* Thu Jul 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- re-add hmac-sha2-512 for backward compatibility [SME: 12968]

.gitignore

@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak

README.md

@@ -6,7 +6,14 @@ SMEServer Koozali developed git repo for smeserver-openssh smeserver
 <br />https://wiki.koozali.org/
 
 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)\
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 And a list of outstanding Legacy bugs: (e-smith-openssh) [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
 
 ## Description

createlinks

@@ -6,7 +6,8 @@ use esmith::Build::CreateLinks qw(:all);
 foreach (qw(
     /etc/ssh/sshd_config
     /etc/ssh/ssh_config    
-	))
+    /etc/pam.d/sshd
+))
 {
     templates2events("$_", qw(
 	console-save
@@ -16,22 +17,6 @@ foreach (qw(
 	));
 }
 
-foreach (qw(
-    /etc/rssh.conf
-	))
-{
-    templates2events("$_", qw(
-	bootstrap-console-save
-	password-modify
-	remoteaccess-update
-	user-lock
-	user-create
-	user-delete
-	user-modify
-	smeserver-openssh-update
-	));
-}
-
 foreach my $event (
     "console-save",
     "bootstrap-console-save",

root/etc/e-smith/db/accounts/migrate/50rsshRemoval

@@ -0,0 +1,15 @@
+{
+    # Remove AllowRSSH propertie
+    # Reset Shell property if /usr/bin/rssh
+
+    foreach my $account ($DB->get_all)
+    {
+    if (defined $account->prop('Shell') && ($account->prop('Shell') eq "/usr/bin/rssh") )
+        {
+        $account->delete_prop('Shell');
+        }
+    next unless (defined $account->prop('AllowRSSH'));
+    $account->delete_prop('AllowRSSH');
+    }
+}
+

root/etc/e-smith/events/actions/sshd-conf

@@ -83,6 +83,7 @@ SKIP: {
 =cut
 
 my $db = esmith::ConfigDB->open_ro or die "Could not open config db";
+my $comment = "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value;
 
 for my $typek (qw(dsa rsa ecdsa ed25519)) {
     # Recomment the key in case the SystemName or DomainName changed.
@@ -91,8 +92,8 @@ for my $typek (qw(dsa rsa ecdsa ed25519)) {
     
     esmith::util::backgroundCommand (0,
         "/usr/bin/ssh-keygen", @change, "-t", "$typek",
-        "-f", "/etc/ssh/ssh_host_key",
+        "-f", "/etc/ssh/ssh_host_${typek}_key",
-        "-C", "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value);
+        "-C", "comment");
 }
 exit (0);
 

root/etc/e-smith/templates/etc/pam.d/sshd/20auth

@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth       substack     password-auth
+auth       include      postlogin

root/etc/e-smith/templates/etc/pam.d/sshd/30account

@@ -0,0 +1,3 @@
+account    required     pam_sepermit.so
+account    required     pam_nologin.so
+account    include      password-auth

root/etc/e-smith/templates/etc/pam.d/sshd/40password

@@ -0,0 +1 @@
+password   include      password-auth

root/etc/e-smith/templates/etc/pam.d/sshd/50session

@@ -0,0 +1,11 @@
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+#we use the sshd_config file to call motd
+#session    optional     pam_motd.so
+session    include      password-auth
+session    include      postlogin

root/etc/e-smith/templates/etc/rssh.conf/10logfacility

@@ -1 +0,0 @@
-logfacility = LOG_USER 

root/etc/e-smith/templates/etc/rssh.conf/10umask

@@ -1 +0,0 @@
-umask = 022

root/etc/e-smith/templates/etc/rssh.conf/40users

@@ -1,22 +0,0 @@
-{
-    use esmith::AccountsDB;
-
-    my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
-
-    $OUT = '';
-
-    for my $user ( $adb->users )
-    {
-	my %props = $user->props;
-	$props{AllowRSSH} ||= 'unknown';
-
-	next unless ($props{PasswordSet} eq 'yes');
-
-	next if ($props{AllowRSSH} eq 'no');
-
-	next unless ($props{AllowRSSH} eq 'yes' or
-		$props{VPNClientAccess} eq 'yes');
-
-	$OUT .= "user = " . $user->key . ":022:11111:" . "\n";
-    }
-}

