# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
-%if "%{pld_release}" != "ac"
-%define sandbox %{!?with_libseccomp:seccomp_filter}%{?with_seccomp:libseccomp_filter}
+%ifnarch x32
+# libseccomp requires 3.5 kernel, avoid such requirement where possible (non-x32 arches)
+%undefine with_libseccomp
+%endif
+
+%define sandbox %{?with_libseccomp:lib}seccomp_filter
+
+%ifarch x32
+%{!?with_libseccomp:%error openssh seccomp implementation is broken! do not disable libseccomp on x32}
%endif
%if "%{pld_release}" == "ac"
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 6.8p1
-Release: 5
+Version: 7.4p1
+Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 08f72de6751acfbd0892b5f003922701
+Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
+# Source0-md5: b2db2a83caf66a208bb78d6d287cdaa3
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
Source10: sshd-keygen
Source11: sshd.socket
Source12: sshd@.service
-Patch0: %{name}-no_libnsl.patch
+Patch1: %{name}-tests-reuseport.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
Patch9: %{name}-5.2p1-hpn13v6.diff
Patch10: %{name}-include.patch
Patch11: %{name}-chroot.patch
-
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
Patch16: libseccomp-sandbox.patch
%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
BuildRequires: %{name}-server
%endif
+%if %{with tests} && %{with libseccomp}
+# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
+BuildRequires: uname(release) >= 3.5
+%endif
Requires: zlib >= 1.2.3
%if "%{pld_release}" == "ac"
Requires: filesystem >= 2.0-1
Requires: pam >= %{pam_ver}
Suggests: xorg-app-xauth
%endif
-%{?with_libseccomp:Requires: uname(release) >= 3.5}
Obsoletes: ssh
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
Requires: pam >= %{pam_ver}
Requires: rc-scripts >= 0.4.3.0
Requires: systemd-units >= 38
+%{?with_libseccomp:Requires: uname(release) >= 3.5}
Requires: util-linux
%{?with_ldap:Suggests: %{name}-server-ldap}
Suggests: /bin/login
%prep
%setup -q
-%patch0 -p1
+%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%endif
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
-sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
+# prevent being ovewritten by aclocal calls
+mv aclocal.m4 acinclude.m4
+
%build
cp /usr/share/automake/config.sub .
%{__aclocal}
--with-pid-dir=%{_localstatedir}/run \
--with-privsep-path=%{_privsepdir} \
--with-privsep-user=sshd \
-%if "%{?sandbox}" != ""
- --with-sandbox=%{sandbox} \
-%endif
%{?with_selinux:--with-selinux} \
%if "%{pld_release}" == "ac"
--with-xauth=/usr/X11R6/bin/xauth
%else
+ --with-sandbox=%{sandbox} \
--with-xauth=%{_bindir}/xauth
%endif
%{__make}
-%{?with_tests:%{__make} tests}
+%{?with_tests:%{__make} -j1 tests}
cd contrib
%if %{with gnome}
cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+ $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
$RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-
touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd
cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
fi
%systemd_reload
+%triggerpostun server -- %{name}-server < 2:7.0p1-2
+%banner %{name}-server -e << EOF
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!
+! Starting from openssh 7.0 DSA keys are disabled !
+! on server and client side. You will NOT be able !
+! to use DSA keys for authentication. Please read !
+! about PubkeyAcceptedKeyTypes in man ssh_config. !
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+EOF
+
%triggerpostun server -- %{name}-server < 6.2p1-1
cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
%files clients
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/ssh
-%attr(755,root,root) %{_bindir}/slogin
%attr(755,root,root) %{_bindir}/sftp
%attr(755,root,root) %{_bindir}/ssh-agent
%attr(755,root,root) %{_bindir}/ssh-add
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh.1*
-%{_mandir}/man1/slogin.1*
%{_mandir}/man1/sftp.1*
%{_mandir}/man1/ssh-agent.1*
%{_mandir}/man1/ssh-add.1*