Diffstat (limited to 'source/n/openssh')
-rw-r--r-- | source/n/openssh/doinst.sh | 3 | ||||
-rwxr-xr-x | source/n/openssh/openssh.SlackBuild | 28 | ||||
-rw-r--r-- | source/n/openssh/sshd.pam | 14 | ||||
-rw-r--r-- | source/n/openssh/sshd_config-pam.diff | 12 |
4 files changed, 55 insertions, 2 deletions
diff --git a/source/n/openssh/doinst.sh b/source/n/openssh/doinst.sh
index 08536ff6..ba1d1cdd 100644
--- a/source/n/openssh/doinst.sh
+++ b/source/n/openssh/doinst.sh
@@ -21,6 +21,9 @@ preserve_perms() {
 config ${NEW}
 }
+if [ -r etc/pam.d/sshd.new ]; then
+ config etc/pam.d/sshd.new
+fi
 config etc/default/sshd.new
 config etc/ssh/ssh_config.new
 config etc/ssh/sshd_config.new
diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild
index 6b634a23..3c614d87 100755
--- a/source/n/openssh/openssh.SlackBuild
+++ b/source/n/openssh/openssh.SlackBuild
@@ -2,7 +2,7 @@
 # Copyright 2000 BSDi, Inc. Concord, CA, USA
 # Copyright 2001, 2002, 2003, 2004 Slackware Linux, Inc. Concord, CA, USA
-# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018 Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020 Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -54,16 +54,22 @@ fi
 if [ "$ARCH" = "i586" ]; then
 SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
 elif [ "$ARCH" = "s390" ]; then
 SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
 elif [ "$ARCH" = "x86_64" ]; then
 SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
 elif [ "$ARCH" = "arm" ]; then
 SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+ LIBDIRSUFFIX=""
 elif [ "$ARCH" = "armel" ]; then
 SLKCFLAGS="-O2 -march=armv4t"
+ LIBDIRSUFFIX=""
 else
 SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
 fi
 # Clean target location:
@@ -80,6 +86,17 @@ chown -R root:root .
 # Restore support for tcpwrappers:
 zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ PAM_OPTIONS="--with-pam --with-kerberos5"
+ unset SHADOW_OPTIONS
+ # Enable PAM in sshd_config:
+ zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--without-pam"
+fi
+
 autoreconf -vif
 # Compile package:
@@ -88,7 +105,8 @@ CFLAGS="$SLKCFLAGS" \
 --prefix=/usr \
 --mandir=/usr/man \
 --sysconfdir=/etc/ssh \
- --without-pam \
+ $PAM_OPTIONS \
+ $SHADOW_OPTIONS \
 --with-md5-passwords \
 --with-libedit \
 --with-tcp-wrappers \
@@ -170,6 +188,12 @@ fi
 cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
 chmod 755 etc/rc.d/rc.sshd.new
+ if [ ! -z "$PAM_OPTIONS" ]; then
+ # Add the pam stuff:
+ mkdir -p etc/pam.d
+ cat $CWD/sshd.pam > etc/pam.d/sshd.new
+ fi
+
 # Copy runtime installation files:
 mkdir -p install
 zcat $CWD/doinst.sh.gz > install/doinst.sh
diff --git a/source/n/openssh/sshd.pam b/source/n/openssh/sshd.pam
new file mode 100644
index 00000000..0c465192
--- /dev/null
+++ b/source/n/openssh/sshd.pam
@@ -0,0 +1,14 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth required pam_securetty.so
+auth include system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session required pam_loginuid.so
diff --git a/source/n/openssh/sshd_config-pam.diff b/source/n/openssh/sshd_config-pam.diff
new file mode 100644
index 00000000..d5198c2f
--- /dev/null
+++ b/source/n/openssh/sshd_config-pam.diff
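Review bot: The test `[ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]` leaves the glob unquoted inside `[ ]`, so if more than one file matches, `[` gets extra arguments, fails, and the script drops into the `else` branch and configures `--without-pam` without any message. The same silent fall-through would presumably occur on any ARCH that takes the `else` default `LIBDIRSUFFIX=""` in the earlier hunk while keeping its libraries in another directory; the library layout is not visible here. Since this branch decides whether the packaged sshd gets PAM account and session handling plus Kerberos support, iterate over the matches instead, e.g. `for f in /lib${LIBDIRSUFFIX}/libpam.so.?; do [ -L "$f" ] && HAVE_PAM=yes; done`, and print the chosen mode to the build log. The check also reflects the build host rather than the install target, which deserves a comment next to it.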
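Review bot: `etc/pam.d/sshd.new` is created by redirection alone, so its mode is whatever the build umask yields, whereas `rc.sshd.new` just above gets an explicit `chmod 755`. A PAM service file governs the login path and should not depend on the builder's umask; add `chmod 644 etc/pam.d/sshd.new` after the `cat`. As a style point, `[ ! -z "$PAM_OPTIONS" ]` reads more directly as `[ -n "$PAM_OPTIONS" ]`. The enclosing block starts and ends outside the hunk.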
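Review bot: The header comment in sshd.pam explains only the pam_securetty line and does not say which stacks sshd actually runs. With `UsePAM yes`, sshd consults the `auth` lines only for password and keyboard-interactive logins; public-key logins skip them and pass through `account` and `session` only, so a lockout or second-factor module placed in `auth` (here or in the included `system-auth`) does not cover key-based access. I would add a comment such as `# Note: public-key logins bypass the auth stack; only account and session apply to them.` above the first `auth` line. The included `system-auth` and `postlogin` files are not part of this diff, so what they enforce cannot be checked from here.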
@@ -0,0 +1,12 @@
+diff -Nur openssh-6.6p1.orig/sshd_config openssh-6.6p1/sshd_config
+--- openssh-6.6p1.orig/sshd_config 2014-01-12 02:20:47.000000000 -0600
++++ openssh-6.6p1/sshd_config 2014-07-26 17:28:35.993833123 -0500
+@@ -94,7 +94,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes |
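Review bot: The embedded patch turns on `UsePAM yes` but leaves `PasswordAuthentication` and `ChallengeResponseAuthentication` untouched, even though the context lines it quotes are the comment that warns about exactly those two options. If challenge-response stays enabled in the shipped sshd_config (its value is not visible in this hunk), a host where the administrator later sets `PasswordAuthentication no` can still be offered PAM password prompts through keyboard-interactive. Either set the intended values explicitly in the same patch or add a comment beside `UsePAM yes` stating that both options must be `no` for key-only access. The patch header pins `openssh-6.6p1` and line 94, so on other versions it applies by offset; that is worth a note in the SlackBuild next to the `patch` call.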