 2023/07/13 02:38:42 trevorb Exp $
Summary: e-smith module to configure and enable ssh
%define name e-smith-openssh
Name: %{name}
%define version 2.6.0
%define release 8
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Daemons
Source: %{name}-%{version}.tar.xz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildRequires: e-smith-devtools
BuildArchitectures: noarch
Requires: e-smith, openssl,
Requires: openssh >= 3.5
Requires: openssh-clients
Requires: openssh-server
Requires: e-smith-lib >= 1.15.1-19
Requires: runit
AutoReqProv: no
%changelog
* Thu Jul 13 2023 cvs2git.sh aka Brian Read <brianr@koozali.org> 2.6.0-8.sme
- Roll up patches and move to git repo [SME: 12338]
* Thu Jul 13 2023 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
Tue Aug 30 2000 --> Tue Aug 29 2000 or Wed Aug 30 2000 or Tue Sep 05 2000 or ....
Thu Apr 27 2001 --> Thu Apr 26 2001 or Fri Apr 27 2001 or Thu May 03 2001 or ....
* Tue Mar 16 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-7.sme
- clean rsyslog syntax for sshd [SME: 11422]
* Thu Feb 18 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-6.sme
- increase default host key size [SME: 11359]
- redirect logging to /var/log/sshd/sshd.log and logrotate [SME: 11256]
* Fri Dec 11 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-4.sme
- add support for denyhost [SME: 10939]
- move sshd to systemd [SME: 11109]
- create -update event [SME: 11147]
- add ed25519 and ecdsa hostkeys [SME: 10940]
* Sun May 03 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-3.sme
- add Whitelist to AutoBlock using property sshd ValidFrom [SME: 9893]
* Sat May 02 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-2.sme
- update client ciphers to use [SME: 10621]
- add ciphers, macs and KexAlgorithms for server [SME: 10937]
* Fri Feb 05 2016 stephane de Labrusse <stephdl@de-labrusse.fr> 2.6.0-1.sme
- Initial release to sme10
* Thu Jun 25 2015 stephane de Labrusse <stephdl@de-labrusse.fr> 2.4.0-6.sme
- enabled the motd message [SME: 8939]
- Code done by John Crisp <jcrisp@safeandsoundit.co.uk> and
- Stefano Zamboni <zamboni@mind-at-work.it>
* Sun Apr 6 2014 Charlie Brady <charlie_brady@mitel.com> 2.4.0-5.sme
- Fix use of uninitialized variables in last change. [SME: 8313]
- Fix error with flush of xt_recent SSH connections. [SME: 8314]
* Sat Apr 5 2014 Chris Burnat <devlist@burnat.com> 2.4.0-4.sme
- Add ssh-autoblock for external interface - patch by Chris Maltby [SME: 8258]
* Fri Nov 1 2013 Chris Burnat <devlist@burnat.com> 2.4.0-3.sme
- Remove SSH v1 legacy support - patch by Daniel Berteaud [SME: 6381]
* Sat Mar 16 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-2.sme
- Make rsyslog listen to our socket [SME: 7221]
* Wed Feb 13 2013 Shad L. Lords <slords@mail.com> 2.4.0-1.sme
- Roll new stream for sme9
* Tue Mar 1 2011 Jonathan Martens <smesevrer-contribs@snetram.nl> 2.2.0-5.sme
- Obsolete KeepAlive and replace ClientAliveInterval and ClientAliveCountMax [SME: 6380]
* Fri Nov 26 2010 Ian Wells <esmith@wellsi.com> 2.2.0-4.sme
- Change permissions of ssh_config file to 644 [SME: 43]
* Thu Nov 25 2010 Ian Wells <esmith@wellsi.com> 2.2.0-3.sme
- Template ssh_config with improved defaults [SME: 43]
* Sun Dec 28 2008 Jonathan Martens <smesevrer-contribs@snetram.nl> 2.2.0-2.sme
- Template sshd login grace time, kept default at 600s [SME: 4903]
* Tue Oct 7 2008 Shad L. Lords <slords@mail.com> 2.2.0-1.sme
- Roll new stream to separate sme7/sme8 trees [SME: 4633]
* Wed Jan 09 2008 Stephen Noble <support@dungog.net> 1.12.0-13
- Remove template fragments for /root/.ssh/config [SME: 513]
* Tue Dec 18 2007 Shad L. Lords <slords@mail.com> 1.12.0-12
- Actually apply previous patch [SME: 3678]
* Mon Dec 17 2007 Shad L. Lords <slords@mail.com> 1.12.0-11
- Allow root to be key based login only [SME: 3678]
* Tue Oct 23 2007 Charlie Brady <charlie_brady@mitel.com> 1.12.0-10
- Prevent rkhunter false positive if ssh is disabled but
PermitRootLogin is enabled in config. [SME: 166]
* Sun Apr 29 2007 Shad L. Lords <slords@mail.com>
- Clean up spec so package can be built by koji/plague
* Sun Apr 08 2007 Shad L. Lords <slords@mail.com> 1.12.0-9
- Adjust permissions on empty/sshd directory again [SME: 2711]
* Fri Apr 06 2007 Shad L. Lords <slords@mail.com> 1.12.0-8
- Adjust permissions on empty/sshd directory [SME: 2711]
* Tue Mar 06 2007 Shad L. Lords <slords@mail.com> 1.12.0-7
- Adjust sftp-server path in sshd_config to match openssh-servers [SME: 2470]
* Thu Dec 07 2006 Shad L. Lords <slords@mail.com>
- Update to new release naming. No functional changes.
- Make Packager generic
