Message ID | 6d69e16d-e93b-6c91-a7c1-7731f821e537@link38.eu |
---|---|
State | Superseded |
Series | [1/3] apply logging settings for OpenSSH correctly |

Headers

Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org [IPv6:2001:470:7183:25::1]) by web02.i.ipfire.org (Postfix) with ESMTP id 4042160366 for <patchwork@web02.i.ipfire.org>; Tue, 1 May 2018 14:55:35 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 73150110933F; Tue, 1 May 2018 13:55:34 +0100 (BST)
Authentication-Results: dkim=pass header.d=link38.eu; dmarc=pass (policy=none) header.from=link38.eu; spf=pass smtp.mailfrom=peter.mueller@link38.eu
Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [37.120.167.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-nbg.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 3DA6C110933F for <development@lists.ipfire.org>; Tue, 1 May 2018 13:40:13 +0100 (BST)
To: "IPFire: Development-List" <development@lists.ipfire.org>
From: Peter Müller <peter.mueller@link38.eu>
Subject: [PATCH 1/3] apply logging settings for OpenSSH correctly
Openpgp: preference=signencrypt
Message-ID: <6d69e16d-e93b-6c91-a7c1-7731f821e537@link38.eu>
Date: Tue, 1 May 2018 14:40:11 +0200
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JXP6oS7q56gkbdSnC4CjlYh7YmtuD7gd6"
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>
Commit Message
Peter Müller
May 1, 2018, 12:40 p.m. UTC
The logging settings for OpenSSH (log to syslog with "AUTH"
facility at "INFO" level) were not applied correctly. This
patch fixes that for both installed systems and the LFS file.
Partially addresses #11538.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/rootfiles/core/121/update.sh | 6 ++++++
lfs/openssh | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
Comments
I guess this looks good.

The problem here certainly was that editing a file that comes from upstream with
sed is not a good idea. One line changed can cause the sed to do nothing and we
won't even notice it. Therefore, in the future, I will only accept patches for
changes like this. Those won't apply and then we can investigate why.

Best,
-Michael

On Tue, 2018-05-01 at 14:40 +0200, Peter Müller wrote:
> The logging settings for OpenSSH (log to syslog with "AUTH"
> facility at "INFO" level) were not applied correctly. This
> patch fixes that for both installed systems and the LFS file.
>
> Partially addresses #11538.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> config/rootfiles/core/121/update.sh | 6 ++++++
> lfs/openssh | 4 ++--
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/core/121/update.sh
> b/config/rootfiles/core/121/update.sh
> index 87d5f6ebd..5b8f2c86e 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -56,7 +56,13 @@ rm -rvf \
> /usr/share/nagios/ \
> /var/nagios/
>
> +# Update SSH configuration
> +sed -i /etc/ssh/sshd_config \
> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> + -e 's/^#LogLevel INFO$/LogLevel INFO/'
> +
> # Start services
> +/etc/init.d/sshd restart
> /etc/init.d/apache restart
>
> # This update needs a reboot...
> diff --git a/lfs/openssh b/lfs/openssh
> index 203446370..46561953d 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
> yes/' \
> -e 's/^#\?UsePAM .*$$//' \
> -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
> - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
> - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
> -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
> -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
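The failure mode Michael describes (a sed pattern that no longer matches the upstream line, so the edit is silently skipped and sed still exits 0), as an added shell example that is not part of this patch or of IPFire's code. The sshd_config contents, the function names (`write_sample_config`, `active_value`, `apply_unverified`, `set_directive`, `demo`) and the file handling are constructed for the demonstration; the pattern in `apply_unverified` is the one this patch removes, spelled with POSIX `\{0,1\}` instead of GNU sed's `\?` so the example also runs on BSD sed.

```shell
#!/bin/sh
# Added example, not IPFire code: an unverified sed edit of an upstream
# sshd_config can silently do nothing; the edit should be checked afterwards.
# Config content, file names and function names are constructed for the demo.

# Write a constructed upstream-style sshd_config (directives commented out,
# as OpenSSH ships them) into the file given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#SyslogFacility AUTH
#LogLevel INFO
#PermitRootLogin prohibit-password
X11Forwarding no
EOF
}

# Print the value of directive $2 that is in effect in file $1 (first active,
# uncommented occurrence; keywords are case-insensitive as in sshd), or nothing.
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# The pattern this patch replaces: it demands a space after "AUTH", which the
# upstream line "#SyslogFacility AUTH" does not have, so sed matches nothing,
# exits 0 and nobody notices.
apply_unverified() {
    sed -e 's/^#\{0,1\}SyslogFacility AUTH .*$/SyslogFacility AUTH/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Set directive $2 to $3 in file $1 and verify it afterwards: the first matching
# line (active or commented out) is replaced, further copies are dropped, and
# the directive is appended if absent. Returns non-zero when the directive is
# still not in effect, so a caller such as an update script cannot miss a
# failed edit. Directives inside Match blocks are not handled here.
set_directive() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^#/, "", line); split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    got=$(active_value "$file" "$key")
    if [ "$got" != "$value" ]; then
        echo "ERROR: $key is '${got:-unset}' in $file, wanted '$value'" >&2
        return 1
    fi
}

# Run both approaches against the sample file and report what sshd would see.
demo() {
    f=$(mktemp)
    write_sample_config "$f"
    apply_unverified "$f"
    before=$(active_value "$f" SyslogFacility)     # empty: nothing was changed
    set_directive "$f" SyslogFacility AUTH && set_directive "$f" LogLevel VERBOSE
    after=$(active_value "$f" SyslogFacility)
    rm -f "$f"
    echo "before=${before:-none} after=$after"
}
```

Running `demo` prints `before=none after=AUTH`: the old pattern left `SyslogFacility` commented out while `set_directive` made it active and would have returned an error otherwise. On a real host, `sshd -t` before restarting the daemon is the matching syntax check, so that a broken config cannot take down the only remote path into a firewall.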
Hello Michael,

since we edit a lot of settings in the sshd_config file (and perhaps in
the ssh_config file, too, when it comes to cipher selection), should we
introduce a completely own config file? If so, how do I do so?

We still need to manipulate it via sed for existing installations (via
the update.sh script), but we could omit the procedure during building
the package.

As most of the config file is commented out by default, it could
also be made much smaller and easier to read, only containing settings
different from the defaults.

Best regards,
Peter Müller

> I guess this looks good.
>
> The problem here certainly was that editing a file that comes from upstream with
> sed is not a good idea. One line changed can cause the sed to do nothing and we
> won't even notice it. Therefore, in the future, I will only accept patches for
> changes like this. Those won't apply and then we can investigate why.
>
> Best,
> -Michael
>
> On Tue, 2018-05-01 at 14:40 +0200, Peter Müller wrote:
>> The logging settings for OpenSSH (log to syslog with "AUTH"
>> facility at "INFO" level) were not applied correctly. This
>> patch fixes that for both installed systems and the LFS file.
>
>> Partially addresses #11538.
>
>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>> ---
>> config/rootfiles/core/121/update.sh | 6 ++++++
>> lfs/openssh | 4 ++--
>> 2 files changed, 8 insertions(+), 2 deletions(-)
>
>> diff --git a/config/rootfiles/core/121/update.sh
>> b/config/rootfiles/core/121/update.sh
>> index 87d5f6ebd..5b8f2c86e 100644
>> --- a/config/rootfiles/core/121/update.sh
>> +++ b/config/rootfiles/core/121/update.sh
>> @@ -56,7 +56,13 @@ rm -rvf \
>> /usr/share/nagios/ \
>> /var/nagios/
>
>> +# Update SSH configuration
>> +sed -i /etc/ssh/sshd_config \
>> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> + -e 's/^#LogLevel INFO$/LogLevel INFO/'
>> +
>> # Start services
>> +/etc/init.d/sshd restart
>> /etc/init.d/apache restart
>
>> # This update needs a reboot...
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 203446370..46561953d 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
>> yes/' \
>> -e 's/^#\?UsePAM .*$$//' \
>> -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
>> - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
>> - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
>> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
>> -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>> -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>> -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>
On Wed, 2018-05-30 at 21:47 +0200, Peter Müller wrote:
> Hello Michael,
>
> since we edit a lot of settings in the sshd_config file (and perhaps in
> the ssh_config file, too, when it comes to cipher selection), should we
> introduce a completely own config file? If so, how do I do so?

Well, write a new configuration file and a script that takes the settings from the
previous one and changes it accordingly. Those settings should also be in
/var/ipfire/remote/settings.

> We still need to manipulate it via sed for existing installations (via
> the update.sh script), but we could omit the procedure during building
> the package.

Yes.

> As most of the config file is commented out by default, it could
> also be made much smaller and easier to read, only containing settings
> different than the defaults.

Yes, we can remove lots here. I think we should keep this as easy as possible
because we got loads of other things to take care of.

Best,
-Michael

>
> Best regards,
> Peter Müller
>
> > I guess this looks good.
> >
> > The problem here certainly was that editing a file that comes from upstream
> > with
> > sed is not a good idea. One line changed can cause the sed to do nothing and
> > we
> > won't even notice it. Therefore, in the future, I will only accept patches
> > for
> > changes like this. Those won't apply and then we can investigate why.
> >
> > Best,
> > -Michael
> >
> > On Tue, 2018-05-01 at 14:40 +0200, Peter Müller wrote:
> > > The logging settings for OpenSSH (log to syslog with "AUTH"
> > > facility at "INFO" level) were not applied correctly. This
> > > patch fixes that for both installed systems and the LFS file.
> > > Partially addresses #11538.
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > > config/rootfiles/core/121/update.sh | 6 ++++++
> > > lfs/openssh | 4 ++--
> > > 2 files changed, 8 insertions(+), 2 deletions(-)
> > > diff --git a/config/rootfiles/core/121/update.sh
> > > b/config/rootfiles/core/121/update.sh
> > > index 87d5f6ebd..5b8f2c86e 100644
> > > --- a/config/rootfiles/core/121/update.sh
> > > +++ b/config/rootfiles/core/121/update.sh
> > > @@ -56,7 +56,13 @@ rm -rvf \
> > > /usr/share/nagios/ \
> > > /var/nagios/
> > > +# Update SSH configuration
> > > +sed -i /etc/ssh/sshd_config \
> > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > + -e 's/^#LogLevel INFO$/LogLevel INFO/'
> > > +
> > > # Start services
> > > +/etc/init.d/sshd restart
> > > /etc/init.d/apache restart
> > > # This update needs a reboot...
> > > diff --git a/lfs/openssh b/lfs/openssh
> > > index 203446370..46561953d 100644
> > > --- a/lfs/openssh
> > > +++ b/lfs/openssh
> > > @@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
> > > yes/' \
> > > -e 's/^#\?UsePAM .*$$//' \
> > > -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
> > > - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/'
> > > \
> > > - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
> > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > > -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/'
> > > \
> > > -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> > > -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
> >
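The approach Michael sketches above (a new, minimal configuration file plus a script that carries the settings over from the previous one), as an added shell example that is neither this patch nor IPFire's code. The defaults table, the sample "old" sshd_config, the port value and the function names (`write_sample_old_config`, `nondefault_directives`, `write_minimal_config`, `demo`) are all constructed for the demonstration; it says nothing about the format of /var/ipfire/remote/settings, which the page does not show.

```shell
#!/bin/sh
# Added example, not IPFire code: build a minimal sshd_config from an existing
# upstream-derived one. Only directives that are active (not commented out) and
# differ from the upstream default are carried over, so the new file lists
# exactly what was changed. Defaults table, sample config and names are
# constructed for this demo.

# Upstream OpenSSH defaults for the directives IPFire's lfs/openssh sed touches,
# keyed by lower-cased keyword (values as documented in sshd_config(5)).
DEFAULTS='
port 22
syslogfacility AUTH
loglevel INFO
x11forwarding no
allowtcpforwarding yes
permitrootlogin prohibit-password
ignoreuserknownhosts no
usepam no
passwordauthentication yes
'

# Constructed "old" sshd_config: the upstream file after sed edits, plus a
# Match block an administrator added by hand.
write_sample_old_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 222
SyslogFacility AUTH
LogLevel INFO
IgnoreUserKnownHosts yes
X11Forwarding no
AllowTcpForwarding no
PermitRootLogin yes
#PasswordAuthentication yes
Match User backup
    AllowTcpForwarding yes
EOF
}

# Print the active directives of $1 that differ from the upstream default, one
# "Keyword value" per line; the first occurrence of a keyword wins, as in sshd.
# Processing stops at the first Match block: its directives are conditional and
# must not be hoisted to the top level of the new file.
nondefault_directives() {
    printf '%s\n' "$DEFAULTS" | awk '
        NR == FNR { if (NF) def[$1] = $2; next }     # stdin: defaults table
        NF == 0 || $1 ~ /^#/ { next }                  # blank line or comment
        tolower($1) == "match" { exit }
        {
            key = tolower($1); val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)       # text after the keyword
            if (key in seen) next
            seen[key] = 1
            if (key in def && tolower(def[key]) == tolower(val)) next
            print $1 " " val
        }
    ' - "$1"
}

# Write the minimal config $2 from $1: a header, the non-default directives,
# then any Match block(s) copied verbatim.
write_minimal_config() {
    {
        echo "# Generated from $1: settings that differ from upstream defaults"
        nondefault_directives "$1"
        awk 'tolower($1) == "match" { copy = 1 } copy' "$1"
    } > "$2"
}

# Stand-alone run: generate from the sample and show the result.
demo() {
    old=$(mktemp); new=$(mktemp)
    write_sample_old_config "$old"
    write_minimal_config "$old" "$new"
    cat "$new"
    rm -f "$old" "$new"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

For the sample file the generated config keeps `Port 222`, `IgnoreUserKnownHosts yes`, `AllowTcpForwarding no` and `PermitRootLogin yes`, drops `SyslogFacility AUTH`, `LogLevel INFO` and `X11Forwarding no` because they equal upstream's defaults, and copies the Match block untouched. Whether a default-valued directive should still be written out explicitly (as this patch does for the two logging settings) is a policy decision; the filter makes that choice visible rather than hiding it in a sed expression.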
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..5b8f2c86e 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -56,7 +56,13 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/ +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' + # Start services +/etc/init.d/sshd restart /etc/init.d/apache restart # This update needs a reboot... diff --git a/lfs/openssh b/lfs/openssh index 203446370..46561953d 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#\?UsePAM .*$$//' \ -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
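Review bot: the sed in the update.sh hunk can still fail silently, which is the very problem the commit message sets out to fix. On an installed system /etc/ssh/sshd_config only matches `^#SyslogFacility AUTH$` and `^#LogLevel INFO$` if nobody has touched those lines; if an administrator already uncommented or changed them, sed changes nothing and exits 0, and the script carries on. Check the outcome after the edit, e.g. `grep -q '^SyslogFacility AUTH$' /etc/ssh/sshd_config || echo "sshd_config: SyslogFacility not applied" >&2`, and run `sshd -t` before `/etc/init.d/sshd restart` so a config sshd refuses to load cannot take down remote access to a firewall. The restart is also unconditional; since SSH is optional on IPFire, consider restarting only when sshd is currently running, so the update does not start a service the administrator has disabled.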
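Review bot: the two added lines in the lfs/openssh hunk use a single `$` as the end-of-line anchor, but this is a Makefile recipe, where a lone `$` starts a make variable reference; every neighbouring line in the hunk writes the anchor as `$$` for exactly that reason (`.*$$/`). make expands `$/` to the (empty) value of the variable named `/` and swallows the slash, so the shell hands sed `s/^#SyslogFacility AUTHSyslogFacility AUTH/`, an unterminated s command, and the build step fails instead of applying the setting. Write `-e 's/^#SyslogFacility AUTH$$/SyslogFacility AUTH/' \` and `-e 's/^#LogLevel INFO$$/LogLevel INFO/' \`. The diagnosis behind the change is right: the removed patterns required a space after AUTH and INFO (`AUTH .*`), which upstream's `#SyslogFacility AUTH` line does not have, so they never matched. In the update.sh hunk a single `$` is fine, since there it sits inside a single-quoted shell string.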