Rel 5; add upstream official fixes for stable release (https://lists.mindrot.org...

[packages/openssh.git] / openssh.spec

# TODO:
# - add trigger to enable this:
#  * sshd(8): This release turns on pre-auth sandboxing sshd by default for
#   new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
#
# Conditional build:
%bcond_without	audit		# sshd audit support
%bcond_with	gnome		# gnome-askpass (GNOME 1.x) utility
%bcond_without	gtk		# gnome-askpass (GTK+ 2.x) utility
%bcond_without	ldap		# LDAP support
%bcond_with	ldns		# DNSSEC support via libldns
%bcond_without	libedit		# libedit (editline/history support in sftp client)
%bcond_without	kerberos5	# Kerberos5 support
%bcond_without	selinux		# SELinux support
%bcond_without	libseccomp	# use libseccomp for seccomp privsep (requires 3.5 kernel)
%bcond_with	hpn		# High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
%bcond_without	tests		# test suite
%bcond_with	tests_conch	# run conch interoperability tests

# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}

%if "%{pld_release}" == "ac"
%define		pam_ver	0.79.0
%else
%define		pam_ver	1:1.1.8-5
%endif
Summary:	OpenSSH free Secure Shell (SSH) implementation
Summary(de.UTF-8):	OpenSSH - freie Implementation der Secure Shell (SSH)
Summary(es.UTF-8):	Implementación libre de SSH
Summary(fr.UTF-8):	Implémentation libre du shell sécurisé OpenSSH (SSH)
Summary(it.UTF-8):	Implementazione gratuita OpenSSH della Secure Shell
Summary(pl.UTF-8):	Publicznie dostępna implementacja bezpiecznego shella (SSH)
Summary(pt.UTF-8):	Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH)
Summary(pt_BR.UTF-8):	Implementação livre do SSH
Summary(ru.UTF-8):	OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8):	OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name:		openssh
Version:	8.9p1
Release:	5
Epoch:		2
License:	BSD
Group:		Applications/Networking
Source0:	https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
# Source0-md5:	f33910174f0af52491277211e2b105bb
Source1:	http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5:	66943d481cc422512b537bcc2c7400d1
Source2:	%{name}d.init
Source3:	%{name}d.pamd
Source4:	%{name}.sysconfig
Source5:	ssh-agent.sh
Source6:	ssh-agent.conf
Source7:	%{name}-lpk.schema
Source9:	sshd.service
Source10:	sshd-keygen
Source11:	sshd.socket
Source12:	sshd@.service
Patch100:	%{name}-git.patch
# Patch100-md5: xyz
Patch0:		%{name}-no-pty-tests.patch
Patch1:		%{name}-tests-reuseport.patch
Patch2:		%{name}-pam_misc.patch
Patch3:		%{name}-sigpipe.patch
# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
Patch4:		%{name}-ldap.patch
Patch5:		%{name}-ldap-fixes.patch
Patch6:		ldap.conf.patch
Patch7:		%{name}-config.patch
Patch8:		ldap-helper-sigpipe.patch
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9:		%{name}-5.2p1-hpn13v6.diff

Patch11:	%{name}-chroot.patch

Patch13:	%{name}-skip-interop-tests.patch
Patch14:	%{name}-bind.patch
Patch15:	%{name}-disable_ldap.patch
Patch16:	openssl3.0.patch
URL:		http://www.openssh.com/portable.html
BuildRequires:	%{__perl}
%{?with_audit:BuildRequires:	audit-libs-devel}
BuildRequires:	autoconf >= 2.50
BuildRequires:	automake
%{?with_gnome:BuildRequires:	gnome-libs-devel}
%{?with_gtk:BuildRequires:	gtk+2-devel}
%{?with_kerberos5:BuildRequires:	heimdal-devel >= 0.7}
%{?with_ldns:BuildRequires:	ldns-devel}
%{?with_libedit:BuildRequires:	libedit-devel}
BuildRequires:	libfido2-devel >= 1.5.0
%{?with_libseccomp:BuildRequires:	libseccomp-devel}
%{?with_selinux:BuildRequires:	libselinux-devel}
%{?with_ldap:BuildRequires:	openldap-devel}
BuildRequires:	openssl-devel >= 1.1.0g
BuildRequires:	pam-devel
%{?with_gtk:BuildRequires:	pkgconfig}
%if %{with tests} && %{with tests_conch}
BuildRequires:	python-TwistedConch
%endif
BuildRequires:	rpm >= 4.4.9-56
BuildRequires:	rpmbuild(macros) >= 1.752
BuildRequires:	sed >= 4.0
BuildRequires:	zlib-devel >= 1.2.3
%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
BuildRequires:	%{name}-server
%endif
%if %{with tests} && %{with libseccomp}
# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
BuildRequires:	uname(release) >= 3.5
%endif
Requires:	zlib >= 1.2.3
%if "%{pld_release}" == "ac"
Requires:	filesystem >= 2.0-1
Requires:	pam >= 0.79.0
%else
Requires:	filesystem >= 3.0-11
Requires:	pam >= %{pam_ver}
Suggests:	xorg-app-xauth
%endif
Obsoletes:	ssh
BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)