* Tue Jul 25 2006 Gordon Rowell <gordonr@gormand.com.au> 1.12.0-05
- Use sshd{TCPPort} for listen Port - thanks MasterSleepy [SME: 1774]
* Tue Jul 18 2006 Charlie Brady <charlie_brady@mitel.com> 1.12.0-04
- Allow "UsePAM" setting to be controlled from db. [SME: 1744]
* Wed Apr 5 2006 Gordon Rowell <gordonr@gormand.com.au> 1.12.0-03
- Add newline after user entries in rssh.conf [SME: 877]
* Wed Mar 29 2006 Gordon Rowell <gordonr@gormand.com.au> 1.12.0-02
- Don't display /etc/motd contents from ssh [SME: 718]
* Tue Mar 14 2006 Charlie Brady <charlie_brady@mitel.com> 1.12.0-01
- Roll stable stream version. [SME: 1016]
* Mon Mar 13 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-29
- Expand /etc/rssh.conf in user-{create,delete,lock,modify} [SME: 877]
* Mon Mar 13 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-28
- A user is allowed access to rssh protocols if:
- They have PasswordSet==yes
- They have AllowRSSH==yes or
VPNClientAccess==yes but not AllowRSSH==no [SME: 877]
* Mon Mar 13 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-27
- Remove defaults for sshd{Allow*} and the templates for rssh.conf [SME: 877]
- Allow a user all of the rssh protocols if AllowSSH is yes [SME: 877]
* Thu Mar 02 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-26
- Adjust sftp-server path in sshd_config to match rssh [SME: 924]
* Wed Mar 01 2006 Charlie Brady <charlie_brady@mitel.com> 1.11.0-25
- Add syslog socket inside privsep chroot jail [SME: 916]
* Tue Jan 24 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-24
- Default sshd{AllowRSYNC} == yes [SME: 42]
* Mon Jan 23 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-23
- Add template for /etc/rssh.conf [SME: 42]
- Default sshd{AllowSCP, AllowSFTP} == yes [SME: 532]
- Default sshd{AllowRDIST,AllowRSYNC,AllowCVS} == no
* Fri Jan 6 2006 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-22
- Default sshd{PasswordAuthentication} to "no" [SME: 377]
* Wed Nov 30 2005 Gordon Rowell <gordonr@gormand.com.au> 1.11.0-21
- Bump release number only
* Wed Aug 10 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-20]
- Delete test related requires (not really required) and add runit.
* Wed Jul 20 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-19]
- Set $sshd{TCPPort} and remove obsolete masq template fragment. [SF: 1241409]
* Tue Jul 19 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-18]
- Update to current db access APIs. [SF: 1216546]
* Tue Jul 5 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-17]
- Configure MaxAuthTries (our default is 2). [SF: 1232544]
* Thu Jun 16 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-16]
- Ensure that 'status' property is recognised at startup. [MN00061795]
* Tue May 17 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-15]
- Default to protocol 2 only on new installs, and '2,1' for
upgrades where $sshd{Protocol} is not defined.
* Mon Mar 14 2005 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-14]
- Use generic_template_expand action for all template expansions from
sshd-conf. Update e-smith-lib dependency. [MN00064130]
- Replace sshd-reload with call to 'adjust-services'. [MN00065576]
* Tue Sep 28 2004 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-13]
- Updated requires with new perl dependencies. [charlieb MN00040240]
- Clean BuildRequires. [charlieb MN00043055]
* Mon Dec 22 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-12]
- Added host key generation code to run script. [msoulier 9549]
* Wed Dec 10 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-11]
- Fixed a bug in the genfilelist options. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-10]
- Put full path to sshd in run script to work around assumption of full path
in sshd sighup handler. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-09]
- Updated sshd-reload to use daemontools wrapper. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-08]
- Moved the shebang line to a place where it actually matters. Tell me it's
friday. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-07]
- Fixed a couple of typos preventing multilog from starting. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-06]
- Moved initscript to /etc/init.d/supervise/sshd. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-05]
- Fixed a couple of specfile typos. [msoulier 9549]
* Fri Dec 5 2003 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-04]
- Adding supervision of sshd. [msoulier 9549]
- Updated createlinks to latest api.
* Tue Sep 16 2003 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-03]
