X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh.spec;h=d7661d0cd32e64848891ea32f1c8e2472534c1cc;hb=141a04d1fdecda5efd3d0588eff5dd8b65ba3856;hp=2025d55c16ef043023e84ecb792fa75062aa8c71;hpb=4ec733f691bac68bc86a804667a51f36a15b4c83;p=packages%2Fopenssh.git diff --git a/openssh.spec b/openssh.spec index 2025d55..d7661d0 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,7 +1,10 @@ -# TODO -# - configure: WARNING: unrecognized options: --with-dns, --disable-suid-ssh +# TODO: +# - add trigger to enable this: +# * sshd(8): This release turns on pre-auth sandboxing sshd by default for +# new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. # # Conditional build: +%bcond_without audit # sshd audit support %bcond_with gnome # with gnome-askpass (GNOME 1.x) utility %bcond_without gtk # without GTK+ (2.x) %bcond_without ldap # with ldap support @@ -9,6 +12,7 @@ %bcond_without kerberos5 # without kerberos5 support %bcond_without selinux # build without SELinux support %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) +%bcond_without tests # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} @@ -16,7 +20,7 @@ %if "%{pld_release}" == "ac" %define pam_ver 0.79.0 %else -%define pam_ver 0.99.7.1 +%define pam_ver 1:1.1.5-5 %endif Summary: OpenSSH free Secure Shell (SSH) implementation @@ -30,13 +34,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 5.5p1 -Release: 4 +Version: 6.1p1 +Release: 2 Epoch: 2 License: BSD Group: Applications/Networking Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 88633408f4cb1eb11ec7e2ec58b519eb +# Source0-md5: 3345cbf4efe90ffb06a78670ab2d05d5 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -46,14 +50,21 @@ Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema Source8: %{name}d.upstart +Source9: sshd.service +Source10: sshd-keygen +Source11: sshd.socket +Source12: sshd@.service Patch100: %{name}-heimdal.patch Patch0: %{name}-no_libnsl.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch -# http://code.google.com/p/openssh-lpk/ -Patch4: %{name}-lpk.patch -Patch5: %{name}-config.patch -Patch7: %{name}-selinux.patch +# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree +Patch4: %{name}-5.9p1-ldap.patch +Patch5: %{name}-5.9p1-ldap-fixes.patch +Patch8: ldap.conf.patch +Patch6: %{name}-config.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=1663 +Patch7: authorized-keys-command.patch # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/ # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz Patch9: %{name}-5.2p1-hpn13v6.diff @@ -61,9 +72,14 @@ Patch10: %{name}-include.patch Patch11: %{name}-chroot.patch # http://people.debian.org/~cjwatson/%{name}-blacklist.diff Patch12: %{name}-blacklist.diff -URL: http://www.openssh.com/ +Patch13: %{name}-kuserok.patch +Patch14: %{name}-bind.patch +Patch15: %{name}-disable_ldap.patch +URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} -BuildRequires: autoconf +%{?with_tests:BuildRequires: %{name}-server} +%{?with_audit:BuildRequires: audit-libs-devel} +BuildRequires: autoconf >= 2.50 BuildRequires: automake %{?with_gnome:BuildRequires: gnome-libs-devel} %{?with_gtk:BuildRequires: gtk+2-devel} @@ -76,9 +92,10 @@ BuildRequires: openssl-devel >= 0.9.7d BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} BuildRequires: rpm >= 4.4.9-56 -BuildRequires: rpmbuild(macros) >= 1.318 +BuildRequires: rpmbuild(macros) >= 1.627 BuildRequires: sed >= 4.0 -BuildRequires: zlib-devel +BuildRequires: zlib-devel >= 1.2.3 +Requires: zlib >= 1.2.3 %if "%{pld_release}" == "ac" Requires: filesystem >= 2.0-1 Requires: pam >= 0.79.0 @@ -96,26 +113,6 @@ BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %define _privsepdir /usr/share/empty %define schemadir /usr/share/openldap/schema -## to be moved to rpm-build-macros -## TODO: handle RPM_SKIP_AUTO_RESTART - -# migrate from init script to upstart job -%define upstart_post() \ - if [ -f /var/lock/subsys/"%1" ] ; then \ - /sbin/service --no-upstart "%1" stop \ - /sbin/service "%1" start \ - else \ - /sbin/service "%1" try-restart \ - fi - -# restart the job after upgrade or migrate to init script on removal -%define upstart_postun() \ - if [ -x /sbin/initctl ] && /sbin/initctl status "%1" 2>/dev/null | grep -q 'running' ; then \ - /sbin/initctl stop "%1" 2>/dev/null \ - [ -f "/etc/rc.d/init.d/%1" -o -f "/etc/init/%1.conf" ] && /sbin/service "%1" start \ - fi - - %description Ssh (Secure Shell) a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace @@ -350,11 +347,16 @@ Requires(post,preun): /sbin/chkconfig Requires(postun): /usr/sbin/userdel