%define		_sysconfdir	/etc/ssh
%define		_libexecdir	%{_libdir}/%{name}
%define		_privsepdir	/usr/share/empty
%define		schemadir	/usr/share/openldap/schema

%description
Ssh (Secure Shell) a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to seperate libraries (OpenSSL).

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

%if %{with hpn}
This release includes High Performance SSH/SCP patches from
http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed to
increase throughput on fast connections with high RTT (20-150 msec).
See the website for '-w' values for your connection and /proc/sys TCP
values. BTW. in a LAN you have got generally RTT < 1 msec.
%endif

%description -l de.UTF-8
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es
ersetzt telnet, rlogin, rexec und rsh und stellt eine sichere,
verschlüsselte Verbindung zwischen zwei nicht vertrauenswürdigen Hosts
über eine unsicheres Netzwerk her. X11 Verbindungen und beliebige
andere TCP/IP Ports können ebenso über den sicheren Channel
weitergeleitet werden.

%description -l es.UTF-8
SSH es un programa para accesar y ejecutar órdenes en computadores
remotos. Sustituye rlogin y rsh, y suministra un canal de comunicación
seguro entre dos servidores en una red insegura. Conexiones X11 y
puertas TCP/IP arbitrárias también pueden ser usadas por el canal
seguro.

OpenSSH es el resultado del trabajo del equipo de OpenBSD para
continuar la última versión gratuita de SSH, actualizándolo en
términos de seguridad y recursos,así también eliminando todos los
algoritmos patentados y colocándolos en bibliotecas separadas
(OpenSSL).

Este paquete contiene "port" para Linux de OpenSSH. Se debe instalar
también el paquete openssh-clients u openssh-server o ambos.

%description -l fr.UTF-8
OpenSSH (Secure Shell) fournit un accès à un système distant. Il
remplace telnet, rlogin, rexec et rsh, tout en assurant des
communications cryptées securisées entre deux hôtes non fiabilisés sur
un réseau non sécurisé. Des connexions X11 et des ports TCP/IP
arbitraires peuvent également être transmis sur le canal sécurisé.

%description -l it.UTF-8
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni
sicure e crittate tra due host non fidati su una rete non sicura. Le
connessioni X11 ad una porta TCP/IP arbitraria possono essere
inoltrate attraverso un canale sicuro.

%description -l pl.UTF-8
Ssh (Secure Shell) to program służący do logowania się na zdalną
maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
pomiędzy dwoma hostami.

Ten pakiet zawiera podstawowe pliki potrzebne zarówno po stronie
klienta jak i serwera OpenSSH. Aby był użyteczny, trzeba zainstalować
co najmniej jeden z pakietów: openssh-clients lub openssh-server.

%if %{with hpn}
Ta wersja zawiera łaty z projektu High Performance SSH/SCP
http://www.psc.edu/networking/projects/hpn-ssh/, które mają na celu
zwiększenie przepustowości transmisji dla szybkich połączeń z dużym
RTT (20-150 msec). Na stronie projektu znaleźć można odpowednie dla
danego połączenia wartości parametru '-w' oraz opcje /proc/sys dla
TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec.
%endif

%description -l pt.UTF-8
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e
cifradas entre duas máquinas sem confiança mútua sobre uma rede
insegura. Ligações X11 e portos TCP/IP arbitrários também poder ser
reenviados pelo canal seguro.