- Remove deprecated RhostsAuthentication from sshd_config. [charlieb 10014]
* Thu Aug 21 2003 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-02]
- Replace sshd-conf-startup action with default db fragments.
[charlieb 9553]
* Thu Aug 21 2003 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-01]
- Changing version to development stream number - 1.11.0
* Thu Jun 26 2003 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-01]
- Changing version to stable stream number - 1.10.0
* Mon Apr 21 2003 Mark Knox <markk@e-smith.com>
- [1.9.0-10]
- Enforce 0600 on sshd_config [markk 8407]
* Tue Apr 15 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.9.0-09]
- Add Compression and UsePrivilegeSeparation options [gordonr 8173]
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
- [1.9.0-08]
- Backed-out 1.9.0-07. [msoulier 5782]
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
- [1.9.0-07]
- Shut off tcp forwarding in the daemon. [msoulier 5782]
* Tue Apr 1 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.9.0-06]
- Actually reload ssh rather than restarting in sshd-reload [gordonr 7785]
* Tue Mar 18 2003 Lijie Deng <lijied@e-smith.com>
- [1.9.0-05]
- Deleted ./root/.ssh/config/template-begin [lijied 3295]
* Mon Mar 17 2003 Lijie Deng <lijied@e-smith.com>
- [1.9.0-04]
- Deleted template-begin/end file [lijied 3295]
* Tue Mar 4 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-03]
- s/HostsAllowSpec/hosts_allow_spec/ [charlieb 5650]
* Fri Feb 28 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-02]
- Re-do hosts.allow template to use esmith::ConfigDB::HostsAllowSpec.
Add dependency on up-to-date e-smith-lib. [charlieb 5650]
* Fri Feb 28 2003 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-01]
- Roll development stream to 1.9.0
* Mon Feb 24 2003 Charlie Brady <charlieb@e-smith.com>
- [1.8.0-02]
- Allow MaxStartups to be tunable from the config DB [charlieb 7362]
* Fri Oct 11 2002 Charlie Brady <charlieb@e-smith.com>
- [1.8.0-01]
- Rolling stable version number to 1.8.0
* Wed Oct 2 2002 Mark Knox <markk@e-smith.com>
- [1.7.3-04]
- Remove stray braces in hosts.allow template [markk 3786]
* Mon Sep 23 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.3-03]
- Fix hosts.allow template problem introduced by last change [charlieb 3786]
* Tue Sep 10 2002 Mark Knox <markk@e-smith.com>
- [1.7.3-02]
- Remove deprecated split on pipe [markk 3786]
* Tue Aug 20 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.3-01]
- Add rc7.d symlink and don't set deprecated InitscriptsOrder property
[charlieb 4458]
- Change use of allow_tcp_in() function to allow dynamic reconfig.
[charlieb 4501]
* Thu Aug 8 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.2-01]
- Change masq script fragment to use allow_tcp_in() function. [charlieb 4499]
* Wed Jul 17 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.1-01]
- Change masq script fragment to use iptables. [charlieb 1268]
* Wed Jun 5 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.0-01]
- Changing version to maintained stream number to 1.7.0
* Fri May 31 2002 Charlie Brady <charlieb@e-smith.com>
- [1.6.0-01]
- Changing version to maintained stream number to 1.6.0
* Thu May 23 2002 Gordon Rowell <gordonr@e-smith.com>
- [1.5.6-01]
- RPM rebuild forced by cvsroot2rpm
* Mon May 13 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.5-01]
- Added buildtests [skud 2932]
* Fri Apr 26 2002 Tony Clayton <apc@e-smith.com>
- [1.5.4-01]
- add -t option to ssh-keygen call in sshd-conf [tonyc]
* Fri Mar 6 2002 Michael G Schwern <schwern@e-smith.com>
- [1.5.3-01]
- Tested & documented sshd-reload action [schwern 2932]
- Tested & documented sshd-conf and sshd-conf-startup actions [schwern 2932]
- Changed all actions to use esmith::ConfigDB [schwern 2932]
- Fixed dependencies. [schwern]
* Thu Feb 14 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.2-01]
- CVS testing
* Thu Feb 14 2002 Kirrily Robert <skud@e-smith.com>
- [1.5.0-01]
- rollRPM: Rolled version number to 1.5.0-01. Includes patches up to 1.4.0-06.
* Mon Nov 05 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-06]
- Remove obsoleted "CheckMail no" fragment from sshd_config template.
* Tue Aug 28 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.4.0-05]
- Removed links from deprecated post-restore event
* Fri Aug 17 2001 gordonr
- [1.4.0-04]
- Autorebuild by rebuildRPM
* Tue Aug 14 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-03]
- Change back to Protocol 1 until known_hosts2 and authorized_keys2 files are
implemented on both sides.
* Tue Aug 14 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-02]
