#
# Conditional build:
%bcond_without audit # sshd audit support
-%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility
-%bcond_without gtk # without GTK+ (2.x)
-%bcond_without ldap # with ldap support
-%bcond_without libedit # without libedit (editline/history support in sftp client)
-%bcond_without kerberos5 # without kerberos5 support
-%bcond_without selinux # build without SELinux support
+%bcond_with gnome # gnome-askpass (GNOME 1.x) utility
+%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility
+%bcond_without ldap # LDAP support
+%bcond_with ldns # DNSSEC support via libldns
+%bcond_without libedit # libedit (editline/history support in sftp client)
+%bcond_without kerberos5 # Kerberos5 support
+%bcond_without selinux # SELinux support
+%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel)
%bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
-%bcond_without tests
+%bcond_without tests # test suite
+%bcond_with tests_conch # run conch interoperability tests
# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 6.8p1
+Version: 9.0p1
Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 08f72de6751acfbd0892b5f003922701
+Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
+# Source0-md5: 5ed8252a0ee379c0f7c9e0d25d32424d
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
Source5: ssh-agent.sh
Source6: ssh-agent.conf
Source7: %{name}-lpk.schema
-Source8: %{name}d.upstart
Source9: sshd.service
Source10: sshd-keygen
Source11: sshd.socket
Source12: sshd@.service
-Patch0: %{name}-no_libnsl.patch
+Patch100: %{name}-git.patch
+# Patch100-md5: eb723cc4f21efc32752161d539c9c5e9
+Patch0: %{name}-no-pty-tests.patch
+Patch1: %{name}-tests-reuseport.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
-Patch10: %{name}-include.patch
+
Patch11: %{name}-chroot.patch
+Patch13: %{name}-skip-interop-tests.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
+Patch16: openssl3.0.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
-%{?with_tests:BuildRequires: %{name}-server}
%{?with_audit:BuildRequires: audit-libs-devel}
BuildRequires: autoconf >= 2.50
BuildRequires: automake
%{?with_gnome:BuildRequires: gnome-libs-devel}
%{?with_gtk:BuildRequires: gtk+2-devel}
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
+%{?with_ldns:BuildRequires: ldns-devel}
%{?with_libedit:BuildRequires: libedit-devel}
+BuildRequires: libfido2-devel >= 1.5.0
+%{?with_libseccomp:BuildRequires: libseccomp-devel}
%{?with_selinux:BuildRequires: libselinux-devel}
%{?with_ldap:BuildRequires: openldap-devel}
-BuildRequires: openssl-devel >= 0.9.8f
+BuildRequires: openssl-devel >= 1.1.0g
BuildRequires: pam-devel
%{?with_gtk:BuildRequires: pkgconfig}
+%if %{with tests} && %{with tests_conch}
+BuildRequires: python-TwistedConch
+%endif
BuildRequires: rpm >= 4.4.9-56
-BuildRequires: rpmbuild(macros) >= 1.627
+BuildRequires: rpmbuild(macros) >= 1.752
BuildRequires: sed >= 4.0
BuildRequires: zlib-devel >= 1.2.3
+%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
+BuildRequires: %{name}-server
+%endif
+%if %{with tests} && %{with libseccomp}
+# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
+BuildRequires: uname(release) >= 3.5
+%endif
Requires: zlib >= 1.2.3
%if "%{pld_release}" == "ac"
Requires: filesystem >= 2.0-1
Summary(uk.UTF-8): OpenSSH - клієнти протоколу Secure Shell
Group: Applications/Networking
Requires: %{name}
+Suggests: %{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
Provides: ssh-clients
Obsoletes: ssh-clients
%requires_eq_to openssl openssl-devel
%description clients-agent-xinitrc -l pl.UTF-8
Skrypty xinitrc do uruchamiania agenta SSH.
+%package clients-helper-fido
+Summary: OpenSSH helper for FIDO authenticator
+Summary(pl.UTF-8): OpenSSH helper obsługujący klucz autoryzujący FIDO
+Group: Applications/Networking
+Requires: %{name}-clients = %{epoch}:%{version}-%{release}
+Requires: libfido2 >= 1.5.0
+
+%description clients-helper-fido
+OpenSSH helper for FIDO authenticator.
+
+%description clients-helper-fido -l pl.UTF-8
+OpenSSH helper obsługujący klucz autoryzujący FIDO.
+
%package server
Summary: OpenSSH Secure Shell protocol server (sshd)
Summary(de.UTF-8): OpenSSH Secure Shell Protocol-Server (sshd)
Requires: pam >= %{pam_ver}
Requires: rc-scripts >= 0.4.3.0
Requires: systemd-units >= 38
+%{?with_libseccomp:Requires: uname(release) >= 3.5}
Requires: util-linux
%{?with_ldap:Suggests: %{name}-server-ldap}
Suggests: /bin/login
Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych
tokenów między serwerami w sieci.
-%package server-upstart
-Summary: Upstart job description for OpenSSH server
-Summary(pl.UTF-8): Opis zadania Upstart dla serwera OpenSSH
-Group: Daemons
-Requires: %{name}-server = %{epoch}:%{version}-%{release}
-Requires: upstart >= 0.6
-Conflicts: syslog-ng < 3.2.4-1
-
-%description server-upstart
-Upstart job description for OpenSSH.
-
-%description server-upstart -l pl.UTF-8
-Opis zadania Upstart dla OpenSSH.