%description -l pt_BR.UTF-8
SSH é um programa para acessar e executar comandos em máquinas
remotas. Ele substitui rlogin e rsh, e provem um canal de comunicação
seguro entre dois hosts em uma rede insegura. Conexões X11 e portas
TCP/IP arbitrárias também podem ser usadas pelo canal seguro.

OpenSSH é o resultado do trabalho da equipe do OpenBSD em continuar a
última versão gratuita do SSH, atualizando-o em termos de segurança e
recursos, assim como removendo todos os algoritmos patenteados e
colocando-os em bibliotecas separadas (OpenSSL).

Esse pacote contém o "port" pra Linux do OpenSSH. Você deve instalar
também ou o pacote openssh-clients, ou o openssh-server, ou ambos.

%description -l ru.UTF-8
Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
машину и для выполнения команд на удаленной машине. Она предназначена
для замены rlogin и rsh и обеспечивает безопасную шифрованную
коммуникацию между двумя хостами в сети, являющейся небезопасной.
Соединения X11 и любые порты TCP/IP могут также быть проведены через
безопасный канал.

OpenSSH - это переделка командой разработчиков OpenBSD последней
свободной версии SSH, доведенная до современного состояния в терминах
уровня безопасности и поддерживаемых возможностей. Все патентованные
алгоритмы вынесены в отдельные библиотеки (OpenSSL).

Этот пакет содержит файлы, необходимые как для клиента, так и для
сервера OpenSSH. Вам нужно будет установить еще openssh-clients,
openssh-server, или оба пакета.

%description -l uk.UTF-8
Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
машини та для виконання команд на віддаленій машині. Вона призначена
для заміни rlogin та rsh і забезпечує безпечну шифровану комунікацію
між двома хостами в мережі, яка не є безпечною. З'єднання X11 та
довільні порти TCP/IP можуть також бути проведені через безпечний
канал.

OpenSSH - це переробка командою розробників OpenBSD останньої вільної
версії SSH, доведена до сучасного стану в термінах рівня безпеки та
підтримуваних можливостей. Всі патентовані алгоритми винесені до
окремих бібліотек (OpenSSL).

Цей пакет містить файли, необхідні як для клієнта, так і для сервера
OpenSSH. Вам потрібно буде ще встановити openssh-clients,
openssh-server, чи обидва пакети.

%package clients
Summary:	OpenSSH Secure Shell protocol clients
Summary(es.UTF-8):	Clientes de OpenSSH
Summary(pl.UTF-8):	Klienci protokołu Secure Shell
Summary(pt_BR.UTF-8):	Clientes do OpenSSH
Summary(ru.UTF-8):	OpenSSH - клиенты протокола Secure Shell
Summary(uk.UTF-8):	OpenSSH - клієнти протоколу Secure Shell
Group:		Applications/Networking
Requires:	%{name}
Suggests:	%{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
Provides:	ssh-clients
Obsoletes:	ssh-clients
%requires_eq_to	openssl	openssl-devel

%description clients
Ssh (Secure Shell) a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to seperate libraries (OpenSSL).

This package includes the clients necessary to make encrypted
connections to SSH servers.

%description clients -l es.UTF-8
Este paquete incluye los clientes que se necesitan para hacer
conexiones codificadas con servidores SSH.

%description clients -l pl.UTF-8
Ssh (Secure Shell) to program służący do logowania się na zdalną
maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
pomiędzy dwoma hostami.

Ten pakiet zawiera klientów służących do łączenia się z serwerami SSH.

%description clients -l pt_BR.UTF-8
Esse pacote inclui os clientes necessários para fazer conexões
encriptadas com servidores SSH.

%description clients -l ru.UTF-8
Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
машину и для выполнения команд на удаленной машине.

Этот пакет содержит программы-клиенты, необходимые для установления
зашифрованных соединений с серверами SSH.

%description clients -l uk.UTF-8
Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
машини та для виконання команд на віддаленій машині.

Цей пакет містить програми-клієнти, необхідні для встановлення
зашифрованих з'єднань з серверами SSH.

%package clients-agent-profile_d
Summary:	OpenSSH Secure Shell agent init script
Summary(pl.UTF-8):	Skrypt startowy agenta OpenSSH
Group:		Applications/Networking
Requires:	%{name}-clients = %{epoch}:%{version}-%{release}

%description clients-agent-profile_d
profile.d scripts for starting SSH agent.