- Add template fragements to generate /root/.ssh/config host
config sections for any hostnames added to %e_smith_hosts by
other fragements numbered between 00 and 19.
- Delete useless template-end for /root/.ssh/config.
* Wed Aug 8 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-01]
- Rolled version number to 1.4.0-01. Includes patches upto 1.3.0-10.
* Wed Aug 8 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-10]
- Use restart instead of reload as some initscripts don't have the latter
* Sun Jul 8 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-09]
- Check "access" property of sshd service
* Fri Jul 6 2001 Peter Samuel <peters@e-smith.com>
- [1.3.0-08]
- Changed license to GPL
* Thu Jul 05 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-07]
- Explicitly disable ChallengeResponseAuthentication and
KbdInteractiveAuthentication
* Wed May 30 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-06]
- Added HostKey line for /etc/ssh/ssh_host_rsa_key for SSH version 2
* Tue May 29 2001 Tony Clayton <tonyc@e-smith.com>
- [1.3.0-05]
- fixed actions that had tied %conf when calling serviceControl (2 actions)
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-04]
- Added links to /usr/libexec and /usr/local/libexec to enable
sftp for more client systems under protocol V1
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-03]
- Revised after comments from Charlie
- Added documentation for MaxStartups and cleaner perl idiom for
SubsystemSftp test
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-02]
- Enabled sftp subsystem by default with correct path to sftp-server
- Added MaxStartups configuration
* Mon May 21 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-01]
- Rolled version number to 1.3.0-01. Includes patches upto 1.2.0-06.
* Wed May 09 2001 Tony Clayton <tonyc@e-smith.com>
- [1.2.0-06]
- Forgot to add last patch to %setup. Adding it now.
* Wed May 09 2001 Tony Clayton <tonyc@e-smith.com>
- [1.2.0-05]
- Add /root/.ssh/config template-{begin,end} fragments
- Expand config template from sshd-conf
* Fri Apr 27 2001 Gordon Rowell <gordonr@e-smith.com>
Thu Apr 27 2001 --> Thu Apr 26 2001 or Fri Apr 27 2001 or Thu May 03 2001 or ....
- [1.2.0-04]
- Rolled version for GPG signing - no change
* Mon Apr 9 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-03]
- Extra HostKey line for openssh-2.5
* Thu Feb 8 2001 Adrian Chung <adrianc@e-smith.com>
- [1.2.0-02]
- Rolling release number for GPG signing.
* Thu Jan 25 2001 Peter Samuel <peters@e-smith.com>
- [1.2.0-01]
- Rolled version number to 1.2.0-01. Includes patches upto 1.1.0-23.
* Thu Jan 11 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-23]
- use serviceControl()
* Thu Jan 11 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-22]
- reload sshd (and possibly kill it off) in post-restore
* Thu Jan 11 2001 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-21]
- fully qualify path to killall in sshd-reload
* Wed Jan 10 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-20]
- Kill existing ssh sessions if we have just stopped the service
* Wed Jan 10 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-19]
- Use sshd reload instead of killall -HUP - that closes current connections
* Tue Jan 9 2001 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-18]
- Make new bootstrap-console-save event - the Lite version
- Make sshd-reload shut down sshd if it has been disabled
- Don't redo conf-sshd-startup with every console-save
* Fri Jan 5 2001 Peter Samuel <peters@e-smith.com>
- [1.1.0-17]
- Added missing use esmith::util to sshd-reload
* Thu Jan 04 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-16]
- Added missing use esmith::db
* Wed Jan 03 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-15]
- sshd-reload now starts sshd if not running and service enabled
* Thu Dec 28 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-14]
- Process sshd_config template in remoteaccess-update
* Thu Dec 28 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-13]
- Provide defaults for PermitRootLogin and PasswordAuthentication properties
* Thu Dec 21 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-12]
- Don't restart sshd after config change, just reload config.
* Sat Dec 16 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-11]
- Fix typo
* Fri Dec 15 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-10]
- Move AllowSSH packet filter template fragment here.
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-9]
- Disable ssh by default