-
%package gnome-askpass
Summary: OpenSSH GNOME passphrase dialog
Summary(de.UTF-8): OpenSSH GNOME Passwort-Dialog
Group: Networking/Daemons
Requires(post,postun): sed >= 4.0
Requires: openldap-servers
-%if "%{_rpmversion}" >= "5"
BuildArch: noarch
-%endif
%description -n openldap-schema-openssh-lpk
This package contains OpenSSH LDAP Public Key schema for openldap.
%prep
%setup -q
+%patch100 -p1
+
%patch0 -p1
+%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch8 -p1
%{?with_hpn:%patch9 -p1}
-%patch10 -p1
+
%patch11 -p1
+%patch13 -p1
+
%patch14 -p1
%{!?with_ldap:%patch15 -p1}
+%patch16 -p1
%if "%{pld_release}" == "ac"
# fix for missing x11.pc
%endif
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
-sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
+# prevent being ovewritten by aclocal calls
+%{__mv} aclocal.m4 acinclude.m4
+
%build
-cp /usr/share/automake/config.sub .
%{__aclocal}
%{__autoconf}
%{__autoheader}
--with-ipaddr-display \
%{?with_kerberos5:--with-kerberos5=/usr} \
--with-ldap%{!?with_ldap:=no} \
+ %{?with_ldns:--with-ldns} \
%{?with_libedit:--with-libedit} \
--with-mantype=man \
--with-md5-passwords \
--with-pam \
--with-pid-dir=%{_localstatedir}/run \
--with-privsep-path=%{_privsepdir} \
-%if "%{pld_release}" != "ac"
- --with-sandbox=seccomp_filter \
-%endif
+ --with-privsep-user=sshd \
+ --with-security-key-builtin \
%{?with_selinux:--with-selinux} \
%if "%{pld_release}" == "ac"
--with-xauth=/usr/X11R6/bin/xauth
%else
+%if %{with libseccomp}
+ --with-sandbox=seccomp_filter \
+%else
+ --with-sandbox=rlimit \
+%endif
--with-xauth=%{_bindir}/xauth
%endif
%{__make}
-%{?with_tests:%{__make} tests}
+%if %{with tests}
+%{__make} -j1 tests \
+ TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
+ TEST_SSH_TRACE="yes" \
+%if %{without tests_conch}
+ SKIP_LTESTS="conch-ciphers"
+%endif
+%endif
cd contrib
%if %{with gnome}
%install
rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \
+install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}}
install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}
-cp -p %{SOURCE3} sshd.pam
-install -p %{SOURCE2} sshd.init
-
-%if "%{pld_release}" == "ac"
-# not present in ac, no point searching it
-%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam
-# openssl on ac does not have OPENSSL_HAS_ECC
-%{__sed} -i -e '/ecdsa/d' sshd.init
-%endif
-
-%if %{without audit}
-# remove recording user's login uid to the process attribute
-%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam
-%endif
-
-install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
-ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
+ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
-cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf
-%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' %{SOURCE9} >$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service
-cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
+install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-cp -p %{SOURCE11} $RPM_BUILD_ROOT%{systemdunitdir}
-cp -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
+%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+ $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
+ $RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
+ $RPM_BUILD_ROOT%{systemdunitdir}/sshd@.service \
+ $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
%if %{with gnome}
install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-
touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd
cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
#SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
EOF
+%if "%{pld_release}" == "ac"
+# not present in ac, no point searching it
+%{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
+# openssl on ac does not have OPENSSL_HAS_ECC
+%{__sed} -i -e '/ecdsa/d' $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+%endif
+
+%if %{without audit}
+# remove recording user's login uid to the process attribute
+%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+
%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}
fi
%systemd_reload
+%triggerpostun server -- %{name}-server < 2:7.0p1-2
+%banner %{name}-server -e << EOF
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!
+! Starting from openssh 7.0 DSA keys are disabled !
+! on server and client side. You will NOT be able !
+! to use DSA keys for authentication. Please read !
+! about PubkeyAcceptedKeyTypes in man ssh_config. !
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+EOF
+
%triggerpostun server -- %{name}-server < 6.2p1-1
cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
EOF
fi
-%post server-upstart
-%upstart_post sshd
-
-%postun server-upstart
-%upstart_postun sshd
-
%post -n openldap-schema-openssh-lpk
%openldap_schema_register %{schemadir}/openssh-lpk.schema
%service -q ldap restart
%files clients
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/ssh
-%attr(755,root,root) %{_bindir}/slogin
%attr(755,root,root) %{_bindir}/sftp
%attr(755,root,root) %{_bindir}/ssh-agent
%attr(755,root,root) %{_bindir}/ssh-add
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh.1*
-%{_mandir}/man1/slogin.1*
%{_mandir}/man1/sftp.1*
%{_mandir}/man1/ssh-agent.1*
%{_mandir}/man1/ssh-add.1*
%defattr(644,root,root,755)
%attr(755,root,root) /etc/X11/xinit/xinitrc.d/ssh-agent.sh
+%files clients-helper-fido
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
+%{_mandir}/man8/ssh-sk-helper.8*
+
%files server
%defattr(644,root,root,755)
%attr(755,root,root) %{_sbindir}/sshd
%{_mandir}/man5/moduli.5*
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
-%attr(640,root,root) %{_sysconfdir}/moduli
+%{_sysconfdir}/moduli
%attr(754,root,root) /etc/rc.d/init.d/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd
%defattr(644,root,root,755)
%{schemadir}/openssh-lpk.schema
%endif
-
-%if "%{pld_release}" != "ti"
-%files server-upstart
-%defattr(644,root,root,755)
-%config(noreplace) %verify(not md5 mtime size) /etc/init/sshd.conf
-%endif