Requires(pre): /bin/id Requires(pre): /usr/sbin/useradd +Requires(post,preun,postun): systemd-units >= 38 Requires: %{name} = %{epoch}:%{version}-%{release} +# remove in 6.0, kept for flawless upgrade +%{?with_ldap:Requires: %{name}-server-ldap = %{epoch}:%{version}-%{release}} Requires: pam >= %{pam_ver} Requires: rc-scripts >= 0.4.3.0 +Requires: systemd-units >= 38 Requires: util-linux Suggests: /bin/login +Suggests: xorg-app-xauth Provides: ssh-server Provides: user(sshd) @@ -420,12 +422,27 @@ Ssh (Secure Shell) - це програма для "заходу" (login) до в частина протоколу Secure Shell, яка дозволяє клієнтам ssh зв'язуватись з вашим хостом. +%package server-ldap +Summary: A LDAP support for open source SSH server daemon +Summary(pl.UTF-8): Wsparcie LDAP dla serwera OpenSSH +Group: Daemons +Requires: %{name} = %{epoch}:%{version}-%{release} + +%description server-ldap +OpenSSH LDAP backend is a way how to distribute the authorized tokens +among the servers in the network. + +%description server-ldap -l pl.UTF-8 +Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych +tokenów między serwerami w sieci. + %package server-upstart Summary: Upstart job description for OpenSSH server Summary(pl.UTF-8): Opis zadania Upstart dla serwera OpenSSH Group: Daemons Requires: %{name}-server = %{epoch}:%{version}-%{release} Requires: upstart >= 0.6 +Conflicts: syslog-ng < 3.2.4-1 %description server-upstart Upstart job description for OpenSSH. @@ -513,52 +530,67 @@ openldap-a. %patch0 -p1 %patch2 -p1 %patch3 -p1 -%{?with_ldap:%patch4 -p1} +%patch4 -p1 %patch5 -p1 +%patch8 -p1 +%patch6 -p1 %patch7 -p1 %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%{!?with_ldap:%patch15 -p1} %if "%{pld_release}" == "ac" # fix for missing x11.pc %{__sed} -i -e '/pkg-config/s/ x11//' contrib/Makefile %endif +# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa +sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* + +grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ +%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' + %build cp /usr/share/automake/config.sub . %{__aclocal} %{__autoconf} +%{__autoheader} CPPFLAGS="-DCHROOT" %configure \ PERL=%{__perl} \ - --with-dns \ - --with-pam \ - --with-mantype=man \ - --with-md5-passwords \ - --with-ipaddr-display \ - %{?with_libedit:--with-libedit} \ + --disable-strip \ + --enable-utmpx \ + --enable-wtmpx \ --with-4in6 \ - --disable-suid-ssh \ - --with-tcp-wrappers \ - %{?with_ldap:--with-libs="-lldap -llber"} \ - %{?with_ldap:--with-cppflags="-DWITH_LDAP_PUBKEY"} \ + %{?with_audit:--with-audit=linux} \ + --with-ipaddr-display \ %{?with_kerberos5:--with-kerberos5=/usr} \ - --with-privsep-path=%{_privsepdir} \ + --with-ldap%{!?with_ldap:=no} \ + %{?with_libedit:--with-libedit} \ + --with-mantype=man \ + --with-md5-passwords \ + --with-pam \ + --with-authorized-keys-command \ --with-pid-dir=%{_localstatedir}/run \ + --with-privsep-path=%{_privsepdir} \ + %{?with_selinux:--with-selinux} \ + --with-tcp-wrappers \ %if "%{pld_release}" == "ac" - --with-xauth=/usr/X11R6/bin/xauth \ + --with-xauth=/usr/X11R6/bin/xauth %else - --with-xauth=/usr/bin/xauth \ + --with-xauth=%{_bindir}/xauth %endif - --enable-utmpx \ - --enable-wtmpx echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h %{__make} +%{?with_tests:%{__make} tests} + cd contrib %if %{with gnome} %{__make} gnome-ssh-askpass1 \ @@ -572,7 +604,7 @@ cd contrib %install rm -rf $RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \ - $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}} + $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}} install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} %{__make} install \ @@ -580,21 +612,36 @@ install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir} -install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -install %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd -install %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd -install %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d +cp -p %{SOURCE3} sshd.pam +install -p %{SOURCE2} sshd.init + +%if "%{pld_release}" == "ac" +# not present in ac, no point searching it +%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam +# openssl on ac does not have OPENSSL_HAS_ECC +%{__sed} -i -e '/ecdsa/d' sshd.init +%endif + +install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd +cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh -install %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} -install %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} +cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} +cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} +cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf + +%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' %{SOURCE9} >$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service +cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen -install %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf +cp -p %{SOURCE11} $RPM_BUILD_ROOT%{systemdunitdir} +cp -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir} %if %{with gnome} -install contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass +install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass %endif %if %{with gtk} -install contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass +install -p contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass %endif %if %{with gnome} || %{with gtk} cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_SERVER @@ -606,10 +653,10 @@ EOF ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass %endif -install contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} -install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 +install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} +cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 -rm -f $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 +%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd @@ -618,8 +665,8 @@ cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS #SSH_ASKPASS="%{_libexecdir}/ssh-askpass" EOF -rm -f $RPM_BUILD_ROOT%{_datadir}/Ssh.bin # ??? -rm -f $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages +%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages +%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf} %clean rm -rf $RPM_BUILD_ROOT @@ -641,22 +688,52 @@ rm -rf $RPM_BUILD_ROOT %post server /sbin/chkconfig --add sshd -%service sshd reload "openssh daemon" -if ! grep -qs ssh /etc/security/passwd.conf ; then - umask 022 - echo "ssh" >> /etc/security/passwd.conf -fi +%service sshd reload "OpenSSH Daemon" +NORESTART=1 +%systemd_post sshd.service %preun server if [ "$1" = "0" ]; then %service sshd stop /sbin/chkconfig --del sshd fi +%systemd_preun sshd.service %postun server if [ "$1" = "0" ]; then %userremove sshd fi +%systemd_reload + +%triggerpostun server -- %{name}-server < 2:5.9p1-8 +# lpk.patch to ldap.patch +if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then + echo >&2 "Migrating LPK patch to LDAP patch" + cp -f %{_sysconfdir}/sshd_config{,.rpmorig} + %{__sed} -i -e ' + # disable old configs + # just UseLPK/LkpLdapConf supported for now + s/^\s*UseLPK/## Obsolete &/ + s/^\s*Lpk/## Obsolete &/ + # Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys + /UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper + ' %{_sysconfdir}/sshd_config + if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then + /bin/systemctl try-restart sshd.service || : + else + %service -q sshd reload + fi +fi +%systemd_trigger sshd.service +if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then +%banner %{name}-server -e << EOF +!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!! +! Native systemd support for sshd has been installed. ! +! Restarting sshd.service with systemctl WILL kill all ! +! active ssh sessions (daemon as such will be started). ! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +EOF +fi %post server-upstart %upstart_post sshd @@ -676,7 +753,7 @@ fi %files %defattr(644,root,root,755) -%doc *.RNG TODO README OVERVIEW CREDITS Change* +%doc TODO README OVERVIEW CREDITS Change* %attr(755,root,root) %{_bindir}/ssh-key* %attr(755,root,root) %{_bindir}/ssh-vulnkey* %{_mandir}/man1/ssh-key*.1* @@ -727,6 +804,7 @@ fi %attr(755,root,root) %{_libexecdir}/sftp-server %attr(755,root,root) %{_libexecdir}/ssh-keysign %attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper +%attr(755,root,root) %{_libexecdir}/sshd-keygen %{_mandir}/man8/sshd.8* %{_mandir}/man8/sftp-server.8* %{_mandir}/man8/ssh-keysign.8* @@ -739,6 +817,19 @@ fi %attr(754,root,root) /etc/rc.d/init.d/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd +%{systemdunitdir}/sshd.service +%{systemdunitdir}/sshd.socket +%{systemdunitdir}/sshd@.service + +%if %{with ldap} +%files server-ldap +%defattr(644,root,root,755) +%doc HOWTO.ldap-keys ldap.conf +%attr(755,root,root) %{_libexecdir}/ssh-ldap-helper +%attr(755,root,root) %{_libexecdir}/ssh-ldap-wrapper +%{_mandir}/man5/ssh-ldap.conf.5* +%{_mandir}/man8/ssh-ldap-helper.8* +%endif %if %{with gnome} || %{with gtk} %files gnome-askpass