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-8]
- Fixed typo in hosts.allow fragment for private access
* Wed Dec 13 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-7]
- Added sshd-restart to remoteaccess-update event (and others)
- Renamed scripts to sshd-{conf,conf-startup,restart}
- Enable private ssh access by default
* Tue Dec 12 2000 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-6]
- fixed location of ssh_host_key in 20HostKey fragment
* Wed Dec 06 2000 Peter Samuel <peters@e-smith.com
- [1.1.0-5]
- Fixed sshd_config templates for PermitRootLogin and
PasswordAuthentication
* Wed Dec 06 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-4]
- conf-ssh-startup: PasswordAuthentication=yes and RootLogin=no
- Fixed ordering of Port/Listen fragments
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-3]
- Changed sshd_config into a directory template
- Used services notation to enable/disable
- sshd_config: PasswordAuthentication and RootLogin - both disabled by default
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-1]
- Rolled version to 1.1.0. Includes patches up to 0.6-3
* Tue Oct 31 2000 Charlie Brady <charlieb@e-smith.com>
- Ensure that conf-ssh-startup is run during post-upgrade event.
- Fix missing " in hosts.allow template.
* Tue Oct 31 2000 Charlie Brady <charlieb@e-smith.com>
- Merge services database back into configuration database.
* Thu Oct 26 2000 Peter Samuel <peters@e-smith.com>
- Rolled version to 0.6. Includes patches up to 0.5-17
* Fri Oct 06 2000 Adrian Chung <adrian.chung@e-smith.com>
- Fixed a typo in conf-ssh-startup.
* Fri Oct 06 2000 Adrian Chung <adrian.chung@e-smith.com>
- Move %post code to conf-ssh-startup instead
- Default to enabled for sshd in services database if not
already set.
* Thu Oct 05 2000 Adrian Chung <adrian.chung@e-smith.com>
- Change %post to setdefault ... enabled.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Use db_get_type to get service status - to be safe against
defined service properties
- Do not init services database during post-install event -
it is done during %post action.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Only initialise services database during post-install action.
- Only expand hosts.allow/sshd if sshd service is enabled.
* Wed Oct 4 2000 Charlie Brady <charlieb@e-smith.com>
- Fix typo
* Tue Oct 3 2000 Charlie Brady <charlieb@e-smith.com>
- Update services database when enabling startup
* Mon Oct 2 2000 Gordon Rowell <gordonr@e-smith.com>
- rewrote spec file to use e-smith-devtools
* Mon Sep 25 2000 Paul Nebsit <pkn@e-smith.com>
- updated contact and URL info
* Thu Sep 14 2000 Gordon Rowell <gordonr@e-smith.com>
- Removed obsolete rc7.d symlink from createlinks
* Thu Sep 14 2000 Gordon Rowell <gordonr@e-smith.com>
- Rebuilt using latest e-smith-devtools - hosts.allow template fragment missing
* Wed Aug 30 2000 Paul Nesbit <pkn@e-smith.com>
Tue Aug 30 2000 --> Tue Aug 29 2000 or Wed Aug 30 2000 or Tue Sep 05 2000 or ....
- added 'use e-smith::util' line to conf-ssh-startup
* Thu Aug 24 2000 Gordon Rowell <gordonr@e-smith.com>
- Rewrote conf-ssh-startup to use serviceControl()
* Sun Jul 2 2000 Charlie Brady <charlieb@e-smith.net>
- Make S85sshd symlink absolute so that RPM verifies
* Sat Jun 17 2000 Charlie Brady <charlieb@e-smith.net>
- Rewrite createlinks in perl
- Add sshd template for /etc/hosts.allow
- Fix ssh-keygen options code
* Mon Jun 12 2000 Charlie Brady <charlieb@e-smith.net>
- Remove /etc/rc.d/rc7.d symlink before (re-)creating it. Avoids logfile mess.
- Change backgroundCommand call to use array instead of string - avoid shell
parsing.
* Thu May 11 2000 Charlie Brady <charlieb@e-smith.net>
- Change rc?.d directory from 3 to 7.
%description
e-smith server enhancement to configure and enable openssh
%prep
%setup
rm -rf root/var/service root/service
%build
perl createlinks
# build the test suite from embedded tests
/sbin/e-smith/buildtests e-smith-openssh
%install
rm -rf $RPM_BUILD_ROOT
( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
rm -f %{name}-%{version}-%{release}-filelist
/sbin/e-smith/genfilelist \
--file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
--dir '/var/log/sshd' 'attr(2750,root,root)' \
--dir '/var/empty/sshd' 'attr(0711,root,root)' \
$RPM_BUILD_ROOT \
> %{name}-%{version}-%{release}-filelist
echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
%clean
rm -rf $RPM_BUILD_ROOT
%files -f %{name}-%{version}-%{release}-filelist
%defattr(-,root,root)
%pre
if [ $1 -gt 1 ] ; then
if [ -e /var/service/sshd/run ] ; then
/usr/bin/sv d sshd
/usr/bin/sv d sshd/log
fi
fi