root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms

@@ -0,0 +1 @@
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms

@@ -1 +1 @@
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs

@@ -1 +1 @@
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512

root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf

@@ -1,4 +1,8 @@
 [Service]
+# could introduce security issues
+# EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
+EnvironmentFile=
+EnvironmentFile=-/etc/sysconfig/sshd
 ExecStartPre=/sbin/e-smith/service-status sshd
 ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
 ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config

smeserver-openssh.spec

@@ -4,7 +4,7 @@ Summary: smeserver module to configure and enable ssh
 %define name smeserver-openssh
 Name: %{name}
 %define version 11.0.0
-%define release 8
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -19,11 +19,66 @@ Requires: openssh >= 3.5
 Requires: openssh-clients
 Requires: openssh-server
 Requires: smeserver-lib >= 1.15.1-19
-Requires: runit
 Provides: e-smith-openssh
 AutoReqProv: no
 
+%description
+smeserver server enhancement to configure and enable openssh
+
+%prep
+%setup
+rm -rf  root/var/service root/service
+
+%build
+perl createlinks
+# build the test suite from embedded tests
+/sbin/e-smith/buildtests e-smith-openssh
+
+%install
+rm -rf $RPM_BUILD_ROOT
+( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
+rm -f %{name}-%{version}-%{release}-filelist
+
+/sbin/e-smith/genfilelist \
+    --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
+    --dir '/var/log/sshd' 'attr(2750,root,root)' \
+    --dir '/var/empty/sshd' 'attr(0711,root,root)' \
+    $RPM_BUILD_ROOT \
+    > %{name}-%{version}-%{release}-filelist
+
+echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-%{release}-filelist
+%defattr(-,root,root)
+
+%pre
+if [ $1 -gt 1 ] ; then
+  if [ -e /var/service/sshd/run ] ; then
+       /usr/bin/sv d sshd
+       /usr/bin/sv d sshd/log
+  fi
+fi
+
 %changelog
+* Thu Jul 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- re-add hmac-sha2-512 for backward compatibility [SME: 12968]
+
+* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- insecure cipher and MAC removed [SME: 12968]
+
+* Wed Jan 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- remove Requires: runit [SME: 12566]
+
+* Tue Nov 12 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
+- fix update of host keys comment [SME: 12759]
+
+* Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
+- remove reference to deprecated rssh [SME: 12670]
+- template /etc/pam.d/sshd to remove motd [SME: 12740]
+
 * Tue Aug 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
 - fix new log does not fill after log rotate [SME: 12690]
 
@@ -668,42 +723,3 @@ AutoReqProv: no
 * Thu May 11 2000 Charlie Brady <charlieb@e-smith.net>
 - Change rc?.d directory from 3 to 7.
 
-%description
-smeserver server enhancement to configure and enable openssh
-
-%prep
-%setup
-rm -rf  root/var/service root/service
-
-%build
-perl createlinks
-# build the test suite from embedded tests
-/sbin/e-smith/buildtests e-smith-openssh
-
-%install
-rm -rf $RPM_BUILD_ROOT
-( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
-rm -f %{name}-%{version}-%{release}-filelist
-
-/sbin/e-smith/genfilelist \
-    --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
-    --dir '/var/log/sshd' 'attr(2750,root,root)' \
-    --dir '/var/empty/sshd' 'attr(0711,root,root)' \
-    $RPM_BUILD_ROOT \
-    > %{name}-%{version}-%{release}-filelist
-
-echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%files -f %{name}-%{version}-%{release}-filelist
-%defattr(-,root,root)
-
-%pre
-if [ $1 -gt 1 ] ; then
-  if [ -e /var/service/sshd/run ] ; then
-       /usr/bin/sv d sshd
-       /usr/bin/sv d sshd/log
-  fi
-fi