%description clients-agent-profile_d -l pl.UTF-8
Skrypty profile.d do uruchamiania agenta SSH.

%package clients-agent-xinitrc
Summary:	OpenSSH Secure Shell agent init script
Summary(pl.UTF-8):	Skrypt inicjujący agenta ssh przez xinitrc
Group:		Applications/Networking
Requires:	%{name}-clients-agent-profile_d = %{epoch}:%{version}-%{release}
Requires:	xinitrc

%description clients-agent-xinitrc
xinitrc scripts for starting SSH agent.

%description clients-agent-xinitrc -l pl.UTF-8
Skrypty xinitrc do uruchamiania agenta SSH.

%package clients-helper-fido
Summary:	OpenSSH helper for FIDO authenticator
Summary(pl.UTF-8):	OpenSSH helper obsługujący klucz autoryzujący FIDO
Group:		Applications/Networking
Requires:	%{name}-clients = %{epoch}:%{version}-%{release}
Requires:	libfido2 >= 1.5.0

%description clients-helper-fido
OpenSSH helper for FIDO authenticator.

%description clients-helper-fido -l pl.UTF-8
OpenSSH helper obsługujący klucz autoryzujący FIDO.

%package server
Summary:	OpenSSH Secure Shell protocol server (sshd)
Summary(de.UTF-8):	OpenSSH Secure Shell Protocol-Server (sshd)
Summary(es.UTF-8):	Servidor OpenSSH para comunicaciones codificadas
Summary(fr.UTF-8):	Serveur de protocole du shell sécurisé OpenSSH (sshd)
Summary(it.UTF-8):	Server OpenSSH per il protocollo Secure Shell (sshd)
Summary(pl.UTF-8):	Serwer protokołu Secure Shell (sshd)
Summary(pt.UTF-8):	Servidor do protocolo 'Secure Shell' OpenSSH (sshd)
Summary(pt_BR.UTF-8):	Servidor OpenSSH para comunicações encriptadas
Summary(ru.UTF-8):	OpenSSH - сервер протокола Secure Shell (sshd)
Summary(uk.UTF-8):	OpenSSH - сервер протоколу Secure Shell (sshd)
Group:		Networking/Daemons
Requires(post):	/sbin/chkconfig
Requires(post):	grep
Requires(post,preun):	/sbin/chkconfig
Requires(postun):	/usr/sbin/userdel
Requires(pre):	/bin/id
Requires(pre):	/usr/sbin/useradd
Requires(post,preun,postun):	systemd-units >= 38
Requires:	%{name} = %{epoch}:%{version}-%{release}
Requires:	pam >= %{pam_ver}
Requires:	rc-scripts >= 0.4.3.0
Requires:	systemd-units >= 38
%{?with_libseccomp:Requires:	uname(release) >= 3.5}
Requires:	util-linux
%{?with_ldap:Suggests:	%{name}-server-ldap}
Suggests:	/bin/login
Suggests:	xorg-app-xauth
Provides:	ssh-server
Provides:	user(sshd)
%requires_eq_to	openssl	openssl-devel

%description server
Ssh (Secure Shell) a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to seperate libraries (OpenSSL).

This package contains the secure shell daemon. The sshd is the server
part of the secure shell protocol and allows ssh clients to connect to
your host.

%description server -l de.UTF-8
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.

%description server -l es.UTF-8
Este paquete contiene el servidor SSH. sshd es la parte servidor del
protocolo secure shell y permite que clientes ssh se conecten a su
servidor.

%description server -l fr.UTF-8
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.

%description server -l it.UTF-8
Questo pacchetto installa sshd, il server di OpenSSH.

%description server -l pl.UTF-8
Ssh (Secure Shell) to program służący do logowania się na zdalną
maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
pomiędzy dwoma hostami.

Ten pakiet zawiera serwer sshd (do którego mogą łączyć się klienci
ssh).

%description server -l pt.UTF-8
Este pacote intala o sshd, o servidor do OpenSSH.

%description server -l pt_BR.UTF-8
Esse pacote contém o servidor SSH. O sshd é a parte servidor do
protocolo secure shell e permite que clientes ssh se conectem ao seu
host.

%description server -l ru.UTF-8
Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
машину и для выполнения команд на удаленной машине.

Этот пакет содержит sshd - "демон" Secure Shell. sshd - это серверная
часть протокола Secure Shell, позволяющая клиентам ssh соединяться с
вашим хостом.

