* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme

- insecure cipher and MAC removed [SME: 12968]
* Wed Jan 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
2025-03-22 17:44:56 -04:00 · 2025-01-15 22:19:33 -05:00 · 2024-11-12 19:20:55 +00:00 · 2024-11-12 12:48:20 -05:00 · 2024-10-27 14:29:11 +00:00 · 2024-10-27 12:12:49 +00:00
20 changed files with 116 additions and 95 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak
--- a/README.md
+++ b/README.md
@@ -6,7 +6,14 @@ SMEServer Koozali developed git repo for smeserver-openssh smeserver
 <br />https://wiki.koozali.org/

 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)\
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 And a list of outstanding Legacy bugs: (e-smith-openssh) [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)

 ## Description
--- a/19
+++ b/19
@@ -6,7 +6,8 @@ use esmith::Build::CreateLinks qw(:all);
 foreach (qw(
    /etc/ssh/sshd_config
    /etc/ssh/ssh_config    
-	))
+    /etc/pam.d/sshd
+))
 {
    templates2events("$_", qw(
 	console-save
@@ -16,22 +17,6 @@ foreach (qw(
 	));
 }

-foreach (qw(
-    /etc/rssh.conf
-	))
-{
-    templates2events("$_", qw(
-	bootstrap-console-save
-	password-modify
-	remoteaccess-update
-	user-lock
-	user-create
-	user-delete
-	user-modify
-	smeserver-openssh-update
-	));
-}
-
 foreach my $event (
    "console-save",
    "bootstrap-console-save",
--- a/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
+++ b/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
@@ -0,0 +1,15 @@
+{
+    # Remove AllowRSSH propertie
+    # Reset Shell property if /usr/bin/rssh
+
+    foreach my $account ($DB->get_all)
+    {
+    if (defined $account->prop('Shell') && ($account->prop('Shell') eq "/usr/bin/rssh") )
+        {
+        $account->delete_prop('Shell');
+        }
+    next unless (defined $account->prop('AllowRSSH'));
+    $account->delete_prop('AllowRSSH');
+    }
+}
+
--- a/root/etc/e-smith/events/actions/sshd-conf
+++ b/root/etc/e-smith/events/actions/sshd-conf
@@ -83,6 +83,7 @@ SKIP: {
 =cut

 my $db = esmith::ConfigDB->open_ro or die "Could not open config db";
+my $comment = "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value;

 for my $typek (qw(dsa rsa ecdsa ed25519)) {
    # Recomment the key in case the SystemName or DomainName changed.
@@ -91,8 +92,8 @@ for my $typek (qw(dsa rsa ecdsa ed25519)) {
    
    esmith::util::backgroundCommand (0,
        "/usr/bin/ssh-keygen", @change, "-t", "$typek",
-        "-f", "/etc/ssh/ssh_host_key",
-        "-C", "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value);
+        "-f", "/etc/ssh/ssh_host_${typek}_key",
+        "-C", "comment");
 }
 exit (0);

--- a/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth       substack     password-auth
+auth       include      postlogin
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/30account
@@ -0,0 +1,3 @@
+account    required     pam_sepermit.so
+account    required     pam_nologin.so
+account    include      password-auth
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/40password
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/40password
@@ -0,0 +1 @@
+password   include      password-auth
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/50session
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/50session
@@ -0,0 +1,11 @@
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+#we use the sshd_config file to call motd
+#session    optional     pam_motd.so
+session    include      password-auth
+session    include      postlogin
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
--- a/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
+++ b/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
@@ -1 +0,0 @@
-logfacility = LOG_USER 
--- a/root/etc/e-smith/templates/etc/rssh.conf/10umask
+++ b/root/etc/e-smith/templates/etc/rssh.conf/10umask
@@ -1 +0,0 @@
-umask = 022
--- a/root/etc/e-smith/templates/etc/rssh.conf/40users
+++ b/root/etc/e-smith/templates/etc/rssh.conf/40users
@@ -1,22 +0,0 @@
-{
-    use esmith::AccountsDB;
-
-    my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
-
-    $OUT = '';
-
-    for my $user ( $adb->users )
-    {
-	my %props = $user->props;
-	$props{AllowRSSH} ||= 'unknown';
-
-	next unless ($props{PasswordSet} eq 'yes');
-
-	next if ($props{AllowRSSH} eq 'no');
-
-	next unless ($props{AllowRSSH} eq 'yes' or
-		$props{VPNClientAccess} eq 'yes');
-
-	$OUT .= "user = " . $user->key . ":022:11111:" . "\n";
-    }
-}
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms
@@ -0,0 +1 @@
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms
@@ -1 +1 @@
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs
@@ -1 +1 @@
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/40UsePrivilegeSeparation
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/40UsePrivilegeSeparation
@@ -1,2 +0,0 @@
-# Deprecated in Rocky 8
-# UsePrivilegeSeparation yes
--- a/root/etc/logrotate.d/sshd
+++ b/root/etc/logrotate.d/sshd
@@ -7,7 +7,7 @@
    su root root
    create 600 root root
    postrotate
-        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
    endscript
 }