View File

@ -0,0 +1 @@
enabled

View File

@ -0,0 +1 @@
900

View File

@ -0,0 +1 @@
4

View File

@ -0,0 +1 @@
600

View File

@ -0,0 +1 @@
2

View File

@ -0,0 +1 @@
enabled

View File

@ -0,0 +1 @@
no

View File

@ -0,0 +1 @@
22

View File

@ -0,0 +1 @@
private

View File

@ -0,0 +1 @@
disabled

View File

@ -0,0 +1 @@
service

View File

@ -0,0 +1,97 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#----------------------------------------------------------------------
package esmith;
use strict;
use Errno;
use esmith::ConfigDB;
use esmith::util;
=head1 NAME
sshd-conf - action to reconfigure sshd
=head1 SYNOPSIS
sshd-conf
=head1 DESCRIPTION
Generates the sshd host key with no passphrase. If one already
exists it simply makes sure the comment in the ssh_host_key is
correct.
=head1 FILES
The following files are affected.
/etc/ssh/ssh_host_key
=begin testing
use esmith::ConfigDB;
SKIP: {
my $db;
skip "You have to be able to read the config DB to test this", 4
unless $db = esmith::ConfigDB->open;
$Destruct_Ok = $db->get('testing')->prop('destruction');
SKIP: {
skip "sshd reconfiguration would be destructive", 7
unless $Destruct_Ok;
# Call ourself.
system $^X, $Original_File;
is( $@, '', 'ran myself ok' );
sleep 1;
foreach my $file (qw(
/etc/ssh/ssh_host_key
) )
{
cmp_ok( -M $file, '<', 0, "$file rewritten" );
cmp_ok( -s $file, '>', 0, "$file is not empty" );
}
}
}
=end testing
=cut
my $db = esmith::ConfigDB->open_ro or die "Could not open config db";
# Recomment the key in case the SystemName or DomainName changed.
my @change = (-f "/etc/ssh/ssh_host_key") ? ("-c", "-P", "")
: ("-q", "-N", "");
esmith::util::backgroundCommand (0,
"/usr/bin/ssh-keygen", @change, "-t", "rsa1",
"-f", "/etc/ssh/ssh_host_key",
"-C", "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value);
exit (0);

View File

View File

View File

View File

View File

@ -0,0 +1 @@
PERMS=0644

View File

@ -0,0 +1 @@
PERMS=0600

View File

@ -0,0 +1,4 @@
{
$OUT .= $DB->hosts_allow_spec('sshd');
$OUT .= " EXCEPT /etc/hosts.deny_ssh" if ( ( -f "/etc/hosts.deny_ssh") && ($denyhosts{'status'} || 'disabled') eq "enabled" );
}

View File

@ -0,0 +1,25 @@
{
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
$OUT .=<<"EOF";
# Create a whitelist
/sbin/iptables --new-chain SSH_Whitelist
/sbin/iptables --new-chain SSH_Whitelist_1
/sbin/iptables --append SSH_Whitelist -j SSH_Whitelist_1
# Use recent packets match to block SSH from sites generating
# $abtries connections within $abtime seconds
# Check/clear IP block status in /proc/net/xt_recent/SSH
/sbin/iptables --new-chain SSH_Autoblock
# First check if not whitelisted
/sbin/iptables --append SSH_Autoblock --proto tcp --dport $sshd_port \\
-m state --state NEW -j SSH_Whitelist
/sbin/iptables --append SSH_Autoblock -m recent --set --name SSH
/sbin/iptables --append SSH_Autoblock -m recent --rcheck --rttl \\
--seconds $abtime --hitcount $abtries --name SSH -j denylog
EOF
}

View File

@ -0,0 +1,13 @@
{
my $sshd_autoblock = ${'sshd'}{'AutoBlock'} || "enabled";
my $sshd_public = ${'sshd'}{'access'} || "private";
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
if ($sshd_autoblock eq "enabled" && $sshd_public eq "public" ) {
$OUT = " # SSH autoblock enabled - send new SSH connects through recent IPs filter\n";
$OUT .= " /sbin/iptables --append \$NEW_InboundTCP --proto tcp --dport $sshd_port \\\n";
$OUT .= " -m state --state NEW -j SSH_Autoblock\n"
} else {
$OUT = " # SSH autoblock disabled or sshd access is private\n";
}
}

View File

@ -0,0 +1,44 @@
{
# SSH_Whitelist
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
# Find the current SSH_Whitelit_$$ chain, and create a new one.
$OUT .=<<'EOF';
OLD_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter find)
NEW_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter new)
/sbin/iptables --new-chain $NEW_SSH_Whitelist
EOF
# here we add the content from sshd ValidFrom
# or create a new one dedicated for sshd
my @vals = split ",", ($sshd{ValidFrom} || '');
#$OUT .="#sshd whitelist content : "
#$OUT .= join " ", @vals;
foreach my $ip ( @vals ){
$OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip";
$OUT .= " -p tcp";
$OUT .= " --dport $sshd_port" ;
$OUT .= " -j ACCEPT\n";
}
$OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist" .
" -j RETURN\n";
# Having created a new SSH_Whitelist chain, activate it and destroy the old one.
$OUT .=<<'EOF';
/sbin/iptables --replace SSH_Whitelist 1 \
--jump $NEW_SSH_Whitelist
/sbin/iptables --flush $OLD_SSH_Whitelist
/sbin/iptables --delete-chain $OLD_SSH_Whitelist
EOF
# SSH_Autoblock
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
$OUT .=<<"EOF";
/sbin/iptables --replace SSH_Autoblock 3 -m recent --rcheck --rttl \\
--seconds $abtime --hitcount $abtries --name SSH -j denylog
# Clear SSH_Autoblock site history too
echo / > /proc/net/xt_recent/SSH
EOF
}