%description server -l uk.UTF-8
Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
машини та для виконання команд на віддаленій машині.

Цей пакет містить sshd - "демон" Secure Shell. sshd - це серверна
частина протоколу Secure Shell, яка дозволяє клієнтам ssh зв'язуватись
з вашим хостом.

%package server-ldap
Summary:	A LDAP support for open source SSH server daemon
Summary(pl.UTF-8):	Wsparcie LDAP dla serwera OpenSSH
Group:		Daemons
Requires:	%{name} = %{epoch}:%{version}-%{release}
Requires:	openldap-nss-config

%description server-ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens
among the servers in the network.

%description server-ldap -l pl.UTF-8
Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych
tokenów między serwerami w sieci.

%package gnome-askpass
Summary:	OpenSSH GNOME passphrase dialog
Summary(de.UTF-8):	OpenSSH GNOME Passwort-Dialog
Summary(es.UTF-8):	Diálogo para introducción de passphrase para GNOME
Summary(fr.UTF-8):	Dialogue pass-phrase GNOME d'OpenSSH
Summary(it.UTF-8):	Finestra di dialogo GNOME per la frase segreta di OpenSSH
Summary(pl.UTF-8):	Odpytywacz hasła OpenSSH dla GNOME
Summary(pt.UTF-8):	Diálogo de pedido de senha para GNOME do OpenSSH
Summary(pt_BR.UTF-8):	Diálogo para entrada de passphrase para GNOME
Summary(ru.UTF-8):	OpenSSH - диалог ввода ключевой фразы (passphrase) для GNOME
Summary(uk.UTF-8):	OpenSSH - діалог вводу ключової фрази (passphrase) для GNOME
Group:		Applications/Networking
Requires:	%{name} = %{epoch}:%{version}-%{release}
Obsoletes:	openssh-askpass
Obsoletes:	ssh-askpass
Obsoletes:	ssh-extras

%description gnome-askpass
Ssh (Secure Shell) a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to seperate libraries (OpenSSL).

This package contains the GNOME passphrase dialog.

%description gnome-askpass -l es.UTF-8
Este paquete contiene un programa que abre una caja de diálogo para
entrada de passphrase en GNOME.

%description gnome-askpass -l pl.UTF-8
Ssh (Secure Shell) to program służący do logowania się na zdalną
maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
pomiędzy dwoma hostami.

Ten pakiet zawiera ,,odpytywacz hasła'' dla GNOME.

%description gnome-askpass -l pt_BR.UTF-8
Esse pacote contém um programa que abre uma caixa de diálogo para
entrada de passphrase no GNOME.

%description gnome-askpass -l ru.UTF-8
Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
машину и для выполнения команд на удаленной машине.

Этот пакет содержит диалог ввода ключевой фразы для использования под
GNOME.

%description gnome-askpass -l uk.UTF-8
Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
машини та для виконання команд на віддаленій машині.

Цей пакет містить діалог вводу ключової фрази для використання під
GNOME.

%package -n openldap-schema-openssh-lpk
Summary:	OpenSSH LDAP Public Key schema
Summary(pl.UTF-8):	Schemat klucza publicznego LDAP dla OpenSSH
Group:		Networking/Daemons
Requires(post,postun):	sed >= 4.0
Requires:	openldap-servers
BuildArch:	noarch

%description -n openldap-schema-openssh-lpk
This package contains OpenSSH LDAP Public Key schema for openldap.

%description -n openldap-schema-openssh-lpk -l pl.UTF-8
Ten pakiet zawiera schemat klucza publicznego LDAP dla OpenSSH dla
openldap-a.

%prep
%setup -q
%patch100 -p1

%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1

%{?with_hpn:%patch9 -p1}

%patch11 -p1

%patch13 -p1

%patch14 -p1
%{!?with_ldap:%patch15 -p1}
%patch16 -p1

%if "%{pld_release}" == "ac"
# fix for missing x11.pc
%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
%endif

# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*

grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'