--- a/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf
+++ b/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf
@@ -1,4 +1,8 @@
 [Service]
+# could introduce security issues
+# EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
+EnvironmentFile=
+EnvironmentFile=-/etc/sysconfig/sshd
 ExecStartPre=/sbin/e-smith/service-status sshd
 ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
 ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config
--- a/smeserver-openssh.spec
+++ b/smeserver-openssh.spec
@@ -4,7 +4,7 @@ Summary: smeserver module to configure and enable ssh
 %define name smeserver-openssh
 Name: %{name}
 %define version 11.0.0
-%define release 7
+%define release 12
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -19,23 +19,78 @@ Requires: openssh >= 3.5
 Requires: openssh-clients
 Requires: openssh-server
 Requires: smeserver-lib >= 1.15.1-19
-Requires: runit
 Provides: e-smith-openssh
 AutoReqProv: no

+%description
+smeserver server enhancement to configure and enable openssh
+
+%prep
+%setup
+rm -rf  root/var/service root/service
+
+%build
+perl createlinks
+# build the test suite from embedded tests
+/sbin/e-smith/buildtests e-smith-openssh
+
+%install
+rm -rf $RPM_BUILD_ROOT
+( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
+rm -f %{name}-%{version}-%{release}-filelist
+
+/sbin/e-smith/genfilelist \
+    --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
+    --dir '/var/log/sshd' 'attr(2750,root,root)' \
+    --dir '/var/empty/sshd' 'attr(0711,root,root)' \
+    $RPM_BUILD_ROOT \
+    > %{name}-%{version}-%{release}-filelist
+
+echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-%{release}-filelist
+%defattr(-,root,root)
+
+%pre
+if [ $1 -gt 1 ] ; then
+  if [ -e /var/service/sshd/run ] ; then
+       /usr/bin/sv d sshd
+       /usr/bin/sv d sshd/log
+  fi
+fi
+
 %changelog
+* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- insecure cipher and MAC removed [SME: 12968]
+
+* Wed Jan 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- remove Requires: runit [SME: 12566]
+
+* Tue Nov 12 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
+- fix update of host keys comment [SME: 12759]
+
+* Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
+- remove reference to deprecated rssh [SME: 12670]
+- template /etc/pam.d/sshd to remove motd [SME: 12740]
+
+* Tue Aug 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
+- fix new log does not fill after log rotate [SME: 12690]
+
 * Sat Apr 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme
 - fix script to recomment keys [SME: 12612]
  now comments rsa, dsa, ecdsa,ed25519. dropped rsa1

 * Fri Apr 12 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0.0-6.sme
- Remove option UsePrivilegeSeparation  [SME: 12564]
+- Remove option UsePrivilegeSeparation [SME: 12564]

 * Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-5.sme
- Update createlinks to create smeserver-package-update event  [SME: 12579]
+- Update createlinks to create smeserver-package-update event [SME: 12579]

 * Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-4.sme
- Set license file to GPL2.0  [SME: 12577]
+- Set license file to GPL2.0 [SME: 12577]

