From ad40d2a62a3d9772ffd95038a73f7e957c39950b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Thu, 2 Feb 2023 22:52:48 +0000 Subject: Thu Feb 2 22:52:48 UTC 2023 patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded. This release contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable, but upstream reports most network-reachable memory faults as security bugs. This update contains some potentially incompatible changes regarding the scp utility. For more information, see: https://www.openssh.com/releasenotes.html#9.0 For more information, see: https://www.openssh.com/releasenotes.html#9.2 (* Security fix *) --- .../packages/openssh-9.2p1-x86_64-1_slack15.0.txt | 11 ++ patches/source/openssh/doinst.sh | 53 ++++++ patches/source/openssh/openssh.SlackBuild | 206 +++++++++++++++++++++ patches/source/openssh/openssh.tcp_wrappers.diff | 139 ++++++++++++++ patches/source/openssh/openssh.url | 1 + patches/source/openssh/rc.sshd | 64 +++++++ patches/source/openssh/slack-desc | 19 ++ patches/source/openssh/sshd.default | 10 + patches/source/openssh/sshd.pam | 23 +++ patches/source/openssh/sshd_config-pam.diff | 11 ++ 10 files changed, 537 insertions(+) create mode 100644 patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt create mode 100644 patches/source/openssh/doinst.sh create mode 100755 patches/source/openssh/openssh.SlackBuild create mode 100644 patches/source/openssh/openssh.tcp_wrappers.diff create mode 100644 patches/source/openssh/openssh.url create mode 100644 patches/source/openssh/rc.sshd create mode 100644 patches/source/openssh/slack-desc create mode 100644 patches/source/openssh/sshd.default create mode 100644 patches/source/openssh/sshd.pam create mode 100644 patches/source/openssh/sshd_config-pam.diff (limited to 'patches') 
diff --git a/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt b/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt
new file mode 100644
index 000000000..dca51ed45
--- /dev/null
+++ b/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt
@@ -0,0 +1,11 @@
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:
diff --git a/patches/source/openssh/doinst.sh b/patches/source/openssh/doinst.sh
new file mode 100644
index 000000000..ba1d1cdd3
--- /dev/null
+++ b/patches/source/openssh/doinst.sh
@@ -0,0 +1,53 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ touch -r ${NEW} ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ config ${NEW}
+}
+
+if [ -r etc/pam.d/sshd.new ]; then
+ config etc/pam.d/sshd.new
+fi
+config etc/default/sshd.new
+config etc/ssh/ssh_config.new
+config etc/ssh/sshd_config.new
+preserve_perms etc/rc.d/rc.sshd.new
+if [ -e etc/rc.d/rc.sshd.new ]; then
+ mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd
+fi
+
+# If the sshd user/group/shadow don't exist, add them:
+
+if ! grep -q "^sshd:" etc/passwd ; then
+ echo "sshd:x:33:33:sshd:/:" >> etc/passwd
+fi
+
+if ! grep -q "^sshd:" etc/group ; then
+ echo "sshd::33:sshd" >> etc/group
+fi
+
+if ! grep -q "^sshd:" etc/shadow ; then
+ echo "sshd:*:9797:0:::::" >> etc/shadow
+fi
+
+# Add a btmp file to store login failure if one doesn't exist:
+if [ ! -r var/log/btmp ]; then
+ ( cd var/log ; umask 077 ; touch btmp )
+fi
+
diff --git a/patches/source/openssh/openssh.SlackBuild b/patches/source/openssh/openssh.SlackBuild
new file mode 100755
index 000000000..aa6b09b87
--- /dev/null
+++ b/patches/source/openssh/openssh.SlackBuild
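Review bot: The sshd account created in the user/group block has an empty shell field (`echo "sshd:x:33:33:sshd:/:" >> etc/passwd`), which passwd(5) treats as /bin/sh, and its home is `/` rather than the `/var/empty` privsep directory the SlackBuild configures with `--with-privsep-path`. The `*` in the shadow entry blocks password logins, so this is defense in depth rather than an open door, but a non-interactive shell costs nothing: `echo "sshd:x:33:33:sshd:/var/empty:/bin/false" >> etc/passwd` — unless the distribution's base passwd already ships this exact line, in which case the two should stay consistent. Also worth a comment on the `preserve_perms`/`mv` pair: unlike the other configs handled by `config`, a locally modified rc.sshd is always overwritten and only its mode/ownership survive, e.g. `# rc.sshd is always replaced; only its permissions are carried over from the old copy.`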
@@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002, 2003, 2004 Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+# Set initial variables:
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-openssh
+
+PKGNAM=openssh
+VERSION=${VERSION:-$(echo openssh-*.tar.?z | rev | cut -f 3- -d .
| cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1_slack15.0}
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+elif [ "$ARCH" = "arm" ]; then
+ SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "armel" ]; then
+ SLKCFLAGS="-O2 -march=armv4t"
+ LIBDIRSUFFIX=""
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+# Clean target location:
+rm -rf $PKG
+mkdir -p $PKG
+
+# Prepare the framework and extract the package:
+cd $TMP
+rm -rf $PKG openssh-$VERSION
+tar xvf $CWD/openssh-$VERSION.tar.?z || tar xvf $CWD/openssh-$VERSION.tar.bz2 || exit 1
+cd openssh-$VERSION || exit 1
+chown -R root:root .
+
+# Restore support for tcpwrappers:
+zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
+
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.?
]; then
+ PAM_OPTIONS="--with-pam --with-kerberos5"
+ unset SHADOW_OPTIONS
+ # Enable PAM in sshd_config:
+ zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--without-pam"
+fi
+
+autoreconf -vif
+
+# Compile package:
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --mandir=/usr/man \
+ --sysconfdir=/etc/ssh \
+ $PAM_OPTIONS \
+ $SHADOW_OPTIONS \
+ --with-md5-passwords \
+ --with-libedit \
+ --with-tcp-wrappers \
+ --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+
+# Install the package:
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+# Install directory used with PrivilegeSeparation option:
+mkdir -p $PKG/var/empty
+chmod 755 $PKG/var/empty
+
+# Install defaults file
+mkdir -p $PKG/etc/default
+cat $CWD/sshd.default > $PKG/etc/default/sshd.new
+
+# Install docs:
+mkdir -p $PKG/usr/doc/openssh-$VERSION
+cp -a \
+ CREDITS ChangeLog INSTALL LICENCE OVERVIEW \
+ README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG \
+ $PKG/usr/doc/openssh-$VERSION
+chmod 644 $PKG/usr/doc/openssh-$VERSION/*
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+# Install also 'ssh-copy-id' and its manpage from contrib:
+( cd contrib
+ cp -a ssh-copy-id $PKG/usr/bin/ssh-copy-id
+ chmod 755 $PKG/usr/bin/ssh-copy-id
+ cat ssh-copy-id.1 | gzip -9c > $PKG/usr/man/man1/ssh-copy-id.1.gz
+)
+
+( cd $PKG
+
+ # Ditch the new host keys, since these have to be uniquely prepared on each machine:
+ rm -f etc/ssh/ssh_host_dsa_key
+ rm -f etc/ssh/ssh_host_dsa_key.pub
+ rm -f etc/ssh/ssh_host_rsa_key
+ rm -f etc/ssh/ssh_host_rsa_key.pub
+ rm -f etc/ssh/ssh_host_key
+ rm -f etc/ssh/ssh_host_key.pub
+
+ # Set up the config script installation:
+ mv etc/ssh/ssh_config etc/ssh/ssh_config.new
+ mv etc/ssh/sshd_config etc/ssh/sshd_config.new
+
+ # Add the init script:
+ mkdir -p etc/rc.d
+ cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
+ chmod 755 etc/rc.d/rc.sshd.new
+
+ if [ ! -z "$PAM_OPTIONS" ]; then
+ # Add the pam stuff:
+ mkdir -p etc/pam.d
+ cat $CWD/sshd.pam > etc/pam.d/sshd.new
+ fi
+
+ # Copy runtime installation files:
+ mkdir -p install
+ zcat $CWD/doinst.sh.gz > install/doinst.sh
+ cat $CWD/slack-desc > install/slack-desc
+)
+
+# Create the package itself:
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/openssh-$VERSION-$ARCH-$BUILD.txz
+
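Review bot: The host-key cleanup in the `( cd $PKG ... )` block only removes the dsa, rsa and legacy `ssh_host_key` pairs, so if the install step ever leaves ecdsa or ed25519 keys in `$PKG/etc/ssh` (upstream's `host-key` make target skips generation when DESTDIR is set, which is presumably why this is not biting today) every machine installing the package would share one host key; a glob closes the gap: `rm -f etc/ssh/ssh_host_*_key etc/ssh/ssh_host_*_key.pub etc/ssh/ssh_host_key etc/ssh/ssh_host_key.pub`. The extraction line `tar xvf $CWD/openssh-$VERSION.tar.?z || tar xvf $CWD/openssh-$VERSION.tar.bz2 || exit 1` also unpacks the tarball without checking its signature; if the release `.asc` is kept next to the tarball as with other Slackware sources, a `gpg --verify $CWD/openssh-$VERSION.tar.gz.asc || exit 1` before the tar would be the cheapest supply-chain check in this script. Both `zcat ... | patch` pipelines run without `pipefail`, but patch exits non-zero on empty input, so a missing .gz still aborts the build.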
diff --git a/patches/source/openssh/openssh.tcp_wrappers.diff b/patches/source/openssh/openssh.tcp_wrappers.diff
new file mode 100644
index 000000000..3b530a5b7
--- /dev/null
+++ b/patches/source/openssh/openssh.tcp_wrappers.diff
@@ -0,0 +1,139 @@ +--- ./sshd.8.orig 2022-02-23 05:31:11.000000000 -0600 ++++ ./sshd.8 2022-02-24 13:28:36.533888569 -0600 +@@ -908,6 +908,12 @@ + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -1010,6 +1016,7 @@ + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +--- ./configure.ac.orig 2022-02-23 05:31:11.000000000 -0600 ++++ ./configure.ac 2022-02-24 13:30:10.535883370 -0600 +@@ -1599,6 +1599,62 @@ + AC_MSG_RESULT([no]) + fi + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap -lnsl $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include ++#include ++#include ++#include ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ 
AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap -lnsl" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -5593,6 +5649,7 @@ + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" +--- ./sshd.c.orig 2022-02-23 05:31:11.000000000 -0600 ++++ ./sshd.c 2022-02-24 13:28:36.533888569 -0600 +@@ -129,6 +129,13 @@ + #include "srclimit.h" + #include "dh.h" + ++#ifdef LIBWRAP ++#include ++#include ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) +@@ -2138,6 +2145,26 @@ + the_active_state = ssh; + ssh_packet_set_server(ssh); + ++/* Moved LIBWRAP check here */ ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. */ ++ if (ssh_packet_connection_is_on_socket(ssh)) { /* This check must be after ssh_packet_set_connection() */ ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ ++ + check_ip_options(ssh); + + /* Prepare the channels layer */ diff --git a/patches/source/openssh/openssh.url b/patches/source/openssh/openssh.url new file mode 100644 index 000000000..9c8a0ceaf --- /dev/null +++ b/patches/source/openssh/openssh.url 
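Review bot: The `/* Moved LIBWRAP check here */` comment in the sshd.c hunk says where the check went but not why the placement matters: it runs in the per-connection child after `ssh_packet_set_server(ssh)`, so a host denied by hosts.deny has already cost a fork (and the re-exec) and a MaxStartups slot before `refuse(&req)` exits, and it must stay after `ssh_packet_set_connection()` for `sock_in` to be valid. I would replace the comment with `/* tcp-wrappers check: post-fork, once the connection socket is set; it filters logins but does not relieve MaxStartups/PerSourceMaxStartups of pre-fork rate limiting */`. Separately, every `#include` line in both the configure.ac probe and the sshd.c hunk appears here without a header operand (`++#include`), which looks like the `<...>` operands were stripped when this page was rendered rather than in the patch itself — worth confirming against the file in the tree, since the probe cannot link without them. Upstream removed libwrap support in 6.7, so this is distro-maintained code on sshd's connection path; the enclosing function starts and ends outside the hunk.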
@@ -0,0 +1 @@
+https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
diff --git a/patches/source/openssh/rc.sshd b/patches/source/openssh/rc.sshd
new file mode 100644
index 000000000..eea6c6a74
--- /dev/null
+++ b/patches/source/openssh/rc.sshd
@@ -0,0 +1,64 @@
+#!/bin/sh
+# Start/stop/restart the secure shell server:
+
+# Source options
+if [ -r /etc/default/sshd ]; then
+ . /etc/default/sshd
+fi
+
+sshd_start() {
+ # Create host keys if needed.
+ if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
+ /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+ /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+ /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+ /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+ fi
+ # Catch any new host key types not yet created above:
+ /usr/bin/ssh-keygen -A
+ # Start the sshd daemon:
+ /usr/sbin/sshd $SSHD_OPTS
+}
+
+sshd_stop() {
+ killall sshd
+}
+
+sshd_restart() {
+ if [ -r /var/run/sshd.pid ]; then
+ echo "WARNING: killing listener process only. To kill every sshd process, you must"
+ echo " use 'rc.sshd stop'. 'rc.sshd restart' kills only the parent sshd to"
+ echo " allow an admin logged in through sshd to use 'rc.sshd restart' without"
+ echo " being cut off. If sshd has been upgraded, new connections will now"
+ echo " use the new version, which should be a safe enough approach."
+ kill `cat /var/run/sshd.pid`
+ else
+ echo "WARNING: There does not appear to be a parent instance of sshd running."
+ echo " If you really want to kill all running instances of sshd (including"
+ echo " any sessions currently in use), run '/etc/rc.d/rc.sshd stop' instead."
+ exit 1
+ fi
+ sleep 1
+ sshd_start
+}
+
+case "$1" in
+'start')
+ sshd_start
+ ;;
+'stop')
+ sshd_stop
+ ;;
+'restart')
+ sshd_restart
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
+
diff --git a/patches/source/openssh/slack-desc b/patches/source/openssh/slack-desc
new file mode 100644
index 000000000..6d5aec5e6
--- /dev/null
+++ b/patches/source/openssh/slack-desc
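Review bot: `sshd_start` still generates a DSA host key (`/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''`) although sshd has not offered ssh-dss host keys by default since 7.0, so a 1024-bit DSA key is written to /etc/ssh on every fresh install and, unless the admin re-enables ssh-dss, never used. I would drop that `if` block; the rsa/ecdsa/ed25519 blocks also look redundant with the `ssh-keygen -A` call that follows, which creates whichever default types are missing, though keeping them is harmless. If the DSA key must stay for some legacy client, a comment saying so would stop the next reader from assuming it is in use: `# DSA host key is kept for legacy clients only; sshd does not offer ssh-dss unless HostKeyAlgorithms is changed.`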
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:
diff --git a/patches/source/openssh/sshd.default b/patches/source/openssh/sshd.default
new file mode 100644
index 000000000..6cab3ba31
--- /dev/null
+++ b/patches/source/openssh/sshd.default
@@ -0,0 +1,10 @@
+# Optional arguments to start sshd with.
+#
+# Note that using the -p flag causes any Port directives
+# in sshd_config(5) to be ignored.
+#
+# If you want to run sshd on non-standard port(s), use:
+#SSHD_OPTS="-p 12345 -p 6789"
+#
+# If you want to use non-standard sshd_config, use:
+#SSHD_OPTS="-f /some/other/sshd_config"
diff --git a/patches/source/openssh/sshd.pam b/patches/source/openssh/sshd.pam
new file mode 100644
index 000000000..cc188fa56
--- /dev/null
+++ b/patches/source/openssh/sshd.pam
@@ -0,0 +1,23 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth required pam_securetty.so
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth requisite pam_faillock.so preauth
+auth include system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth [default=die] pam_faillock.so authfail
+#auth sufficient pam_faillock.so authsucc
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session required pam_loginuid.so
+-session optional pam_elogind.so
diff --git a/patches/source/openssh/sshd_config-pam.diff b/patches/source/openssh/sshd_config-pam.diff
new file mode 100644
index 000000000..ec3cab2d1
--- /dev/null
+++ b/patches/source/openssh/sshd_config-pam.diff
@@ -0,0 +1,11 @@
+--- ./sshd_config.orig 2021-08-19 23:03:49.000000000 -0500
++++ ./sshd_config 2021-08-20 22:22:55.125351390 -0500
+@@ -79,7 +79,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
-- cgit v1.2.3-79-gdb01
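Review bot: Flipping `#UsePAM no` to `UsePAM yes` also turns on PAM password and keyboard-interactive authentication, because upstream's defaults for `PasswordAuthentication` and `KbdInteractiveAuthentication` are both yes; the upstream comment kept in the context lines only covers the account/session-only case. Admins who later set `PasswordAuthentication no` to go key-only still get PAM password prompts through keyboard-interactive unless they also set `KbdInteractiveAuthentication no`, a common surprise that a distro comment directly above the enabled directive would head off: `# Slackware: PAM is enabled. To disable password logins entirely, set BOTH PasswordAuthentication and KbdInteractiveAuthentication to 'no'.` The sshd.pam stack in the preceding hunk ships pam_faillock commented out, so no account lockout is configured by default and sshd's MaxAuthTries is the only per-connection brute-force limit; that is a documented choice in the file's own comments, but a pointer to it from sshd.default would make it easier to find.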