View File

@ -0,0 +1 @@
logfacility = LOG_USER

View File

@ -0,0 +1 @@
umask = 022

View File

@ -0,0 +1,22 @@
{
use esmith::AccountsDB;
my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
$OUT = '';
for my $user ( $adb->users )
{
my %props = $user->props;
$props{AllowRSSH} ||= 'unknown';
next unless ($props{PasswordSet} eq 'yes');
next if ($props{AllowRSSH} eq 'no');
next unless ($props{AllowRSSH} eq 'yes' or
$props{VPNClientAccess} eq 'yes');
$OUT .= "user = " . $user->key . ":022:11111:" . "\n";
}
}

View File

@ -0,0 +1 @@
$AddUnixListenSocket /var/empty/sshd/dev/log

View File

@ -0,0 +1,6 @@
#sshd
if $programname == 'sshd' and $syslogfacility-text == 'authpriv' then /var/log/secure
:programname, isequal, "sshd" /var/log/sshd/sshd.log
& stop

View File

@ -0,0 +1 @@
Host *

View File

@ -0,0 +1 @@
Port 22

View File

@ -0,0 +1 @@
Protocol 2

View File

@ -0,0 +1 @@
Cipher blowfish

View File

@ -0,0 +1 @@
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc

View File

@ -0,0 +1 @@
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

View File

@ -0,0 +1 @@
GSSAPIAuthentication yes

View File

@ -0,0 +1,5 @@
#ForwardX11 no
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes

View File

@ -0,0 +1,5 @@
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

View File

@ -0,0 +1,5 @@
{
my $ssh_port = $sshd{'TCPPort'} || 22;
$OUT = "Port $ssh_port";
}

View File

@ -0,0 +1,10 @@
{
my $access = $sshd{'access'} || 'private';
my $address = ($access eq "public") ? "0.0.0.0" : "$LocalIP";
$OUT .= "ListenAddress $address";
# Another alternative is: "ListenAddress ::"
}

View File

@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_key

View File

@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_dsa_key

View File

@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_ecdsa_key

View File

@ -0,0 +1,2 @@
HostKey /etc/ssh/ssh_host_ed25519_key

View File

@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_rsa_key

View File

@ -0,0 +1,4 @@
{
my $LoginGraceTime = $sshd{LoginGraceTime} || "600";
$OUT = "LoginGraceTime $LoginGraceTime";
}

View File

@ -0,0 +1 @@
Protocol 2

View File

@ -0,0 +1,4 @@
{
my $pam = $sshd{UsePAM} || "no";
$OUT = "UsePAM $pam";
}

View File

@ -0,0 +1 @@
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

View File

@ -0,0 +1 @@
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

View File

@ -0,0 +1 @@
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

View File

@ -0,0 +1 @@
ChallengeResponseAuthentication no

View File

@ -0,0 +1 @@
Compression yes

View File

@ -0,0 +1,4 @@
{ #
# Don't read ~/.rhosts and ~/.shosts files
}
IgnoreRhosts yes

View File

@ -0,0 +1,4 @@
{
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
}

View File

@ -0,0 +1 @@
KbdInteractiveAuthentication no

View File

@ -0,0 +1,7 @@
{
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
}

View File

@ -0,0 +1,4 @@
{
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
}

View File

@ -0,0 +1,8 @@
{
# MaxAuthTries specifies the maximum number of authentication
# attempts permitted per connection. Once the number of failures
# reaches half this value, additional failures are logged. The
# sshd default is 6 - we consider that too many.
my $MaxAuthTries = $sshd{MaxAuthTries} || "2";
$OUT = "MaxAuthTries $MaxAuthTries";
}

View File

@ -0,0 +1,9 @@
{
# Maximum number of concurrent unauthenticated connections
# The values are start:rate:full - start is when the rate limiter
# will kick in, rate is the percentage of new connections dropped and
# full is when all new connections are refused
# See sshd(1) for more details.
my $MaxStartups = $sshd{MaxStartups} || "10:30:60";
$OUT = "MaxStartups $MaxStartups";
}

View File

@ -0,0 +1,6 @@
{ # To disable tunneled clear text passwords, change to no here!
my $PasswordAuthentication = $sshd{'PasswordAuthentication'} || 'no';
$OUT = "PasswordAuthentication ";
$OUT .= ($PasswordAuthentication eq "yes") ? "yes" : "no";
}

View File

@ -0,0 +1 @@
PermitEmptyPasswords no

View File

@ -0,0 +1,14 @@
{
my $PermitRootLogin = $sshd{'PermitRootLogin'} || "no";
my $status = $sshd{'status'} || 'disabled';
$OUT .= "PermitRootLogin ";
if ( $status ne 'enabled' ) {
$OUT .= 'no';
} elsif ( $PermitRootLogin eq 'yes' ) {
$OUT .= 'yes';
} elsif ( $PermitRootLogin eq 'key' || $PermitRootLogin eq 'nopass' ) {
$OUT .= 'without-password';
} else {
$OUT .= 'no';
}
}

View File

@ -0,0 +1,5 @@
{
# Uncomment to disable s/key passwords
#SkeyAuthentication no
#KbdInteractiveAuthentication yes
}