# prevent being ovewritten by aclocal calls
%{__mv} aclocal.m4 acinclude.m4

%build
%{__aclocal}
%{__autoconf}
%{__autoheader}
CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
%configure \
	PERL=%{__perl} \
	--disable-strip \
	--enable-utmpx \
	--enable-wtmpx \
	--with-4in6 \
	%{?with_audit:--with-audit=linux} \
	--with-ipaddr-display \
	%{?with_kerberos5:--with-kerberos5=/usr} \
	--with-ldap%{!?with_ldap:=no} \
	%{?with_ldns:--with-ldns} \
	%{?with_libedit:--with-libedit} \
	--with-mantype=man \
	--with-md5-passwords \
	--with-pam \
	--with-pid-dir=%{_localstatedir}/run \
	--with-privsep-path=%{_privsepdir} \
	--with-privsep-user=sshd \
	--with-security-key-builtin \
	%{?with_selinux:--with-selinux} \
%if "%{pld_release}" == "ac"
	--with-xauth=/usr/X11R6/bin/xauth
%else
%if %{with libseccomp}
	--with-sandbox=seccomp_filter \
%else
	--with-sandbox=rlimit \
%endif
	--with-xauth=%{_bindir}/xauth
%endif

echo '#define LOGIN_PROGRAM		   "/bin/login"' >>config.h

%{__make}

%if %{with tests}
%{__make} -j1 tests \
	TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
	TEST_SSH_TRACE="yes" \
%if %{without tests_conch}
	SKIP_LTESTS="conch-ciphers"
%endif
%endif

cd contrib
%if %{with gnome}
%{__make} gnome-ssh-askpass1 \
	CC="%{__cc} %{rpmldflags} %{rpmcflags}"
%endif
%if %{with gtk}
%{__make} gnome-ssh-askpass2 \
	CC="%{__cc} %{rpmldflags} %{rpmcflags}"
%endif

%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
	$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}}
install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}

%{__make} install \
	DESTDIR=$RPM_BUILD_ROOT

bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}

install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}

cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen

%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
	$RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
	$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
	$RPM_BUILD_ROOT%{systemdunitdir}/sshd@.service \
	$RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen

%if %{with gnome}
install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
%endif
%if %{with gtk}
install -p contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
%endif
%if %{with gnome} || %{with gtk}
cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_SERVER
#GNOME_SSH_ASKPASS_GRAB_SERVER="true"
EOF
cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_POINTER
#GNOME_SSH_ASKPASS_GRAB_POINTER="true"
EOF
ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass
%endif

install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1

touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd

cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
#SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
EOF

%if "%{pld_release}" == "ac"
# not present in ac, no point searching it
%{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
# openssl on ac does not have OPENSSL_HAS_ECC
%{__sed} -i -e '/ecdsa/d' $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
%endif

%if %{without audit}
# remove recording user's login uid to the process attribute
%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif

%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}

%clean
rm -rf $RPM_BUILD_ROOT

%post clients
%env_update

%postun clients
%env_update

%post gnome-askpass
%env_update

%postun gnome-askpass
%env_update

%pre server
%useradd -P %{name}-server -u 40 -d %{_privsepdir} -s /bin/false -c "OpenSSH PrivSep User" -g nobody sshd

%post server
/sbin/chkconfig --add sshd
%service sshd reload "OpenSSH Daemon"
NORESTART=1
%systemd_post sshd.service

%preun server
if [ "$1" = "0" ]; then
	%service sshd stop
	/sbin/chkconfig --del sshd
fi
%systemd_preun sshd.service

%postun server
if [ "$1" = "0" ]; then
	%userremove sshd
fi
%systemd_reload

%triggerpostun server -- %{name}-server < 2:7.0p1-2
%banner %{name}-server -e << EOF
!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!
! Starting from openssh 7.0 DSA keys are disabled !
! on server and client side. You will NOT be able !
! to use DSA keys for authentication. Please read !
! about PubkeyAcceptedKeyTypes in man ssh_config. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
EOF

%triggerpostun server -- %{name}-server < 6.2p1-1
cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config

%triggerpostun server -- %{name}-server < 2:5.9p1-8
# lpk.patch to ldap.patch
if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
	echo >&2 "Migrating LPK patch to LDAP patch"
	cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
	%{__sed} -i -e '
		# disable old configs
		# just UseLPK/LkpLdapConf supported for now
		s/^\s*UseLPK/## Obsolete &/
		s/^\s*Lpk/## Obsolete &/
		# Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys
		/UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper
	' %{_sysconfdir}/sshd_config
	if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then
		/bin/systemctl try-restart sshd.service || :
	else
		%service -q sshd reload
	fi
fi
%systemd_trigger sshd.service
if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then
%banner %{name}-server -e << EOF
!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!
! Native systemd support for sshd has been installed.   !
! Restarting sshd.service with systemctl WILL kill all  !
! active ssh sessions (daemon as such will be started). !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
EOF
fi