 * Tue Mar 26 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-3.sme
 - remove RSA1 support which prevents service start  [SME: 12553]
@@ -47,7 +102,6 @@ AutoReqProv: no
 - Update Release and Version to base version and 1st release for SME11 [SME: 12518]
 - Move Provides: from after Changelog 

-
 * Mon Mar 11 2024 rename-e-smith-pkg.sh by Trevor Batley <trevor@batley.id.au> 2.6.0-9.sme
 - Rename to smeserver-openssh [SME: 12359]

@@ -384,7 +438,7 @@ AutoReqProv: no
 - [1.5.4-01]
 - add -t option to ssh-keygen call in sshd-conf [tonyc]

-* Fri Mar  6 2002 Michael G Schwern <schwern@e-smith.com>
+* Fri Mar  8 2002 Michael G Schwern <schwern@e-smith.com>
 - [1.5.3-01]
 - Tested & documented sshd-reload action [schwern 2932]
 - Tested & documented sshd-conf and sshd-conf-startup actions [schwern 2932]
@@ -666,42 +720,3 @@ AutoReqProv: no
 * Thu May 11 2000 Charlie Brady <charlieb@e-smith.net>
 - Change rc?.d directory from 3 to 7.

-%description
-smeserver server enhancement to configure and enable openssh
-
-%prep
-%setup
-rm -rf  root/var/service root/service
-
-%build
-perl createlinks
-# build the test suite from embedded tests
-/sbin/e-smith/buildtests e-smith-openssh
-
-%install
-rm -rf $RPM_BUILD_ROOT
-( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
-rm -f %{name}-%{version}-%{release}-filelist
-
-/sbin/e-smith/genfilelist \
-    --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
-    --dir '/var/log/sshd' 'attr(2750,root,root)' \
-    --dir '/var/empty/sshd' 'attr(0711,root,root)' \
-    $RPM_BUILD_ROOT \
-    > %{name}-%{version}-%{release}-filelist
-
-echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%files -f %{name}-%{version}-%{release}-filelist
-%defattr(-,root,root)
-
-%pre
-if [ $1 -gt 1 ] ; then
-  if [ -e /var/service/sshd/run ] ; then
-       /usr/bin/sv d sshd
-       /usr/bin/sv d sshd/log
-  fi
-fi
Author	SHA1	Message	Date
Jean-Philippe Pialasse	4dc55725a6	* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme - insecure cipher and MAC removed [SME: 12968]	2025-03-22 17:44:56 -04:00
Jean-Philippe Pialasse	add4e66024	* Wed Jan 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme - remove Requires: runit [SME: 12566]	2025-01-15 22:19:33 -05:00
Brian Read	04253ae613	Add *.bak to .gitignore	2024-11-12 19:20:55 +00:00
Jean-Philippe Pialasse	7a00907a30	* Tue Nov 12 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme - fix update of host keys comment [SME: 12759]	2024-11-12 12:48:20 -05:00
Brian Read	fe19270a45	Update README with specific Bugzilla links with status options	2024-10-27 14:29:11 +00:00
Brian Read	91727c8f3d	Update readme bugzilla link to show all outstanding bugs	2024-10-27 12:12:49 +00:00
Jean-Philippe Pialasse	84bf8e5c22	* Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme - remove reference to deprecated rssh [SME: 12670] - template /etc/pam.d/sshd to remove motd [SME: 12740]	2024-09-22 22:43:22 -04:00
Jean-Philippe Pialasse	beb0afe727	* Tue Aug 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme - fix new log does not fill after log rotate [SME: 12690]	2024-09-22 22:07:00 -04:00
Jean-Philippe Pialasse	85ee14e7df	space tidying	2024-04-13 00:30:34 -04:00
Jean-Philippe Pialasse	eee11216ae	deleting file not used anymore since 11.0.0-6	2024-04-13 00:28:54 -04:00
Jean-Philippe Pialasse	2923236197	* Sat Apr 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme - fix script to recomment keys [SME: 12612] now comments rsa, dsa, ecdsa,ed25519. dropped rsa1	2024-04-13 00:12:53 -04:00
				`@@ -0,0 +1 @@`
				`HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256`