/[packages]/updates/5/openssh/current/SPECS/openssh.spec

Contents of /updates/5/openssh/current/SPECS/openssh.spec



Revision 1186003 - (show annotations) (download)
Wed Dec 27 22:59:59 2017 UTC (6 years, 3 months ago) by luigiwalser
File size: 23512 byte(s)
rediff patch from fedora to fix CVE-2017-15906
1 # Version of ssh-askpass
2 %define aversion 1.2.4.1
3 # Version of watchdog patch
4 %define wversion 4.4p1
5
6 # Version of the hpn patch
7 %define hpnver 13v6
8
9 # overrides
10 %define build_skey 0
11 %define build_krb5 1
12 %define build_watchdog 0
13 %define build_x11askpass 1
14 %define build_gnomeaskpass 1
15 %define build_ldap 1
16 %define build_sftpcontrol 0
17 %define build_hpn 0
18 %define build_audit 0
19 %define build_libedit 1
20
21 %{?_with_skey: %{expand: %%global build_skey 1}}
22 %{?_without_skey: %{expand: %%global build_skey 0}}
23 %{?_with_krb5: %{expand: %%global build_krb5 1}}
24 %{?_without_krb5: %{expand: %%global build_krb5 0}}
25 %{?_with_watchdog: %{expand: %%global build_watchdog 1}}
26 %{?_without_watchdog: %{expand: %%global build_watchdog 0}}
27 %{?_with_x11askpass: %{expand: %%global build_x11askpass 1}}
28 %{?_without_x11askpass: %{expand: %%global build_x11askpass 0}}
29 %{?_with_gnomeaskpass: %{expand: %%global build_gnomeaskpass 1}}
30 %{?_without_gnomeaskpass: %{expand: %%global build_gnomeaskpass 0}}
31 %{?_with_ldap: %{expand: %%global build_ldap 1}}
32 %{?_without_ldap: %{expand: %%global build_ldap 0}}
33 %{?_with_sftpcontrol: %{expand: %%global build_sftpcontrol 1}}
34 %{?_without_sftpcontrol: %{expand: %%global build_sftpcontrol 0}}
35 %{?_with_hpn: %{expand: %%global build_hpn 1}}
36 %{?_without_hpn: %{expand: %%global build_hpn 0}}
37 %{?_with_audit: %{expand: %%global build_audit 1}}
38 %{?_without_audit: %{expand: %%global build_audit 0}}
39 %{?_with_libedit: %{expand: %%global build_libedit 1}}
40 %{?_without_libedit: %{expand: %%global build_libedit 0}}
41
42 %define OPENSSH_PATH "/usr/local/bin:%{_bindir}"
43 %define XAUTH %{_bindir}/xauth
44
45 Summary: OpenSSH free Secure Shell (SSH) implementation
46 Name: openssh
47 Version: 6.6p1
48 %define subrel 10
49 Release: %mkrel 5
50 License: BSD
51 Group: Networking/Remote access
52 URL: http://www.openssh.com/
53 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
54 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
55 Source2: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.bz2
56 # ssh-copy-id taken from debian, with "usage" added
57 Source3: ssh-copy-id
58 Source7: openssh-xinetd
59 Source9: README.sftpfilecontrol
60 # this is never to be applied by default
61 # http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
62 Source10: openssh-%{wversion}-watchdog.patch.tgz
63 Source12: ssh_ldap_key.pl
64 Source15: ssh-avahi-integration
65 Source17: sshd.pam
66 Source21: README.hpn
67 Source22: sshd.service
68 Source23: sshd@.service
69 Source24: sshd-keygen.service
70 Source25: sshd.socket
71 Source26: sshd-keygen
72 # patch to set some default configuration
73 Patch1: openssh-6.5p1-config.patch
74 # rediffed from openssh-4.4p1-watchdog.patch.tgz
75 Patch4: openssh-4.4p1-watchdog.diff
76 # ldap support, from Fedora
77 Patch501: openssh-6.5p1-ldap.patch
78 # http://sftpfilecontrol.sourceforge.net
79 # Not applied by default
80 # P7 is rediffed and slightly adjusted from http://sftplogging.sourceforge.net/download/v1.5/openssh-4.4p1.sftplogging-v1.5.patch
81 Patch7: openssh-4.9p1.sftplogging-v1.5.diff
82 # (tpg) http://www.psc.edu/networking/projects/hpn-ssh/
83 Patch11: http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn%{hpnver}.diff
84 Patch12: http://www.psc.edu/networking/projects/hpn-ssh/openssh5.1-peaktput.diff
85 #gw: from Fedora:
86 #fix round-robin DNS with GSSAPI authentification
87 Patch13: openssh-4.3p2-gssapi-canohost.patch
88 Patch14: openssh-4.7p1-audit.patch
89 Patch17: openssh-5.1p1-askpass-progress.patch
90 Patch18: openssh-4.3p2-askpass-grab-info.patch
91 Patch19: openssh-5.6p1-exit-deadlock.patch
92 Patch20: openssh-6.6p1-CVE-2014-2653.patch
93 Patch21: openssh_tcp_wrappers.patch
94 Patch22: openssh-6.6p1-CVE-2015-5352.patch
95 Patch23: openssh-6.9p1-CVE-2015-5600.patch
96 # Handle terminal control characters in scp progressmeter (rhbz#1247204)
97 Patch24: openssh-6.6p1-scp-progressmeter.patch
98 # Vulnerabilities published with openssh-7.0:
99 # Privilege separation weakness related to PAM support (rhbz#1252844)
100 # Use-after-free bug related to PAM support (rhbz#1252852)
101 Patch25: openssh-6.6p1-security-7.0.patch
102 Patch26: openssh-7.1p1-CVE-2016-0777.patch
103 Patch27: openssh-7.2p2-CVE-2015-8325.patch
104 Patch28: openssh-7.2p2-user-enumeration.patch
105 Patch29: openssh-6.6p1-CVE-2017-15906.patch
106 # CVE-2016-3115
107 # https://github.com/openssh/openssh-portable/commit/9d47b8d3f50c3a6282896df8274147e3b9a38c56.patch
108 Patch100: 9d47b8d3f50c3a6282896df8274147e3b9a38c56.patch
109 Provides: ssh
110 Requires(post): openssl >= 0.9.7
111 Requires(post): makedev
112 Requires(preun): openssl >= 0.9.7
113 Requires: tcp_wrappers
114 BuildRequires: groff-for-man
115 BuildRequires: openssl-devel >= 0.9.7
116 BuildRequires: pam-devel
117 BuildRequires: tcp_wrappers-devel
118 BuildRequires: zlib-devel
119 %if %{build_skey}
120 BuildRequires: skey-devel
121 %endif
122 %if %{build_krb5}
123 BuildRequires: krb5-devel
124 %endif
125 %if %{build_x11askpass}
126 BuildRequires: imake
127 BuildRequires: rman
128 # http://qa.mandriva.com/show_bug.cgi?id=22736
129 BuildRequires: x11-util-cf-files >= 1.0.2
130 BuildRequires: gccmakedep
131 BuildRequires: libx11-devel
132 BuildRequires: libxt-devel
133 %endif
134 %if %{build_gnomeaskpass}
135 BuildRequires: gtk+2-devel
136 %endif
137 %if %{build_ldap}
138 BuildRequires: openldap-devel >= 2.0
139 %endif
140 %if %{build_audit}
141 BuildRequires: audit-devel
142 %endif
143 %if %{build_libedit}
144 BuildRequires: edit-devel
145 BuildRequires: ncurses-devel
146 %endif
147 BuildConflicts: libgssapi-devel
148
149 %description
150 Ssh (Secure Shell) is a program for logging into a remote machine and for
151 executing commands in a remote machine. It is intended to replace
152 rlogin and rsh, and provide secure encrypted communications between
153 two untrusted hosts over an insecure network. X11 connections and
154 arbitrary TCP/IP ports can also be forwarded over the secure channel.
155
156 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
157 up to date in terms of security and features, as well as removing all
158 patented algorithms to separate libraries (OpenSSL).
159
160 This package includes the core files necessary for both the OpenSSH
161 client and server. To make this package useful, you should also
162 install openssh-clients, openssh-server, or both.
163
164 You can build %{name} with some conditional build switches;
165
166 (ie. use with rpm --rebuild):
167
168 --with[out] skey smartcard support (disabled)
169 --with[out] krb5 kerberos support (enabled)
170 --with[out] watchdog watchdog support (disabled)
171 --with[out] x11askpass X11 ask pass support (enabled)
172 --with[out] gnomeaskpass Gnome ask pass support (enabled)
173 --with[out] ldap OpenLDAP support (enabled)
174 --with[out] sftpcontrol sftp file control support (disabled)
175 --with[out] hpn HPN ssh/scp support (disabled)
176 --with[out] audit audit support (disabled)
177 --with[out] libedit libedit support in sftp (enabled)
178
179 %package clients
180 Summary: OpenSSH Secure Shell protocol clients
181 Group: Networking/Remote access
182 Requires: %{name} = %{version}-%{release}
183 Provides: ssh-clients, sftp, ssh
184
185 %description clients
186 Ssh (Secure Shell) is a program for logging into a remote machine and for
187 executing commands in a remote machine. It is intended to replace
188 rlogin and rsh, and provide secure encrypted communications between
189 two untrusted hosts over an insecure network. X11 connections and
190 arbitrary TCP/IP ports can also be forwarded over the secure channel.
191
192 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
193 up to date in terms of security and features, as well as removing all
194 patented algorithms to separate libraries (OpenSSL).
195
196 This package includes the clients necessary to make encrypted connections
197 to SSH servers.
198
199 %package server
200 Summary: OpenSSH Secure Shell protocol server (sshd)
201 Group: System/Servers
202 Requires(pre): %{name} = %{version}-%{release} chkconfig >= 0.9
203 Requires(pre): pam >= 0.74
204 Requires(post): rpm-helper >= 0.24.8-1
205 Requires(preun): rpm-helper >= 0.24.8-1
206 Requires(post): openssl >= 0.9.7
207 Requires(post): makedev
208 Requires: %{name}-clients = %{version}-%{release}
209 %if %{build_skey}
210 Requires: skey
211 %endif
212 %if %{build_audit}
213 BuildRequires: audit
214 %endif
215 Provides: ssh-server, sshd
216
217 %description server
218 Ssh (Secure Shell) is a program for logging into a remote machine and for
219 executing commands in a remote machine. It is intended to replace
220 rlogin and rsh, and provide secure encrypted communications between
221 two untrusted hosts over an insecure network. X11 connections and
222 arbitrary TCP/IP ports can also be forwarded over the secure channel.
223
224 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
225 up to date in terms of security and features, as well as removing all
226 patented algorithms to separate libraries (OpenSSL).
227
228 This package contains the secure shell daemon. The sshd is the server
229 part of the secure shell protocol and allows ssh clients to connect to
230 your host.
231
232 %package askpass-common
233 Summary: OpenSSH X11 passphrase common scripts
234 Group: Networking/Remote access
235
236 %description askpass-common
237 OpenSSH X11 passphrase common scripts
238
239 %if %{build_x11askpass}
240 %package askpass
241 Summary: OpenSSH X11 passphrase dialog
242 Group: Networking/Remote access
243 Requires: %{name} = %{version}-%{release}
244 Requires: %{name}-askpass-common
245 Provides: ssh-extras, ssh-askpass
246 Requires(pre): update-alternatives
247
248 %description askpass
249 Ssh (Secure Shell) is a program for logging into a remote machine and for
250 executing commands in a remote machine. It is intended to replace
251 rlogin and rsh, and provide secure encrypted communications between
252 two untrusted hosts over an insecure network. X11 connections and
253 arbitrary TCP/IP ports can also be forwarded over the secure channel.
254
255 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
256 up to date in terms of security and features, as well as removing all
257 patented algorithms to separate libraries (OpenSSL).
258
259 This package contains Jim Knoble's <jmknoble@pobox.com> X11 passphrase
260 dialog.
261 %endif
262
263 %if %{build_gnomeaskpass}
264 %package askpass-gnome
265 Summary: OpenSSH GNOME passphrase dialog
266 Group: Networking/Remote access
267 Requires: %{name} = %{version}-%{release}
268 Requires: %{name}-askpass-common
269 Requires(pre): update-alternatives
270 Provides: %{name}-askpass, ssh-askpass, ssh-extras
271
272 %description askpass-gnome
273 Ssh (Secure Shell) is a program for logging into a remote machine and for
274 executing commands in a remote machine. It is intended to replace
275 rlogin and rsh, and provide secure encrypted communications between
276 two untrusted hosts over an insecure network. X11 connections and
277 arbitrary TCP/IP ports can also be forwarded over the secure channel.
278
279 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
280 up to date in terms of security and features, as well as removing all
281 patented algorithms to separate libraries (OpenSSL).
282
283 This package contains the GNOME passphrase dialog.
284 %endif
285
286 %if %{build_ldap}
287 %package ldap
288 Summary: A LDAP support for open source SSH server daemon
289 Group: Networking/Remote access
290 Requires: %{name} = %{version}-%{release}
291
292 %description ldap
293 The OpenSSH LDAP backend provides a way to distribute the authorized tokens
294 among the servers in the network.
295 %endif
296
297 %prep
298 %if %{build_x11askpass}
299 echo "Building with x11 askpass..."
300 %endif
301 %if %{build_gnomeaskpass}
302 echo "Building with GNOME askpass..."
303 %endif
304 %if %{build_krb5}
305 echo "Building with Kerberos5 support..."
306 %endif
307 %if %{build_skey}
308 echo "Building with S/KEY support..."
309 %endif
310 %if %{build_watchdog}
311 echo "Building with watchdog support..."
312 %endif
313 %if %{build_ldap}
314 echo "Buiding with support for authenticating to public keys in ldap"
315 %endif
316 %if %{build_sftpcontrol}
317 echo "Buiding with support for sftp file control"
318 %endif
319 %if %{build_hpn}
320 echo "Buiding with support for High Performance Network SSH/SCP"
321 %endif
322 %if %{build_audit}
323 echo "Buiding with audit support"
324 %endif
325
# Unpack the main tarball (Source0), then also unpack Source2 (x11-ssh-askpass)
# and Source10 (watchdog patch tarball) inside the build directory.
# NOTE(review): Source1 is the detached signature for Source0, but no step in
# this spec verifies it before the tarball is unpacked; confirm the signature
# is checked elsewhere in the build pipeline.
%setup -q -a2 -a10

# Default-configuration patch, always applied.
%patch1 -p1 -b .config
%if %{build_watchdog}
#patch -p0 -s -z .wdog < %{name}-%{wversion}-watchdog.patch
%patch4 -p1 -b .watchdog
%endif
%if %{build_ldap}
%patch501 -p1 -b .ldap
%endif
%if %{build_sftpcontrol}
#cat %{SOURCE8} | patch -p1 -s -z .sftpcontrol
# Deliberate hard stop: the build aborts here, so the lines below it in this
# conditional are never reached.
echo "This patch is broken or needs to be updated/rediffed"; exit 1
%patch7 -p1 -b .sftplogging-v1.5
# README with license terms for this patch
install -m 0644 %{SOURCE9} .
%endif
%if %{build_hpn}
# Deliberate hard stop, same as for the sftp file control option above.
echo "This patch is broken or needs to be updated/rediffed"; exit 1
%patch11 -p1 -b .hpn
%patch12 -p1 -b .peak
install %{SOURCE21} .
%endif
%patch13 -p1 -b .canohost
%if %{build_audit}
%patch14 -p1 -b .audit
%endif
%patch17 -p1 -b .progress
%patch18 -p1 -b .grab-info
%patch19 -p1 -b .exit-deadlock
# Security fixes follow. The -b suffix only names the backup copies left next
# to each patched file; it does not select what is applied.
%patch20 -p1 -b .CVE-2014-2653
%patch21 -p1 -b .tcp_wrappers_mips
%patch22 -p1 -b .CVE-2015-5352
%patch23 -p1 -b .CVE-2015-5600
# NOTE(review): Patch24 (terminal control characters in the scp progress
# meter, rhbz#1247204 according to the preamble) is declared but disabled
# here, so that fix is NOT part of the built package; confirm this is
# intentional.
#patch24 -p1 -b .progressmeter
%patch25 -p1 -b .security7
# Applied with -p0, unlike the other patches, which use -p1.
%patch26 -p0 -b .CVE-2016-0777
%patch27 -p1 -b .CVE-2015-8325
# NOTE(review): Patch28 is the user-enumeration patch, but its backup suffix
# names CVE-2016-6515; confirm which issue this patch actually addresses so
# that audits of the spec do not count a fix that is not present.
%patch28 -p1 -b .CVE-2016-6515
%patch29 -p1 -b .CVE-2017-15906
%patch100 -p1 -b .CVE-2016-3115
367
368 install %{SOURCE12} .
369
370 install -m 0644 %{SOURCE17} sshd.pam
371
372 # fix attribs
373 chmod 644 ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl
374
375 # http://qa.mandriva.com/show_bug.cgi?id=22957
376 perl -pi -e "s|_OPENSSH_PATH_|%{OPENSSH_PATH}|g" sshd_config
377
378 %build
379 autoreconf
380
381 %serverbuild
382
383 %if %{build_x11askpass}
384 pushd x11-ssh-askpass-%{aversion}
385 %configure2_5x \
386 --prefix=%{_prefix} --libdir=%{_libdir} \
387 --mandir=%{_mandir} --libexecdir=%{_libdir}/ssh \
388 --with-app-defaults-dir=%{_sysconfdir}/X11/app-defaults \
389 %if %{build_libedit}
390 --with-libedit \
391 %else
392 --without-libedit \
393 %endif
394
395 xmkmf -a
396
397 %ifarch x86_64
398 perl -pi -e "s|/usr/lib\b|%{_libdir}|g" Makefile
399 perl -pi -e "s|i586-%{_vendor}-linux-gnu|x86_64-%{_vendor}-linux-gnu|g" Makefile
400 perl -pi -e "s|%{_libdir}/gcc/|/usr/lib/gcc/|g" Makefile
401 perl -pi -e "s|-m32|-m64|g" Makefile
402 perl -pi -e "s|__i386__|__x86_64__|g" Makefile
403 %endif
404
405 make \
406 BINDIR=%{_libdir}/ssh \
407 CDEBUGFLAGS="$RPM_OPT_FLAGS" \
408 CXXDEBUGFLAGS="$RPM_OPT_FLAGS"
409
410 # For some reason the x11-ssh-askpass.1.html file is not created on 10.0/10.1
411 # x86_64, so we just do it manually here... (oden)
412 rm -f x11-ssh-askpass.1x.html x11-ssh-askpass.1x-html
413 rman -f HTML < x11-ssh-askpass._man > x11-ssh-askpass.1x-html && \
414 mv -f x11-ssh-askpass.1x-html x11-ssh-askpass.1.html
415 popd
416 %endif
417
418 %if %{build_gnomeaskpass}
419 pushd contrib
420 make gnome-ssh-askpass2 CC="%__cc %optflags %ldflags"
421 mv gnome-ssh-askpass2 gnome-ssh-askpass
422 popd
423 %endif
424
425 %configure2_5x \
426 --prefix=%{_prefix} \
427 --sysconfdir=%{_sysconfdir}/ssh \
428 --mandir=%{_mandir} \
429 --libdir=%{_libdir} \
430 --libexecdir=%{_libdir}/ssh \
431 --datadir=%{_datadir}/ssh \
432 --disable-strip \
433 --with-tcp-wrappers \
434 --with-pam \
435 --with-default-path=%{OPENSSH_PATH} \
436 --with-xauth=%{XAUTH} \
437 --with-privsep-path=/var/empty \
438 --without-zlib-version-check \
439 %if %{build_krb5}
440 --with-kerberos5=%{_prefix} \
441 %endif
442 %if %{build_skey}
443 --with-skey \
444 %endif
445 %if %{build_ldap}
446 -with-ldap \
447 %endif
448 --with-superuser-path=/usr/local/sbin:/usr/local/bin:%{_sbindir}:%{_bindir} \
449 %if %{build_libedit}
450 --with-libedit \
451 %else
452 --without-libedit \
453 %endif
454 %if %{build_audit}
455 --with-linux-audit \
456 %endif
457
458 %make
459
460 %install
461 %makeinstall_std
462
463 install -d %{buildroot}%{_sysconfdir}/ssh
464 install -d %{buildroot}%{_sysconfdir}/pam.d/
465 install -d %{buildroot}%{_sysconfdir}/sysconfig
466 install -m 644 sshd.pam %{buildroot}%{_sysconfdir}/pam.d/sshd
467
# Install the server configuration, preferring the generated sshd_config.out
# when the build produced one. Mode 600 keeps it readable by its owner only.
if [ -f sshd_config.out ]; then
install -m 600 sshd_config.out %{buildroot}%{_sysconfdir}/ssh/sshd_config
else
install -m 600 sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config
fi
# Ship a denyusers file that contains only an empty line.
echo "" > %{buildroot}%{_sysconfdir}/ssh/denyusers

# Install the client configuration the same way (world-readable, mode 644).
if [ -f ssh_config.out ]; then
install -m 644 ssh_config.out %{buildroot}%{_sysconfdir}/ssh/ssh_config
else
install -m 644 ssh_config %{buildroot}%{_sysconfdir}/ssh/ssh_config
fi
# NOTE(review): this appends "StrictHostKeyChecking no" to the packaged
# system-wide client config. With that setting ssh accepts and records the
# host key of a previously unknown server without asking the user, so an
# impersonated host on a first connection is not flagged. Which Host block
# the appended line lands in depends on how the installed file ends (not
# visible here). Consider dropping the line so the upstream default applies.
echo " StrictHostKeyChecking no" >> %{buildroot}%{_sysconfdir}/ssh/ssh_config
481
482 mkdir -p %{buildroot}%{_libdir}/ssh
483 %if %{build_x11askpass}
484 pushd x11-ssh-askpass-%{aversion}
485 #make DESTDIR=%{buildroot} install
486 #make DESTDIR=%{buildroot} install.man
487 #install -d %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html
488 #install -m0644 x11-ssh-askpass.1.html %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html/
489 install -d %{buildroot}%{_libdir}/ssh
490 install -d %{buildroot}%{_sysconfdir}/X11/app-defaults
491 install -m 644 SshAskpass.ad %{buildroot}%{_sysconfdir}/X11/app-defaults/SshAskpass
492 install -m 755 x11-ssh-askpass %{buildroot}%{_libdir}/ssh/
493 install -m 644 x11-ssh-askpass.man %{buildroot}%{_mandir}/man1/x11-ssh-askpass.1
494 popd
495 %endif
496
497 install -d %{buildroot}%{_sysconfdir}/profile.d/
498 %if %{build_gnomeaskpass}
499 install -m 755 contrib/gnome-ssh-askpass %{buildroot}%{_libdir}/ssh/gnome-ssh-askpass
500 %endif
501
502 cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.csh <<EOF
503 setenv SSH_ASKPASS %{_libdir}/ssh/ssh-askpass
504 EOF
505
506 cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.sh <<EOF
507 export SSH_ASKPASS=%{_libdir}/ssh/ssh-askpass
508 EOF
509
510 cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-client.sh <<'EOF'
511 # fix hanging ssh clients on exit
512 if [ -n "$BASH_VERSION" ]; then
513 shopt -s huponexit
514 elif [ -n "$ZSH_VERSION" ]; then
515 setopt hup
516 fi
517 EOF
518
519 install -m 755 %{SOURCE3} %{buildroot}/%{_bindir}/ssh-copy-id
520 chmod a+x %{buildroot}/%{_bindir}/ssh-copy-id
521 install -m 644 contrib/ssh-copy-id.1 %{buildroot}/%{_mandir}/man1/
522
523 # create pre-authentication directory
524 install -d -m 755 %{buildroot}/var/empty
525
526 # remove unwanted files
527 rm -f %{buildroot}%{_libdir}/ssh/ssh-askpass
528
529 # xinetd support (tv)
530 install -d -m 755 %{buildroot}%{_sysconfdir}/xinetd.d/
531 install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/xinetd.d/sshd-xinetd
532
533 cat > %{buildroot}%{_sysconfdir}/sysconfig/sshd << EOF
534 #OPTIONS=""
535 EOF
536
537 # avahi integration support (misc)
538 mkdir -p %{buildroot}%{_sysconfdir}/avahi/services/
539 install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/avahi/services/%{name}.service
540
541 install -d -m 755 %{buildroot}%{_unitdir}
542 install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/sshd.service
543 #install -m 644 %{SOURCE23} %{buildroot}%{_unitdir}/sshd@.service
544 #install -m 644 %{SOURCE24} %{buildroot}%{_unitdir}/sshd-keygen.service
545 #install -m 644 %{SOURCE25} %{buildroot}%{_unitdir}/sshd.socket
546 install -m 755 %{SOURCE26} %{buildroot}%{_sbindir}/sshd-keygen
547
548 # make sure strip can touch it
549 chmod 755 %{buildroot}%{_libdir}/ssh/ssh-keysign
550
551 sed -e 's,\$LIB,%{_libdir},g' -i %buildroot%_libdir/ssh/ssh-ldap-wrapper
552
553 %pre server
554 %_pre_useradd sshd /var/empty /sbin/nologin
555
556 %post server
557 # do some key management; taken from the initscript
558
559 KEYGEN=/usr/bin/ssh-keygen
560 RSA1_KEY=/etc/ssh/ssh_host_key
561 RSA_KEY=/etc/ssh/ssh_host_rsa_key
562 DSA_KEY=/etc/ssh/ssh_host_dsa_key
563 ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
564
# Create the SSH protocol 1 RSA host key unless a non-empty key file already
# exists at $RSA1_KEY. Progress is printed to stdout; the scriptlet exits with
# status 1 when key generation fails.
# NOTE(review): SSH protocol 1 is obsolete and cryptographically weak; confirm
# an SSH1 host key is still wanted on new installs.
do_rsa1_keygen() {
	# Nothing to do when a key is already in place.
	[ -s $RSA1_KEY ] && return 0

	echo -n "Generating SSH1 RSA host key... "
	# Empty comment (-C '') and empty passphrase (-N ''); keygen output is discarded.
	if ! $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >/dev/null 2>&1; then
		echo "failed"
		echo
		exit 1
	fi

	# Private key: owner-only access. Public key: world-readable.
	chmod 600 $RSA1_KEY
	chmod 644 $RSA1_KEY.pub
	echo "done"
	echo
}
580
# Create the SSH protocol 2 RSA host key unless a non-empty key file already
# exists at $RSA_KEY. Progress is printed to stdout; the scriptlet exits with
# status 1 when key generation fails.
do_rsa_keygen() {
	# Nothing to do when a key is already in place.
	[ -s $RSA_KEY ] && return 0

	echo "Generating SSH2 RSA host key... "
	# Empty comment (-C '') and empty passphrase (-N ''); keygen output is discarded.
	if ! $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null 2>&1; then
		echo "failed"
		echo
		exit 1
	fi

	# Private key: owner-only access. Public key: world-readable.
	chmod 600 $RSA_KEY
	chmod 644 $RSA_KEY.pub
	echo "done"
	echo
}
596
# Create the SSH protocol 2 DSA host key unless a non-empty key file already
# exists at $DSA_KEY. Progress is printed to stdout; the scriptlet exits with
# status 1 when key generation fails.
# NOTE(review): ssh-keygen only produces 1024-bit DSA keys, which are
# considered weak; confirm a DSA host key is still required.
do_dsa_keygen() {
	# Nothing to do when a key is already in place.
	[ -s $DSA_KEY ] && return 0

	echo "Generating SSH2 DSA host key... "
	# Empty comment (-C '') and empty passphrase (-N ''); keygen output is discarded.
	if ! $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null 2>&1; then
		echo "failed"
		echo
		exit 1
	fi

	# Private key: owner-only access. Public key: world-readable.
	chmod 600 $DSA_KEY
	chmod 644 $DSA_KEY.pub
	echo "done"
	echo
}
612
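# Create the SSH protocol 2 ECDSA host key unless a non-empty key file already
# exists at $ECDSA_KEY. Progress is printed to stdout; the scriptlet exits with
# status 1 when key generation fails.
#
# The key type passed to ssh-keygen is "ecdsa". The previous version passed
# "dsa", which wrote a DSA key into the ECDSA key path, so the host never got
# an ECDSA host key.
# NOTE(review): hosts installed with the old scriptlet keep that DSA key in the
# ECDSA path, because an existing non-empty file is never regenerated here.
do_ecdsa_keygen() {
	# Nothing to do when a key is already in place.
	[ -s "$ECDSA_KEY" ] && return 0

	echo "Generating SSH2 EC DSA host key... "
	# Empty comment (-C '') and empty passphrase (-N ''); keygen output is discarded.
	if ! "$KEYGEN" -q -t ecdsa -f "$ECDSA_KEY" -C '' -N '' >/dev/null 2>&1; then
		echo "failed"
		echo
		exit 1
	fi

	# Private key: owner-only access. Public key: world-readable.
	chmod 600 "$ECDSA_KEY"
	chmod 644 "$ECDSA_KEY.pub"
	echo "done"
	echo
}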
628
629 do_rsa1_keygen
630 do_rsa_keygen
631 do_dsa_keygen
632 do_ecdsa_keygen
633 %_post_service sshd
634
635 %preun server
636 %_preun_service sshd
637
638 %postun server
639 %_postun_userdel sshd
640
641 %if %{build_x11askpass}
642 %post askpass
643 update-alternatives --install %{_libdir}/ssh/ssh-askpass ssh-askpass %{_libdir}/ssh/x11-ssh-askpass 10
644 update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libdir}/ssh/x11-ssh-askpass 10
645
646 %postun askpass
647 [ $1 = 0 ] || exit 0
648 update-alternatives --remove ssh-askpass %{_libdir}/ssh/x11-ssh-askpass
649 update-alternatives --remove bssh-askpass %{_libdir}/ssh/x11-ssh-askpass
650 %endif
651
652 %if %{build_gnomeaskpass}
653 %post askpass-gnome
654 update-alternatives --install %{_libdir}/ssh/ssh-askpass ssh-askpass %{_libdir}/ssh/gnome-ssh-askpass 20
655 update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass 20
656
657 %postun askpass-gnome
658 [ $1 = 0 ] || exit 0
659 update-alternatives --remove ssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
660 update-alternatives --remove bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
661 %endif
662
663 %triggerpostun server -- openssh-server < 3.8p1
664 if grep -qE "^\W*auth\W+\w+\W+.*pam_(ldap|winbind|mysql)" /etc/pam.d/system-auth /etc/pam.d/sshd; then
665 perl -pi -e 's|^#UsePAM no|UsePAM yes|' /etc/ssh/sshd_config
666 fi
667
668 %files
669 %doc ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl
670 %if %{build_ldap}
671 %doc *.schema
672 %endif
673 %if %{build_watchdog}
674 %doc CHANGES-openssh-watchdog openssh-watchdog.html
675 %endif
676 %if %{build_sftpcontrol}
677 %doc README.sftpfilecontrol
678 %endif
679 %{_bindir}/ssh-keygen
680 %dir %{_sysconfdir}/ssh
681 %{_bindir}/ssh-keyscan
682 %attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
683 %{_libdir}/ssh/ssh-pkcs11-helper
684 %{_mandir}/man1/ssh-keygen.1*
685 %{_mandir}/man1/ssh-keyscan.1*
686 %{_mandir}/man8/ssh-keysign.8*
687 %{_mandir}/man8/ssh-pkcs11-helper.8*
688
689 %files clients
690 %{_bindir}/scp
691 %{_bindir}/ssh
692 %{_bindir}/ssh-agent
693 %{_bindir}/ssh-add
694 %{_bindir}/ssh-copy-id
695 %{_bindir}/slogin
696 %{_bindir}/sftp
697 %{_mandir}/man1/scp.1*
698 %{_mandir}/man1/ssh-copy-id.1*
699 %{_mandir}/man1/slogin.1*
700 %{_mandir}/man1/ssh.1*
701 %{_mandir}/man1/ssh-agent.1*
702 %{_mandir}/man1/ssh-add.1*
703 %{_mandir}/man1/sftp.1*
704 %{_mandir}/man5/ssh_config.5*
705 %config(noreplace) %{_sysconfdir}/ssh/ssh_config
706 %{_sysconfdir}/profile.d/90ssh-client.sh
707
708 %files server
709 %config(noreplace) %{_sysconfdir}/sysconfig/sshd
710 %{_sbindir}/sshd
711 %{_sbindir}/sshd-keygen
712 %dir %{_libdir}/ssh
713 %{_libdir}/ssh/sftp-server
714 %{_mandir}/man5/sshd_config.5*
715 %{_mandir}/man5/moduli.5*
716 %{_mandir}/man8/sshd.8*
717 %{_mandir}/man8/sftp-server.8*
718 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
719 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/denyusers
720 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
721 %config(noreplace) %_sysconfdir/xinetd.d/sshd-xinetd
722 %config(noreplace) %{_sysconfdir}/avahi/services/%{name}.service
723 %config(noreplace) %{_sysconfdir}/ssh/moduli
724 %{_unitdir}/sshd.service
725 %dir /var/empty
726
727 %files askpass-common
728 %{_sysconfdir}/profile.d/90ssh-askpass.*
729
730 %if %{build_x11askpass}
731 %files askpass
732 %doc x11-ssh-askpass-%{aversion}/README
733 %doc x11-ssh-askpass-%{aversion}/ChangeLog
734 %doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
735 %doc x11-ssh-askpass-%{aversion}/x11-ssh-askpass.1.html
736 %{_libdir}/ssh/x11-ssh-askpass
737 %{_sysconfdir}/X11/app-defaults/SshAskpass
738 %{_mandir}/man1/x11-ssh-askpass.1*
739 %endif
740
741 %if %{build_gnomeaskpass}
742 %files askpass-gnome
743 %{_libdir}/ssh/gnome-ssh-askpass
744 %endif
745
746 %if %{build_ldap}
747 %files ldap
748 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
749 %config %{_sysconfdir}/ssh/ldap.conf
750 %{_libdir}/ssh/ssh-ldap-helper
751 %{_libdir}/ssh/ssh-ldap-wrapper
752 %{_mandir}/man8/ssh-ldap-helper.8*
753 %{_mandir}/man5/ssh-ldap.conf.5*
754 %endif
