X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh.spec;h=e902e0ad96575c00fdda9e6a7292e6bccc402f95;hb=be127028d17a22eee12f6025f166ccf1a0072183;hp=dad1e8b45d4f4800cd1b60800f110c4009404680;hpb=2faa36da5b80dbd9f326a5dee5f4831e4e986dc5;p=packages%2Fopenssh.git diff --git a/openssh.spec b/openssh.spec index dad1e8b..e902e0a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -5,22 +5,35 @@ # # Conditional build: %bcond_without audit # sshd audit support -%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility -%bcond_without gtk # without GTK+ (2.x) -%bcond_without ldap # with ldap support -%bcond_without libedit # without libedit (editline/history support in sftp client) -%bcond_without kerberos5 # without kerberos5 support -%bcond_without selinux # build without SELinux support +%bcond_with gnome # gnome-askpass (GNOME 1.x) utility +%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility +%bcond_without ldap # LDAP support +%bcond_with ldns # DNSSEC support via libldns +%bcond_without libedit # libedit (editline/history support in sftp client) +%bcond_without kerberos5 # Kerberos5 support +%bcond_without selinux # SELinux support +%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel) %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) -%bcond_without tests +%bcond_without tests # test suite # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} +%ifnarch x32 +# libseccomp requires 3.5 kernel, avoid such requirement where possible (non-x32 arches) +%undefine with_libseccomp +%endif + +%define sandbox %{?with_libseccomp:lib}seccomp_filter + +%ifarch x32 +%{!?with_libseccomp:%error openssh seccomp implementation is broken! do not disable libseccomp on x32} +%endif + %if "%{pld_release}" == "ac" %define pam_ver 0.79.0 %else -%define pam_ver 1:1.1.5-5 +%define pam_ver 1:1.1.8-5 %endif Summary: OpenSSH free Secure Shell (SSH) implementation Summary(de.UTF-8): OpenSSH - freie Implementation der Secure Shell (SSH) @@ -33,13 +46,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 6.3p1 +Version: 7.5p1 Release: 1 Epoch: 2 License: BSD Group: Applications/Networking -Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 225e75c9856f76011966013163784038 +Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz +# Source0-md5: 652fdc7d8392f112bef11cacf7e69e23 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -48,50 +61,55 @@ Source4: %{name}.sysconfig Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema -Source8: %{name}d.upstart Source9: sshd.service Source10: sshd-keygen Source11: sshd.socket Source12: sshd@.service -Patch0: %{name}-no_libnsl.patch +Patch0: %{name}-ldns.patch +Patch1: %{name}-tests-reuseport.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch # http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree Patch4: %{name}-ldap.patch Patch5: %{name}-ldap-fixes.patch -Patch8: ldap.conf.patch -Patch6: %{name}-config.patch - +Patch6: ldap.conf.patch +Patch7: %{name}-config.patch +Patch8: ldap-helper-sigpipe.patch # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/ # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz Patch9: %{name}-5.2p1-hpn13v6.diff Patch10: %{name}-include.patch Patch11: %{name}-chroot.patch -# http://people.debian.org/~cjwatson/%{name}-blacklist.diff -Patch12: %{name}-blacklist.diff -Patch13: %{name}-kuserok.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch +Patch16: libseccomp-sandbox.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} -%{?with_tests:BuildRequires: %{name}-server} %{?with_audit:BuildRequires: audit-libs-devel} BuildRequires: autoconf >= 2.50 BuildRequires: automake %{?with_gnome:BuildRequires: gnome-libs-devel} %{?with_gtk:BuildRequires: gtk+2-devel} %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} +%{?with_ldns:BuildRequires: ldns-devel} %{?with_libedit:BuildRequires: libedit-devel} +BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} -BuildRequires: libwrap-devel %{?with_ldap:BuildRequires: openldap-devel} -BuildRequires: openssl-devel >= 0.9.7d +BuildRequires: openssl-devel >= 1.0.1 BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} BuildRequires: rpm >= 4.4.9-56 BuildRequires: rpmbuild(macros) >= 1.627 BuildRequires: sed >= 4.0 BuildRequires: zlib-devel >= 