%post -n openldap-schema-openssh-lpk
%openldap_schema_register %{schemadir}/openssh-lpk.schema
%service -q ldap restart

%postun -n openldap-schema-openssh-lpk
if [ "$1" = "0" ]; then
	%openldap_schema_unregister %{schemadir}/openssh-lpk.schema
	%service -q ldap restart
fi

%files
%defattr(644,root,root,755)
%doc TODO README OVERVIEW CREDITS Change*
%attr(755,root,root) %{_bindir}/ssh-key*
#%attr(755,root,root) %{_bindir}/ssh-vulnkey*
%{_mandir}/man1/ssh-key*.1*
#%{_mandir}/man1/ssh-vulnkey*.1*
%dir %{_sysconfdir}
%dir %{_libexecdir}

%files clients
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/ssh
%attr(755,root,root) %{_bindir}/sftp
%attr(755,root,root) %{_bindir}/ssh-agent
%attr(755,root,root) %{_bindir}/ssh-add
%attr(755,root,root) %{_bindir}/ssh-copy-id
%attr(755,root,root) %{_bindir}/scp
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh.1*
%{_mandir}/man1/sftp.1*
%{_mandir}/man1/ssh-agent.1*
%{_mandir}/man1/ssh-add.1*
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man5/ssh_config.5*
%lang(it) %{_mandir}/it/man1/ssh.1*
%lang(it) %{_mandir}/it/man5/ssh_config.5*
%lang(pl) %{_mandir}/pl/man1/scp.1*
%lang(zh_CN) %{_mandir}/zh_CN/man1/scp.1*

# for host-based auth (suid required for accessing private host key)
#%attr(4755,root,root) %{_libexecdir}/ssh-keysign
#%{_mandir}/man8/ssh-keysign.8*

%files clients-agent-profile_d
%defattr(644,root,root,755)
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh-agent.conf
%attr(755,root,root) /etc/profile.d/ssh-agent.sh

%files clients-agent-xinitrc
%defattr(644,root,root,755)
%attr(755,root,root) /etc/X11/xinit/xinitrc.d/ssh-agent.sh

%files clients-helper-fido
%defattr(644,root,root,755)
%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
%{_mandir}/man8/ssh-sk-helper.8*

%files server
%defattr(644,root,root,755)
%attr(755,root,root) %{_sbindir}/sshd
%attr(755,root,root) %{_libexecdir}/sftp-server
%attr(755,root,root) %{_libexecdir}/ssh-keysign
%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper
%attr(755,root,root) %{_libexecdir}/sshd-keygen
%{_mandir}/man8/sshd.8*
%{_mandir}/man8/sftp-server.8*
%{_mandir}/man8/ssh-keysign.8*
%{_mandir}/man8/ssh-pkcs11-helper.8*
%{_mandir}/man5/sshd_config.5*
%{_mandir}/man5/moduli.5*
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
%{_sysconfdir}/moduli
%attr(754,root,root) /etc/rc.d/init.d/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd
%{systemdunitdir}/sshd.service
%{systemdunitdir}/sshd.socket
%{systemdunitdir}/sshd@.service

%if %{with ldap}
%files server-ldap
%defattr(644,root,root,755)
%doc HOWTO.ldap-keys ldap.conf
%attr(755,root,root) %{_libexecdir}/ssh-ldap-helper
%attr(755,root,root) %{_libexecdir}/ssh-ldap-wrapper
%{_mandir}/man5/ssh-ldap.conf.5*
%{_mandir}/man8/ssh-ldap-helper.8*
%endif

%if %{with gnome} || %{with gtk}
%files gnome-askpass
%defattr(644,root,root,755)
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/GNOME_SSH_ASKPASS*
%dir %{_libexecdir}/ssh
%attr(755,root,root) %{_libexecdir}/ssh/ssh-askpass
%attr(755,root,root) %{_libexecdir}/ssh-askpass
%endif

%if %{with ldap}
%files -n openldap-schema-openssh-lpk
%defattr(644,root,root,755)
%{schemadir}/openssh-lpk.schema
%endif