View File

@ -0,0 +1 @@
StrictModes yes

View File

@ -0,0 +1 @@
UsePrivilegeSeparation yes

View File

@ -0,0 +1,11 @@
{
# NOTE: This just provides a path independent way to access the sftp server
# With this disabled, you can still specify a path to the sftp client
# so we default to enabling sftp
my $SubsystemSftp = $sshd{"SubsystemSftp"} || "yes";
$OUT = ($SubsystemSftp eq "yes") ?
"Subsystem sftp /usr/libexec/openssh/sftp-server" :
"# The sftp Subsystem is disabled in the configuration database";
}

View File

@ -0,0 +1 @@
X11DisplayOffset 10

View File

@ -0,0 +1 @@
X11Forwarding no

View File

@ -0,0 +1,5 @@
{
my $count = $sshd{ClientAliveCountMax} || 3;
$OUT = "ClientAliveCountMax $count\n";
}

View File

@ -0,0 +1,5 @@
{
my $interval = $sshd{ClientAliveInterval} || 15;
$OUT = "ClientAliveInterval $interval\n";
}

View File

@ -0,0 +1,13 @@
{
my $MotdStatus = $sshd{'MotdStatus'} || 'enabled';
if ( $MotdStatus eq 'disabled' )
{
$OUT .= "PrintMotd no\n";
}
else
{
$OUT .= "PrintMotd yes\n";
}
}

View File

@ -0,0 +1,3 @@
{
#UseLogin no
}

View File

@ -0,0 +1,4 @@
{ # Logging }
SyslogFacility AUTH
LogLevel INFO
{ #obsoletes QuietMode and FascistLogging }

View File

@ -0,0 +1,48 @@
# Welcome to the Wonderful World of Glassbox Testing.
#
# Load up esmith::util/system and override them with testing stubs.
use Test::More 'no_plan';
# Here we tell the test to not use any numbers (because there were
# probably tests output'd before us) and to not do end-of-test
# checks.
my $TB = Test::More->builder;
$TB->use_numbers(0);
$TB->no_ending(1);
use esmith::util;
use esmith::util::system;
package esmith::util;
::can_ok('esmith::util', 'serviceControl');
no warnings 'redefine';
sub serviceControl {
my(%params) = @_;
::pass('service control called');
::is( $params{NAME}, 'sshd', 'serviceControl NAME == sshd' );
::is( $params{ACTION}, 'stop', ' ACTION == stop' );
return 1;
}
package esmith::util::system;
::can_ok('esmith::util::system', 'killall');
no warnings 'redefine';
sub killall {
my($sig, @commands) = @_;
::pass('killall called');
::is( $sig, 'HUP', ' with a HUP' );
::is( @commands, 1, ' one command' );
::is( $commands[0], 'sshd', ' for sshd' );
return 1;
}

View File

@ -0,0 +1 @@
sshd=service|InitscriptOrder|85|PasswordAuthentication|yes|PermitRootLogin|yes|access|private

View File

@ -0,0 +1 @@
sshd=service|InitscriptOrder|85|PasswordAuthentication|yes|PermitRootLogin|yes|access|private|status|disabled

13
root/etc/logrotate.d/sshd Normal file
View File

@ -0,0 +1,13 @@
/var/log/sshd/sshd.log
{
missingok
notifempty
sharedscripts
delaycompress
su root root
create 600 root root
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

View File

@ -0,0 +1,97 @@
#!/bin/sh
# Generate host keys if they are not already present. Taken from sshd
# initscript.
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
echo "Success: RSA1 key generation"
echo
else
echo "Failure: RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -b 4096 -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
echo "Success: RSA key generation"
echo
else
echo "Failure: RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
echo "Success: DSA key generation"
echo
else
echo "Failure: DSA key generation"
echo
exit 1
fi
fi
}
do_ecdsa_keygen() {
if [ ! -s $ECDSA_KEY ]; then
echo -n $"Generating SSH2 ECDSA host key: "
if $KEYGEN -q -t ecdsa -b 521 -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
echo "Success: ECDSA key generation"
echo
else
echo "Failure: ECDSA key generation"
echo
exit 1
fi
fi
}
do_ed25519_keygen() {
if [ ! -s $ED25519_KEY ]; then
echo -n $"Generating SSH2 ED25519 host key: "
if $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
chmod 600 $ED25519_KEY
chmod 644 $ED25519_KEY.pub
echo "Success: ED25519 key generation"
echo
else
echo "Failure: ED25519 key generation"
echo
exit 1
fi
fi
}
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen
do_ecdsa_keygen
do_ed25519_keygen
exit 0;

View File

@ -0,0 +1,7 @@
[Service]
ExecStartPre=/sbin/e-smith/service-status sshd
ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config
[Install]
WantedBy=sme-server.target

0
root/var/empty/sshd/dev/.gitignore vendored Normal file
View File

0
root/var/log/sshd/.gitignore vendored Normal file
View File