1.2.3 +%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?) +BuildRequires: %{name}-server +%endif +%if %{with tests} && %{with libseccomp} +# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag +BuildRequires: uname(release) >= 3.5 +%endif Requires: zlib >= 1.2.3 %if "%{pld_release}" == "ac" Requires: filesystem >= 2.0-1 @@ -99,7 +117,6 @@ Requires: pam >= 0.79.0 %else Requires: filesystem >= 3.0-11 Requires: pam >= %{pam_ver} -Suggests: openssh-blacklist Suggests: xorg-app-xauth %endif Obsoletes: ssh @@ -347,12 +364,12 @@ Requires(pre): /bin/id Requires(pre): /usr/sbin/useradd Requires(post,preun,postun): systemd-units >= 38 Requires: %{name} = %{epoch}:%{version}-%{release} -# remove in 6.0, kept for flawless upgrade -%{?with_ldap:Requires: %{name}-server-ldap = %{epoch}:%{version}-%{release}} Requires: pam >= %{pam_ver} Requires: rc-scripts >= 0.4.3.0 Requires: systemd-units >= 38 +%{?with_libseccomp:Requires: uname(release) >= 3.5} Requires: util-linux +%{?with_ldap:Suggests: %{name}-server-ldap} Suggests: /bin/login Suggests: xorg-app-xauth Provides: ssh-server @@ -426,6 +443,7 @@ Summary: A LDAP support for open source SSH server daemon Summary(pl.UTF-8): Wsparcie LDAP dla serwera OpenSSH Group: Daemons Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: openldap-nss-config %description server-ldap OpenSSH LDAP backend is a way how to distribute the authorized tokens @@ -435,20 +453,6 @@ among the servers in the network. Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych tokenów między serwerami w sieci. -%package server-upstart -Summary: Upstart job description for OpenSSH server -Summary(pl.UTF-8): Opis zadania Upstart dla serwera OpenSSH -Group: Daemons -Requires: %{name}-server = %{epoch}:%{version}-%{release} -Requires: upstart >= 0.6 -Conflicts: syslog-ng < 3.2.4-1 - -%description server-upstart -Upstart job description for OpenSSH. - -%description server-upstart -l pl.UTF-8 -Opis zadania Upstart dla OpenSSH. - %package gnome-askpass Summary: OpenSSH GNOME passphrase dialog Summary(de.UTF-8): OpenSSH GNOME Passwort-Dialog @@ -529,38 +533,43 @@ openldap-a. %prep %setup -q %patch0 -p1 +%patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch8 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 -%patch12 -p1 -%patch13 -p1 + %patch14 -p1 %{!?with_ldap:%patch15 -p1} +%{?with_libseccomp:%patch16 -p1} %if "%{pld_release}" == "ac" # fix for missing x11.pc -%{__sed} -i -e '/pkg-config/s/ x11//' contrib/Makefile +%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile %endif # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa -sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* +sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ %{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' +# prevent being ovewritten by aclocal calls +%{__mv} aclocal.m4 acinclude.m4 + %build cp /usr/share/automake/config.sub . %{__aclocal} %{__autoconf} %{__autoheader} -CPPFLAGS="-DCHROOT" +CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" %configure \ PERL=%{__perl} \ --disable-strip \ @@ -571,18 +580,19 @@ CPPFLAGS="-DCHROOT" --with-ipaddr-display \ %{?with_kerberos5:--with-kerberos5=/usr} \ --with-ldap%{!?with_ldap:=no} \ + %{?with_ldns:--with-ldns} \ %{?with_libedit:--with-libedit} \ --with-mantype=man \ --with-md5-passwords \ --with-pam \ --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ - --with-sandbox=seccomp_filter \ + --with-privsep-user=sshd \ %{?with_selinux:--with-selinux} \ - --with-tcp-wrappers \ %if "%{pld_release}" == "ac" --with-xauth=/usr/X11R6/bin/xauth %else + --with-sandbox=%{sandbox} \ --with-xauth=%{_bindir}/xauth %endif @@ -590,7 +600,7 @@ echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h %{__make} -%{?with_tests:%{__make} tests} +%{?with_tests:%{__make} -j1 tests} cd contrib %if %{with gnome} @@ -604,7 +614,7 @@ cd contrib %install rm -rf $RPM_BUILD_ROOT -install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \ +install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \ $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}} install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} @@ -613,35 +623,21 @@ install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir} -cp -p %{SOURCE3} sshd.pam -install -p %{SOURCE2} sshd.init - -%if "%{pld_release}" == "ac" -# not present in ac, no point searching it -%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam -# openssl on ac does not have OPENSSL_HAS_ECC -%{__sed} -i -e '/ecdsa/d' sshd.init -%endif - -%if %{without audit} -# remove recording user's login uid to the process attribute -%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam -%endif - -install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d -ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh +ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} -cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf -%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' %{SOURCE9} >$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service -cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen +cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir} +install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen -cp -p %{SOURCE11} $RPM_BUILD_ROOT%{systemdunitdir} -cp -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir} +%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \ + $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \ + $RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \ + $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen %if %{with gnome} install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass @@ -662,15 +658,24 @@ ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 -%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 -echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 - touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS #SSH_ASKPASS="%{_libexecdir}/ssh-askpass" EOF +%if "%{pld_release}" == "ac" +# not present in ac, no point searching it +%{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd +# openssl on ac does not have OPENSSL_HAS_ECC +%{__sed} -i -e '/ecdsa/d' $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen +%endif + +%if %{without audit} +# remove recording user's login uid to the process attribute +%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif + %{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages %{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf} @@ -711,6 +716,16 @@ if [ "$1" = "0" ]; then fi %systemd_reload +%triggerpostun server -- %{name}-server < 2:7.0p1-2 +%banner %{name}-server -e << EOF +!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!! +! Starting from openssh 7.0 DSA keys are disabled ! +! on server and client side. You will NOT be able ! +! to use DSA keys for authentication. Please read ! +! about PubkeyAcceptedKeyTypes in man ssh_config. ! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +EOF + %triggerpostun server -- %{name}-server < 6.2p1-1 cp -f %{_sysconfdir}/sshd_config{,.rpmorig} sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config @@ -745,12 +760,6 @@ if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then EOF fi -%post server-upstart -%upstart_post sshd - -%postun server-upstart -%upstart_postun sshd - %post -n openldap-schema-openssh-lpk %openldap_schema_register %{schemadir}/openssh-lpk.schema %service -q ldap restart @@ -765,16 +774,15 @@ fi %defattr(644,root,root,755) %doc TODO README OVERVIEW CREDITS Change* %attr(755,root,root) %{_bindir}/ssh-key* -%attr(755,root,root) %{_bindir}/ssh-vulnkey* +#%attr(755,root,root) %{_bindir}/ssh-vulnkey* %{_mandir}/man1/ssh-key*.1* -%{_mandir}/man1/ssh-vulnkey*.1* +#%{_mandir}/man1/ssh-vulnkey*.1* %dir %{_sysconfdir} %dir %{_libexecdir} %files clients %defattr(644,root,root,755) %attr(755,root,root) %{_bindir}/ssh -%attr(755,root,root) %{_bindir}/slogin %attr(755,root,root) %{_bindir}/sftp %attr(755,root,root) %{_bindir}/ssh-agent %attr(755,root,root) %{_bindir}/ssh-add @@ -784,7 +792,6 @@ fi %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS %{_mandir}/man1/scp.1* %{_mandir}/man1/ssh.1* -%{_mandir}/man1/slogin.1* %{_mandir}/man1/sftp.1* %{_mandir}/man1/ssh-agent.1* %{_mandir}/man1/ssh-add.1* @@ -855,9 +862,3 @@ fi %defattr(644,root,root,755) %{schemadir}/openssh-lpk.schema %endif - -%if "%{pld_release}" != "ti" -%files server-upstart -%defattr(644,root,root,755) -%config(noreplace) %verify(not md5 mtime size) /etc/init/sshd.conf -%endif