1 |
# Version of ssh-askpass |
2 |
%define aversion 1.2.4.1 |
3 |
# Version of watchdog patch |
4 |
%define wversion 4.4p1 |
5 |
|
6 |
# Version of the hpn patch |
7 |
%define hpnver 13v6 |
8 |
|
9 |
# overrides |
10 |
%define build_skey 0 |
11 |
%define build_krb5 1 |
12 |
%define build_watchdog 0 |
13 |
%define build_x11askpass 1 |
14 |
%define build_gnomeaskpass 1 |
15 |
%define build_ldap 1 |
16 |
%define build_sftpcontrol 0 |
17 |
%define build_hpn 0 |
18 |
%define build_audit 0 |
19 |
%define build_libedit 1 |
20 |
|
21 |
%{?_with_skey: %{expand: %%global build_skey 1}} |
22 |
%{?_without_skey: %{expand: %%global build_skey 0}} |
23 |
%{?_with_krb5: %{expand: %%global build_krb5 1}} |
24 |
%{?_without_krb5: %{expand: %%global build_krb5 0}} |
25 |
%{?_with_watchdog: %{expand: %%global build_watchdog 1}} |
26 |
%{?_without_watchdog: %{expand: %%global build_watchdog 0}} |
27 |
%{?_with_x11askpass: %{expand: %%global build_x11askpass 1}} |
28 |
%{?_without_x11askpass: %{expand: %%global build_x11askpass 0}} |
29 |
%{?_with_gnomeaskpass: %{expand: %%global build_gnomeaskpass 1}} |
30 |
%{?_without_gnomeaskpass: %{expand: %%global build_gnomeaskpass 0}} |
31 |
%{?_with_ldap: %{expand: %%global build_ldap 1}} |
32 |
%{?_without_ldap: %{expand: %%global build_ldap 0}} |
33 |
%{?_with_sftpcontrol: %{expand: %%global build_sftpcontrol 1}} |
34 |
%{?_without_sftpcontrol: %{expand: %%global build_sftpcontrol 0}} |
35 |
%{?_with_hpn: %{expand: %%global build_hpn 1}} |
36 |
%{?_without_hpn: %{expand: %%global build_hpn 0}} |
37 |
%{?_with_audit: %{expand: %%global build_audit 1}} |
38 |
%{?_without_audit: %{expand: %%global build_audit 0}} |
39 |
%{?_with_libedit: %{expand: %%global build_libedit 1}} |
40 |
%{?_without_libedit: %{expand: %%global build_libedit 0}} |
41 |
|
42 |
%define OPENSSH_PATH "/usr/local/bin:%{_bindir}" |
43 |
%define XAUTH %{_bindir}/xauth |
44 |
|
45 |
Summary: OpenSSH free Secure Shell (SSH) implementation |
46 |
Name: openssh |
47 |
Version: 6.6p1 |
48 |
%define subrel 10 |
49 |
Release: %mkrel 5 |
50 |
License: BSD |
51 |
Group: Networking/Remote access |
52 |
URL: http://www.openssh.com/ |
53 |
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz |
54 |
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc |
55 |
Source2: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.bz2 |
56 |
# ssh-copy-id taken from debian, with "usage" added |
57 |
Source3: ssh-copy-id |
58 |
Source7: openssh-xinetd |
59 |
Source9: README.sftpfilecontrol |
60 |
# this is never to be applied by default |
61 |
# http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html |
62 |
Source10: openssh-%{wversion}-watchdog.patch.tgz |
63 |
Source12: ssh_ldap_key.pl |
64 |
Source15: ssh-avahi-integration |
65 |
Source17: sshd.pam |
66 |
Source21: README.hpn |
67 |
Source22: sshd.service |
68 |
Source23: sshd@.service |
69 |
Source24: sshd-keygen.service |
70 |
Source25: sshd.socket |
71 |
Source26: sshd-keygen |
72 |
# patch to set some default configuration |
73 |
Patch1: openssh-6.5p1-config.patch |
74 |
# rediffed from openssh-4.4p1-watchdog.patch.tgz |
75 |
Patch4: openssh-4.4p1-watchdog.diff |
76 |
# ldap support, from Fedora |
77 |
Patch501: openssh-6.5p1-ldap.patch |
78 |
# http://sftpfilecontrol.sourceforge.net |
79 |
# Not applied by default |
80 |
# P7 is rediffed and slightly adjusted from http://sftplogging.sourceforge.net/download/v1.5/openssh-4.4p1.sftplogging-v1.5.patch |
81 |
Patch7: openssh-4.9p1.sftplogging-v1.5.diff |
82 |
# (tpg) http://www.psc.edu/networking/projects/hpn-ssh/ |
83 |
Patch11: http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn%{hpnver}.diff |
84 |
Patch12: http://www.psc.edu/networking/projects/hpn-ssh/openssh5.1-peaktput.diff |
85 |
#gw: from Fedora: |
86 |
#fix round-robin DNS with GSSAPI authentication |
87 |
Patch13: openssh-4.3p2-gssapi-canohost.patch |
88 |
Patch14: openssh-4.7p1-audit.patch |
89 |
Patch17: openssh-5.1p1-askpass-progress.patch |
90 |
Patch18: openssh-4.3p2-askpass-grab-info.patch |
91 |
Patch19: openssh-5.6p1-exit-deadlock.patch |
92 |
Patch20: openssh-6.6p1-CVE-2014-2653.patch |
93 |
Patch21: openssh_tcp_wrappers.patch |
94 |
Patch22: openssh-6.6p1-CVE-2015-5352.patch |
95 |
Patch23: openssh-6.9p1-CVE-2015-5600.patch |
96 |
# Handle terminal control characters in scp progressmeter (rhbz#1247204) |
97 |
Patch24: openssh-6.6p1-scp-progressmeter.patch |
98 |
# Vulnerabilities published with openssh-7.0: |
99 |
# Privilege separation weakness related to PAM support (rhbz#1252844) |
100 |
# Use-after-free bug related to PAM support (rhbz#1252852) |
101 |
Patch25: openssh-6.6p1-security-7.0.patch |
102 |
Patch26: openssh-7.1p1-CVE-2016-0777.patch |
103 |
Patch27: openssh-7.2p2-CVE-2015-8325.patch |
104 |
Patch28: openssh-7.2p2-user-enumeration.patch |
105 |
Patch29: openssh-6.6p1-CVE-2017-15906.patch |
106 |
Patch30: openssh-6.6p1-CVE-2016-8858.patch |
107 |
Patch31: openssh-6.6p1-CVE-2016-10009.patch |
108 |
# CVE-2016-3115 |
109 |
# https://github.com/openssh/openssh-portable/commit/9d47b8d3f50c3a6282896df8274147e3b9a38c56.patch |
110 |
Patch100: 9d47b8d3f50c3a6282896df8274147e3b9a38c56.patch |
111 |
Provides: ssh |
112 |
Requires(post): openssl >= 0.9.7 |
113 |
Requires(post): makedev |
114 |
Requires(preun): openssl >= 0.9.7 |
115 |
Requires: tcp_wrappers |
116 |
BuildRequires: groff-for-man |
117 |
BuildRequires: openssl-devel >= 0.9.7 |
118 |
BuildRequires: pam-devel |
119 |
BuildRequires: tcp_wrappers-devel |
120 |
BuildRequires: zlib-devel |
121 |
%if %{build_skey} |
122 |
BuildRequires: skey-devel |
123 |
%endif |
124 |
%if %{build_krb5} |
125 |
BuildRequires: krb5-devel |
126 |
%endif |
127 |
%if %{build_x11askpass} |
128 |
BuildRequires: imake |
129 |
BuildRequires: rman |
130 |
# http://qa.mandriva.com/show_bug.cgi?id=22736 |
131 |
BuildRequires: x11-util-cf-files >= 1.0.2 |
132 |
BuildRequires: gccmakedep |
133 |
BuildRequires: libx11-devel |
134 |
BuildRequires: libxt-devel |
135 |
%endif |
136 |
%if %{build_gnomeaskpass} |
137 |
BuildRequires: gtk+2-devel |
138 |
%endif |
139 |
%if %{build_ldap} |
140 |
BuildRequires: openldap-devel >= 2.0 |
141 |
%endif |
142 |
%if %{build_audit} |
143 |
BuildRequires: audit-devel |
144 |
%endif |
145 |
%if %{build_libedit} |
146 |
BuildRequires: edit-devel |
147 |
BuildRequires: ncurses-devel |
148 |
%endif |
149 |
BuildConflicts: libgssapi-devel |
150 |
|
151 |
%description |
152 |
Ssh (Secure Shell) is a program for logging into a remote machine and for |
153 |
executing commands in a remote machine. It is intended to replace |
154 |
rlogin and rsh, and provide secure encrypted communications between |
155 |
two untrusted hosts over an insecure network. X11 connections and |
156 |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
157 |
|
158 |
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
159 |
up to date in terms of security and features, as well as removing all |
160 |
patented algorithms to separate libraries (OpenSSL). |
161 |
|
162 |
This package includes the core files necessary for both the OpenSSH |
163 |
client and server. To make this package useful, you should also |
164 |
install openssh-clients, openssh-server, or both. |
165 |
|
166 |
You can build %{name} with some conditional build switches; |
167 |
|
168 |
(i.e. use with rpm --rebuild): |
169 |
|
170 |
--with[out] skey smartcard support (disabled) |
171 |
--with[out] krb5 kerberos support (enabled) |
172 |
--with[out] watchdog watchdog support (disabled) |
173 |
--with[out] x11askpass X11 ask pass support (enabled) |
174 |
--with[out] gnomeaskpass Gnome ask pass support (enabled) |
175 |
--with[out] ldap OpenLDAP support (enabled) |
176 |
--with[out] sftpcontrol sftp file control support (disabled) |
177 |
--with[out] hpn HPN ssh/scp support (disabled) |
178 |
--with[out] audit audit support (disabled) |
179 |
--with[out] libedit libedit support in sftp (enabled) |
180 |
|
181 |
%package clients |
182 |
Summary: OpenSSH Secure Shell protocol clients |
183 |
Group: Networking/Remote access |
184 |
Requires: %{name} = %{version}-%{release} |
185 |
Provides: ssh-clients, sftp, ssh |
186 |
|
187 |
%description clients |
188 |
Ssh (Secure Shell) is a program for logging into a remote machine and for |
189 |
executing commands in a remote machine. It is intended to replace |
190 |
rlogin and rsh, and provide secure encrypted communications between |
191 |
two untrusted hosts over an insecure network. X11 connections and |
192 |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
193 |
|
194 |
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
195 |
up to date in terms of security and features, as well as removing all |
196 |
patented algorithms to separate libraries (OpenSSL). |
197 |
|
198 |
This package includes the clients necessary to make encrypted connections |
199 |
to SSH servers. |
200 |
|
201 |
%package server |
202 |
Summary: OpenSSH Secure Shell protocol server (sshd) |
203 |
Group: System/Servers |
204 |
Requires(pre): %{name} = %{version}-%{release} chkconfig >= 0.9 |
205 |
Requires(pre): pam >= 0.74 |
206 |
Requires(post): rpm-helper >= 0.24.8-1 |
207 |
Requires(preun): rpm-helper >= 0.24.8-1 |
208 |
Requires(post): openssl >= 0.9.7 |
209 |
Requires(post): makedev |
210 |
Requires: %{name}-clients = %{version}-%{release} |
211 |
%if %{build_skey} |
212 |
Requires: skey |
213 |
%endif |
214 |
%if %{build_audit} |
215 |
BuildRequires: audit |
216 |
%endif |
217 |
Provides: ssh-server, sshd |
218 |
|
219 |
%description server |
220 |
Ssh (Secure Shell) is a program for logging into a remote machine and for |
221 |
executing commands in a remote machine. It is intended to replace |
222 |
rlogin and rsh, and provide secure encrypted communications between |
223 |
two untrusted hosts over an insecure network. X11 connections and |
224 |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
225 |
|
226 |
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
227 |
up to date in terms of security and features, as well as removing all |
228 |
patented algorithms to separate libraries (OpenSSL). |
229 |
|
230 |
This package contains the secure shell daemon. The sshd is the server |
231 |
part of the secure shell protocol and allows ssh clients to connect to |
232 |
your host. |
233 |
|
234 |
%package askpass-common |
235 |
Summary: OpenSSH X11 passphrase common scripts |
236 |
Group: Networking/Remote access |
237 |
|
238 |
%description askpass-common |
239 |
OpenSSH X11 passphrase common scripts |
240 |
|
241 |
%if %{build_x11askpass} |
242 |
%package askpass |
243 |
Summary: OpenSSH X11 passphrase dialog |
244 |
Group: Networking/Remote access |
245 |
Requires: %{name} = %{version}-%{release} |
246 |
Requires: %{name}-askpass-common |
247 |
Provides: ssh-extras, ssh-askpass |
248 |
Requires(pre): update-alternatives |
249 |
|
250 |
%description askpass |
251 |
Ssh (Secure Shell) is a program for logging into a remote machine and for |
252 |
executing commands in a remote machine. It is intended to replace |
253 |
rlogin and rsh, and provide secure encrypted communications between |
254 |
two untrusted hosts over an insecure network. X11 connections and |
255 |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
256 |
|
257 |
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
258 |
up to date in terms of security and features, as well as removing all |
259 |
patented algorithms to separate libraries (OpenSSL). |
260 |
|
261 |
This package contains Jim Knoble's <jmknoble@pobox.com> X11 passphrase |
262 |
dialog. |
263 |
%endif |
264 |
|
265 |
%if %{build_gnomeaskpass} |
266 |
%package askpass-gnome |
267 |
Summary: OpenSSH GNOME passphrase dialog |
268 |
Group: Networking/Remote access |
269 |
Requires: %{name} = %{version}-%{release} |
270 |
Requires: %{name}-askpass-common |
271 |
Requires(pre): update-alternatives |
272 |
Provides: %{name}-askpass, ssh-askpass, ssh-extras |
273 |
|
274 |
%description askpass-gnome |
275 |
Ssh (Secure Shell) is a program for logging into a remote machine and for |
276 |
executing commands in a remote machine. It is intended to replace |
277 |
rlogin and rsh, and provide secure encrypted communications between |
278 |
two untrusted hosts over an insecure network. X11 connections and |
279 |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
280 |
|
281 |
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
282 |
up to date in terms of security and features, as well as removing all |
283 |
patented algorithms to separate libraries (OpenSSL). |
284 |
|
285 |
This package contains the GNOME passphrase dialog. |
286 |
%endif |
287 |
|
288 |
%if %{build_ldap} |
289 |
%package ldap |
290 |
Summary: LDAP support for the open source SSH server daemon |
291 |
Group: Networking/Remote access |
292 |
Requires: %{name} = %{version}-%{release} |
293 |
|
294 |
%description ldap |
295 |
The OpenSSH LDAP backend is a way to distribute the authorized tokens |
296 |
among the servers in the network. |
297 |
%endif |
298 |
|
299 |
%prep
# Build banner: one message per optional feature switched on for this build.
# Every message is guarded by the matching build_* switch from the top of the
# spec (which --with/--without can override). The messages are informational
# only; nothing in this part touches the sources.
%if %{build_x11askpass}
    echo "Building with x11 askpass..."
%endif
%if %{build_gnomeaskpass}
    echo "Building with GNOME askpass..."
%endif
%if %{build_krb5}
    echo "Building with Kerberos5 support..."
%endif
%if %{build_skey}
    echo "Building with S/KEY support..."
%endif
%if %{build_watchdog}
    echo "Building with watchdog support..."
%endif
%if %{build_ldap}
    echo "Buiding with support for authenticating to public keys in ldap"
%endif
%if %{build_sftpcontrol}
    echo "Buiding with support for sftp file control"
%endif
%if %{build_hpn}
    echo "Buiding with support for High Performance Network SSH/SCP"
%endif
%if %{build_audit}
    echo "Buiding with audit support"
%endif
327 |
|
328 |
# Unpack the main tarball quietly; -a2 and -a10 additionally unpack Source2
# (x11-ssh-askpass) and Source10 (watchdog patch archive) inside the tree.
# NOTE(review): Source1 is the upstream detached signature for Source0, but no
# step in this section checks the tarball against it before unpacking.
%setup -q -a2 -a10

# Distribution default configuration.
%patch1 -p1 -b .config

# Optional feature patches, each guarded by its build switch.
%if %{build_watchdog}
#patch -p0 -s -z .wdog < %{name}-%{wversion}-watchdog.patch
%patch4 -p1 -b .watchdog
%endif
%if %{build_ldap}
%patch501 -p1 -b .ldap
%endif
%if %{build_sftpcontrol}
#cat %{SOURCE8} | patch -p1 -s -z .sftpcontrol
# Deliberate stop: the build aborts here when this switch is enabled.
echo "This patch is broken or needs to be updated/rediffed"
exit 1
%patch7 -p1 -b .sftplogging-v1.5
# README with license terms for this patch
install -m 0644 %{SOURCE9} .
%endif
%if %{build_hpn}
# Deliberate stop: the build aborts here when this switch is enabled.
echo "This patch is broken or needs to be updated/rediffed"
exit 1
%patch11 -p1 -b .hpn
%patch12 -p1 -b .peak
install %{SOURCE21} .
%endif

%patch13 -p1 -b .canohost
%if %{build_audit}
%patch14 -p1 -b .audit
%endif
%patch17 -p1 -b .progress
%patch18 -p1 -b .grab-info
%patch19 -p1 -b .exit-deadlock

# Security backports. The backup suffix after -b is the only label that ties
# an applied patch to its advisory in the unpacked tree.
%patch20 -p1 -b .CVE-2014-2653
%patch21 -p1 -b .tcp_wrappers_mips
%patch22 -p1 -b .CVE-2015-5352
%patch23 -p1 -b .CVE-2015-5600
# NOTE(review): Patch24 (terminal control characters in the scp progress
# meter, rhbz#1247204) is declared in the preamble but left disabled here, so
# that fix is not part of the build. Confirm this is intended.
#patch24 -p1 -b .progressmeter
%patch25 -p1 -b .security7
# Patch26 is the only one applied with -p0.
%patch26 -p0 -b .CVE-2016-0777
%patch27 -p1 -b .CVE-2015-8325
# NOTE(review): Patch28 is the user-enumeration patch by file name, while the
# backup suffix names CVE-2016-6515; confirm which advisory it addresses and
# label it accordingly.
%patch28 -p1 -b .CVE-2016-6515
%patch29 -p1 -b .CVE-2017-15906
%patch30 -p1 -b .CVE-2016-8858
%patch31 -p1 -b .CVE-2016-10009
%patch100 -p1 -b .CVE-2016-3115

# Copy the LDAP key helper script and the PAM stack file into the source tree.
install %{SOURCE12} .

install -m 0644 %{SOURCE17} sshd.pam

# fix attribs
chmod 644 ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl

# Substitute the packaged default PATH into sshd_config.
# http://qa.mandriva.com/show_bug.cgi?id=22957
perl -pi -e "s|_OPENSSH_PATH_|%{OPENSSH_PATH}|g" sshd_config
381 |
|
382 |
%build
# Regenerate configure, since the patches applied in the prep stage may have
# touched the autoconf inputs.
autoreconf

%serverbuild

# --- x11-ssh-askpass (unpacked from Source2) ---
%if %{build_x11askpass}
pushd x11-ssh-askpass-%{aversion}
# No comment lines may be placed inside the continued command below; the blank
# line after the last option ends the continuation.
%configure2_5x \
    --prefix=%{_prefix} \
    --libdir=%{_libdir} \
    --mandir=%{_mandir} \
    --libexecdir=%{_libdir}/ssh \
    --with-app-defaults-dir=%{_sysconfdir}/X11/app-defaults \
%if %{build_libedit}
    --with-libedit \
%else
    --without-libedit \
%endif

xmkmf -a

# The generated Makefile carries 32-bit paths and flags; rewrite them when
# building for x86_64.
%ifarch x86_64
perl -pi -e "s|/usr/lib\b|%{_libdir}|g" Makefile
perl -pi -e "s|i586-%{_vendor}-linux-gnu|x86_64-%{_vendor}-linux-gnu|g" Makefile
perl -pi -e "s|%{_libdir}/gcc/|/usr/lib/gcc/|g" Makefile
perl -pi -e "s|-m32|-m64|g" Makefile
perl -pi -e "s|__i386__|__x86_64__|g" Makefile
%endif

make \
    BINDIR=%{_libdir}/ssh \
    CDEBUGFLAGS="$RPM_OPT_FLAGS" \
    CXXDEBUGFLAGS="$RPM_OPT_FLAGS"

# For some reason the x11-ssh-askpass.1.html file is not created on 10.0/10.1
# x86_64, so we just do it manually here... (oden)
rm -f x11-ssh-askpass.1x.html x11-ssh-askpass.1x-html
rman -f HTML < x11-ssh-askpass._man > x11-ssh-askpass.1x-html && \
    mv -f x11-ssh-askpass.1x-html x11-ssh-askpass.1.html
popd
%endif

# --- GNOME askpass (from contrib) ---
# The gtk2 variant is built and then renamed to the generic helper name that
# the install stage expects.
%if %{build_gnomeaskpass}
pushd contrib
make gnome-ssh-askpass2 CC="%__cc %optflags %ldflags"
mv gnome-ssh-askpass2 gnome-ssh-askpass
popd
%endif
428 |
|
429 |
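# Configure and build OpenSSH itself.
#
# Security-relevant settings passed below:
#   - privilege separation chroot is /var/empty
#   - PAM and tcp_wrappers support are compiled in
#   - the default and superuser PATH values both start with /usr/local
#     directories, so anything writable there is found before system binaries
#   - the zlib version check in configure is switched off, so the packaged
#     zlib has to be kept patched by the distribution
#
# The LDAP option is spelled with two dashes like every other option here
# (it was written with a single dash before).
#
# No comment lines may be placed inside the continued command; the blank line
# after the last option ends the continuation.
%configure2_5x \
    --prefix=%{_prefix} \
    --sysconfdir=%{_sysconfdir}/ssh \
    --mandir=%{_mandir} \
    --libdir=%{_libdir} \
    --libexecdir=%{_libdir}/ssh \
    --datadir=%{_datadir}/ssh \
    --disable-strip \
    --with-tcp-wrappers \
    --with-pam \
    --with-default-path=%{OPENSSH_PATH} \
    --with-xauth=%{XAUTH} \
    --with-privsep-path=/var/empty \
    --without-zlib-version-check \
%if %{build_krb5}
    --with-kerberos5=%{_prefix} \
%endif
%if %{build_skey}
    --with-skey \
%endif
%if %{build_ldap}
    --with-ldap \
%endif
    --with-superuser-path=/usr/local/sbin:/usr/local/bin:%{_sbindir}:%{_bindir} \
%if %{build_libedit}
    --with-libedit \
%else
    --without-libedit \
%endif
%if %{build_audit}
    --with-linux-audit \
%endif

%make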
463 |
|
464 |
%install
%makeinstall_std

# Configuration directories inside the build root.
install -d %{buildroot}%{_sysconfdir}/ssh
install -d %{buildroot}%{_sysconfdir}/pam.d/
install -d %{buildroot}%{_sysconfdir}/sysconfig
install -m 644 sshd.pam %{buildroot}%{_sysconfdir}/pam.d/sshd

# Server configuration: take the generated .out file when the build produced
# one, otherwise the file from the source tree. Mode 600 keeps it root-only.
sshd_conf_src=sshd_config
if [ -f sshd_config.out ]; then
    sshd_conf_src=sshd_config.out
fi
install -m 600 $sshd_conf_src %{buildroot}%{_sysconfdir}/ssh/sshd_config

# Placeholder denyusers file (a single newline).
echo "" > %{buildroot}%{_sysconfdir}/ssh/denyusers

# Client configuration, chosen the same way.
ssh_conf_src=ssh_config
if [ -f ssh_config.out ]; then
    ssh_conf_src=ssh_config.out
fi
install -m 644 $ssh_conf_src %{buildroot}%{_sysconfdir}/ssh/ssh_config

# NOTE(review): this appends a system-wide client default that switches off
# the host key confirmation prompt, so ssh accepts and records unknown host
# keys without asking the user. That removes the client's main protection
# against a spoofed server; consider shipping the upstream default and letting
# sites opt out explicitly.
echo " StrictHostKeyChecking no" >> %{buildroot}%{_sysconfdir}/ssh/ssh_config
485 |
|
486 |
# Helper directory for the ssh libexec binaries.
mkdir -p %{buildroot}%{_libdir}/ssh

# x11-ssh-askpass is installed by hand instead of through its own install
# targets (kept below, commented out, for reference).
%if %{build_x11askpass}
pushd x11-ssh-askpass-%{aversion}
#make DESTDIR=%{buildroot} install
#make DESTDIR=%{buildroot} install.man
#install -d %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html
#install -m0644 x11-ssh-askpass.1.html %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html/
    install -d %{buildroot}%{_libdir}/ssh
    install -d %{buildroot}%{_sysconfdir}/X11/app-defaults
    # X resources, the helper binary, and its manual page
    install -m 644 SshAskpass.ad %{buildroot}%{_sysconfdir}/X11/app-defaults/SshAskpass
    install -m 755 x11-ssh-askpass %{buildroot}%{_libdir}/ssh/
    install -m 644 x11-ssh-askpass.man %{buildroot}%{_mandir}/man1/x11-ssh-askpass.1
popd
%endif
500 |
|
501 |
install -d %{buildroot}%{_sysconfdir}/profile.d/
%if %{build_gnomeaskpass}
install -m 755 contrib/gnome-ssh-askpass %{buildroot}%{_libdir}/ssh/gnome-ssh-askpass
%endif

# Login-shell snippets that point SSH_ASKPASS at the generic helper path.
# That path is registered through update-alternatives by the askpass
# subpackages, so it resolves to whichever dialog is installed.
echo "setenv SSH_ASKPASS %{_libdir}/ssh/ssh-askpass" > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.csh

echo "export SSH_ASKPASS=%{_libdir}/ssh/ssh-askpass" > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.sh

# The delimiter is quoted so the shell variables below are written literally
# into the snippet instead of being expanded at build time.
cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-client.sh <<'EOF'
# fix hanging ssh clients on exit
if [ -n "$BASH_VERSION" ]; then
shopt -s huponexit
elif [ -n "$ZSH_VERSION" ]; then
setopt hup
fi
EOF
522 |
|
523 |
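# ssh-copy-id script and its manual page. The install call already sets mode
# 755, so no separate chmod is needed afterwards.
install -m 755 %{SOURCE3} %{buildroot}/%{_bindir}/ssh-copy-id
install -m 644 contrib/ssh-copy-id.1 %{buildroot}/%{_mandir}/man1/

# create pre-authentication directory
# (this is the privilege separation path given to configure; it is created
# empty and is listed as a directory in the server file list)
install -d -m 755 %{buildroot}/var/empty

# remove unwanted files
# (the generic askpass path is provided through update-alternatives instead)
rm -f %{buildroot}%{_libdir}/ssh/ssh-askpass

# xinetd support (tv)
install -d -m 755 %{buildroot}%{_sysconfdir}/xinetd.d/
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/xinetd.d/sshd-xinetd

# Default sysconfig file: a single commented-out OPTIONS line.
cat > %{buildroot}%{_sysconfdir}/sysconfig/sshd << EOF
#OPTIONS=""
EOF

# avahi integration support (misc)
# NOTE(review): this installs a service description for avahi, which
# presumably announces the ssh service on the local network when avahi is
# running; confirm that announcing it by default is wanted.
mkdir -p %{buildroot}%{_sysconfdir}/avahi/services/
install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/avahi/services/%{name}.service

# systemd unit and the host key generation script; the other units are
# shipped as sources but not installed.
install -d -m 755 %{buildroot}%{_unitdir}
install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/sshd.service
#install -m 644 %{SOURCE23} %{buildroot}%{_unitdir}/sshd@.service
#install -m 644 %{SOURCE24} %{buildroot}%{_unitdir}/sshd-keygen.service
#install -m 644 %{SOURCE25} %{buildroot}%{_unitdir}/sshd.socket
install -m 755 %{SOURCE26} %{buildroot}%{_sbindir}/sshd-keygen

# make sure strip can touch it
# (the file list sets the final setuid mode 4711 on this helper)
chmod 755 %{buildroot}%{_libdir}/ssh/ssh-keysign

# The LDAP wrapper is only packaged in the ldap subpackage, so it only exists
# when build_ldap is on. Rewriting it unconditionally makes sed fail on the
# missing file and aborts the install stage for builds without LDAP.
%if %{build_ldap}
sed -e 's,\$LIB,%{_libdir},g' -i %buildroot%_libdir/ssh/ssh-ldap-wrapper
%endif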
556 |
|
557 |
%pre server
# Create the unprivileged sshd account before the server files are installed.
# The arguments are presumably name, home directory and login shell; the home
# is the empty privilege separation directory and the shell forbids logins.
%_pre_useradd sshd /var/empty /sbin/nologin

%post server
# do some key management; taken from the initscript
#
# Host keys are only created when missing, so an upgrade keeps the identity
# that clients already have on record.

# Key generation tool.
KEYGEN=/usr/bin/ssh-keygen

# Private key paths; each public half sits next to it with a .pub suffix.
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
568 |
|
569 |
# Create the SSH protocol 1 RSA host key at $RSA1_KEY unless a non-empty key
# file is already there. The key gets an empty comment and no passphrase, the
# private half is made owner-only and the public half world-readable.
# A failed generation ends the whole scriptlet with status 1.
# NOTE(review): this is a protocol 1 key; confirm that protocol 1 is still
# meant to be supported by this package before keeping it.
do_rsa1_keygen() {
    # A present, non-empty file counts as an existing key: leave it alone.
    if [ -s $RSA1_KEY ]; then
        return 0
    fi

    echo -n "Generating SSH1 RSA host key... "
    if ! $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >/dev/null 2>&1; then
        echo "failed"
        echo
        exit 1
    fi

    chmod 600 $RSA1_KEY
    chmod 644 $RSA1_KEY.pub
    echo "done"
    echo
}
584 |
|
585 |
# Create the SSH protocol 2 RSA host key at $RSA_KEY unless a non-empty key
# file is already there. The key gets an empty comment and no passphrase, the
# private half is made owner-only and the public half world-readable.
# A failed generation ends the whole scriptlet with status 1.
do_rsa_keygen() {
    # A present, non-empty file counts as an existing key: leave it alone.
    if [ -s $RSA_KEY ]; then
        return 0
    fi

    echo "Generating SSH2 RSA host key... "
    if ! $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null 2>&1; then
        echo "failed"
        echo
        exit 1
    fi

    chmod 600 $RSA_KEY
    chmod 644 $RSA_KEY.pub
    echo "done"
    echo
}
600 |
|
601 |
# Create the SSH protocol 2 DSA host key at $DSA_KEY unless a non-empty key
# file is already there. The key gets an empty comment and no passphrase, the
# private half is made owner-only and the public half world-readable.
# A failed generation ends the whole scriptlet with status 1.
do_dsa_keygen() {
    # A present, non-empty file counts as an existing key: leave it alone.
    if [ -s $DSA_KEY ]; then
        return 0
    fi

    echo "Generating SSH2 DSA host key... "
    if ! $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null 2>&1; then
        echo "failed"
        echo
        exit 1
    fi

    chmod 600 $DSA_KEY
    chmod 644 $DSA_KEY.pub
    echo "done"
    echo
}
616 |
|
617 |
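# Create the SSH protocol 2 ECDSA host key at $ECDSA_KEY unless a non-empty
# key file is already there.
#
# Reads:   $KEYGEN (key generation tool), $ECDSA_KEY (private key path)
# Writes:  $ECDSA_KEY (mode 600) and $ECDSA_KEY.pub (mode 644)
# Exits:   ends the whole scriptlet with status 1 when generation fails
#
# The key type requested is ecdsa. Requesting dsa here, as was done before,
# stores a DSA key under the ECDSA file name, so the server never gets a real
# ECDSA host key. Because an existing non-empty file is kept, a host that
# already holds such a mislabelled key is not repaired by this function alone.
do_ecdsa_keygen() {
    # A present, non-empty file counts as an existing key: leave it alone.
    if [ -s "$ECDSA_KEY" ]; then
        return 0
    fi

    echo "Generating SSH2 EC DSA host key... "
    # -C '' sets an empty comment, -N '' an empty passphrase; all output of
    # the tool is discarded and only its exit status is used.
    if ! $KEYGEN -q -t ecdsa -f "$ECDSA_KEY" -C '' -N '' >/dev/null 2>&1; then
        echo "failed"
        echo
        exit 1
    fi

    chmod 600 "$ECDSA_KEY"
    chmod 644 "$ECDSA_KEY.pub"
    echo "done"
    echo
}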
632 |
|
633 |
# Generate whichever host keys are still missing, in a fixed order. Any
# generator that fails ends the scriptlet before the service is registered.
for keygen_step in do_rsa1_keygen do_rsa_keygen do_dsa_keygen do_ecdsa_keygen; do
    $keygen_step
done
%_post_service sshd

%preun server
%_preun_service sshd

%postun server
# Remove the sshd account created by the pre scriptlet.
%_postun_userdel sshd
644 |
|
645 |
%if %{build_x11askpass}
%post askpass
# Register the X11 dialog as a provider of the generic askpass paths with
# priority 10 (the GNOME dialog registers itself with 20).
update-alternatives --install %{_libdir}/ssh/ssh-askpass ssh-askpass %{_libdir}/ssh/x11-ssh-askpass 10
update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libdir}/ssh/x11-ssh-askpass 10

%postun askpass
# The first argument is the number of installed copies left; anything other
# than 0 is an upgrade, where the registration must stay.
if ! [ $1 = 0 ]; then
    exit 0
fi
update-alternatives --remove ssh-askpass %{_libdir}/ssh/x11-ssh-askpass
update-alternatives --remove bssh-askpass %{_libdir}/ssh/x11-ssh-askpass
%endif
655 |
|
656 |
%if %{build_gnomeaskpass}
%post askpass-gnome
# Register the GNOME dialog as a provider of the generic askpass paths with
# priority 20 (the X11 dialog registers itself with 10).
update-alternatives --install %{_libdir}/ssh/ssh-askpass ssh-askpass %{_libdir}/ssh/gnome-ssh-askpass 20
update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass 20

%postun askpass-gnome
# The first argument is the number of installed copies left; anything other
# than 0 is an upgrade, where the registration must stay.
if ! [ $1 = 0 ]; then
    exit 0
fi
update-alternatives --remove ssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
update-alternatives --remove bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
%endif
666 |
|
667 |
%triggerpostun server -- openssh-server < 3.8p1
# Runs when a server package older than 3.8p1 is removed during an upgrade.
# If the system or sshd PAM stack authenticates through the ldap, winbind or
# mysql module, the commented-out UsePAM line in the installed sshd_config is
# replaced by an enabled one. The edit is made in place on the live file.
if grep -qE "^\W*auth\W+\w+\W+.*pam_(ldap|winbind|mysql)" /etc/pam.d/system-auth /etc/pam.d/sshd; then
    perl -pi -e 's|^#UsePAM no|UsePAM yes|' /etc/ssh/sshd_config
fi
671 |
|
672 |
%files |
673 |
%doc ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl |
674 |
%if %{build_ldap} |
675 |
%doc *.schema |
676 |
%endif |
677 |
%if %{build_watchdog} |
678 |
%doc CHANGES-openssh-watchdog openssh-watchdog.html |
679 |
%endif |
680 |
%if %{build_sftpcontrol} |
681 |
%doc README.sftpfilecontrol |
682 |
%endif |
683 |
%{_bindir}/ssh-keygen |
684 |
%dir %{_sysconfdir}/ssh |
685 |
%{_bindir}/ssh-keyscan |
686 |
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign |
687 |
%{_libdir}/ssh/ssh-pkcs11-helper |
688 |
%{_mandir}/man1/ssh-keygen.1* |
689 |
%{_mandir}/man1/ssh-keyscan.1* |
690 |
%{_mandir}/man8/ssh-keysign.8* |
691 |
%{_mandir}/man8/ssh-pkcs11-helper.8* |
692 |
|
693 |
%files clients |
694 |
%{_bindir}/scp |
695 |
%{_bindir}/ssh |
696 |
%{_bindir}/ssh-agent |
697 |
%{_bindir}/ssh-add |
698 |
%{_bindir}/ssh-copy-id |
699 |
%{_bindir}/slogin |
700 |
%{_bindir}/sftp |
701 |
%{_mandir}/man1/scp.1* |
702 |
%{_mandir}/man1/ssh-copy-id.1* |
703 |
%{_mandir}/man1/slogin.1* |
704 |
%{_mandir}/man1/ssh.1* |
705 |
%{_mandir}/man1/ssh-agent.1* |
706 |
%{_mandir}/man1/ssh-add.1* |
707 |
%{_mandir}/man1/sftp.1* |
708 |
%{_mandir}/man5/ssh_config.5* |
709 |
%config(noreplace) %{_sysconfdir}/ssh/ssh_config |
710 |
%{_sysconfdir}/profile.d/90ssh-client.sh |
711 |
|
712 |
%files server |
713 |
%config(noreplace) %{_sysconfdir}/sysconfig/sshd |
714 |
%{_sbindir}/sshd |
715 |
%{_sbindir}/sshd-keygen |
716 |
%dir %{_libdir}/ssh |
717 |
%{_libdir}/ssh/sftp-server |
718 |
%{_mandir}/man5/sshd_config.5* |
719 |
%{_mandir}/man5/moduli.5* |
720 |
%{_mandir}/man8/sshd.8* |
721 |
%{_mandir}/man8/sftp-server.8* |
722 |
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config |
723 |
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/denyusers |
724 |
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd |
725 |
%config(noreplace) %_sysconfdir/xinetd.d/sshd-xinetd |
726 |
%config(noreplace) %{_sysconfdir}/avahi/services/%{name}.service |
727 |
%config(noreplace) %{_sysconfdir}/ssh/moduli |
728 |
%{_unitdir}/sshd.service |
729 |
%dir /var/empty |
730 |
|
731 |
%files askpass-common |
732 |
%{_sysconfdir}/profile.d/90ssh-askpass.* |
733 |
|
734 |
%if %{build_x11askpass} |
735 |
%files askpass |
736 |
%doc x11-ssh-askpass-%{aversion}/README |
737 |
%doc x11-ssh-askpass-%{aversion}/ChangeLog |
738 |
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad |
739 |
%doc x11-ssh-askpass-%{aversion}/x11-ssh-askpass.1.html |
740 |
%{_libdir}/ssh/x11-ssh-askpass |
741 |
%{_sysconfdir}/X11/app-defaults/SshAskpass |
742 |
%{_mandir}/man1/x11-ssh-askpass.1* |
743 |
%endif |
744 |
|
745 |
%if %{build_gnomeaskpass} |
746 |
%files askpass-gnome |
747 |
%{_libdir}/ssh/gnome-ssh-askpass |
748 |
%endif |
749 |
|
750 |
%if %{build_ldap} |
751 |
%files ldap |
752 |
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema |
753 |
%config %{_sysconfdir}/ssh/ldap.conf |
754 |
%{_libdir}/ssh/ssh-ldap-helper |
755 |
%{_libdir}/ssh/ssh-ldap-wrapper |
756 |
%{_mandir}/man8/ssh-ldap-helper.8* |
757 |
%{_mandir}/man5/ssh-ldap.conf.5* |
758 |
%endif |