X-Git-Url: http://git.pld-linux.org/?p=packages%2Fopenssh.git;a=blobdiff_plain;f=openssh.spec;h=543aa6d5611045a7ae863ea4991d13d81128439d;hp=086213593788b4f664561a6eb4a84aa00d676a02;hb=f149ec4d6a7dfd4eca5be5bd7dfd1069d519e3dc;hpb=ea57cfec478a92b27a640b015ade50ad9fa83ecf diff --git a/openssh.spec b/openssh.spec index 0862135..543aa6d 100644 --- a/openssh.spec +++ b/openssh.spec @@ -5,23 +5,20 @@ # # Conditional build: %bcond_without audit # sshd audit support -%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility -%bcond_without gtk # without GTK+ (2.x) -%bcond_without ldap # with ldap support -%bcond_without libedit # without libedit (editline/history support in sftp client) -%bcond_without kerberos5 # without kerberos5 support -%bcond_without selinux # build without SELinux support +%bcond_with gnome # gnome-askpass (GNOME 1.x) utility +%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility +%bcond_without ldap # LDAP support +%bcond_with ldns # DNSSEC support via libldns +%bcond_without libedit # libedit (editline/history support in sftp client) +%bcond_without kerberos5 # Kerberos5 support +%bcond_without selinux # SELinux support %bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel) %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) -%bcond_without tests +%bcond_without tests # test suite # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} -%if "%{pld_release}" != "ac" -%define sandbox %{!?with_libseccomp:seccomp_filter}%{?with_seccomp:libseccomp_filter} -%endif - %if "%{pld_release}" == "ac" %define pam_ver 0.79.0 %else @@ -38,13 +35,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 6.8p1 -Release: 5 +Version: 8.0p1 +Release: 2 Epoch: 2 License: BSD Group: Applications/Networking -Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 08f72de6751acfbd0892b5f003922701 +Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz +# Source0-md5: bf050f002fe510e1daecd39044e1122d Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -57,7 +54,7 @@ Source9: sshd.service Source10: sshd-keygen Source11: sshd.socket Source12: sshd@.service -Patch0: %{name}-no_libnsl.patch +Patch1: %{name}-tests-reuseport.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch # http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree @@ -71,10 +68,10 @@ Patch8: ldap-helper-sigpipe.patch Patch9: %{name}-5.2p1-hpn13v6.diff Patch10: %{name}-include.patch Patch11: %{name}-chroot.patch +Patch12: openssh-bug-2905.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch -Patch16: libseccomp-sandbox.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} %{?with_audit:BuildRequires: audit-libs-devel} @@ -83,11 +80,12 @@ BuildRequires: automake %{?with_gnome:BuildRequires: gnome-libs-devel} %{?with_gtk:BuildRequires: gtk+2-devel} %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} +%{?with_ldns:BuildRequires: ldns-devel} %{?with_libedit:BuildRequires: libedit-devel} BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} %{?with_ldap:BuildRequires: openldap-devel} -BuildRequires: openssl-devel >= 0.9.8f +BuildRequires: openssl-devel >= 1.1.0g BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} BuildRequires: rpm >= 4.4.9-56 @@ -110,7 +108,6 @@ Requires: filesystem >= 3.0-11 Requires: pam >= %{pam_ver} Suggests: xorg-app-xauth %endif -%{?with_libseccomp:Requires: uname(release) >= 3.5} Obsoletes: ssh BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) @@ -359,6 +356,7 @@ Requires: %{name} = %{epoch}:%{version}-%{release} Requires: pam >= %{pam_ver} Requires: rc-scripts >= 0.4.3.0 Requires: systemd-units >= 38 +%{?with_libseccomp:Requires: uname(release) >= 3.5} Requires: util-linux %{?with_ldap:Suggests: %{name}-server-ldap} Suggests: /bin/login @@ -523,7 +521,7 @@ openldap-a. %prep %setup -q -%patch0 -p1 +%patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 @@ -535,10 +533,10 @@ openldap-a. %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 +%patch12 -p1 %patch14 -p1 %{!?with_ldap:%patch15 -p1} -%{?with_libseccomp:%patch16 -p1} %if "%{pld_release}" == "ac" # fix for missing x11.pc @@ -546,13 +544,13 @@ openldap-a. %endif # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa -sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* +sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ %{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' # prevent being ovewritten by aclocal calls -mv aclocal.m4 acinclude.m4 +%{__mv} aclocal.m4 acinclude.m4 %build cp /usr/share/automake/config.sub . @@ -570,6 +568,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-ipaddr-display \ %{?with_kerberos5:--with-kerberos5=/usr} \ --with-ldap%{!?with_ldap:=no} \ + %{?with_ldns:--with-ldns} \ %{?with_libedit:--with-libedit} \ --with-mantype=man \ --with-md5-passwords \ @@ -577,13 +576,11 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ --with-privsep-user=sshd \ -%if "%{?sandbox}" != "" - --with-sandbox=%{sandbox} \ -%endif %{?with_selinux:--with-selinux} \ %if "%{pld_release}" == "ac" --with-xauth=/usr/X11R6/bin/xauth %else + --with-sandbox=seccomp_filter \ --with-xauth=%{_bindir}/xauth %endif @@ -591,7 +588,11 @@ echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h %{__make} -%{?with_tests:%{__make} tests} +%if %{with tests} +%{__make} -j1 tests \ + TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \ + TEST_SSH_TRACE="yes" +%endif cd contrib %if %{with gnome} @@ -625,7 +626,8 @@ cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir} install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen -%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \ +%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \ + $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \ $RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \ $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen @@ -648,9 +650,6 @@ ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 -%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 -echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 - touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS @@ -709,6 +708,16 @@ if [ "$1" = "0" ]; then fi %systemd_reload +%triggerpostun server -- %{name}-server < 2:7.0p1-2 +%banner %{name}-server -e << EOF +!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!! +! Starting from openssh 7.0 DSA keys are disabled ! +! on server and client side. You will NOT be able ! +! to use DSA keys for authentication. Please read ! +! about PubkeyAcceptedKeyTypes in man ssh_config. ! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +EOF + %triggerpostun server -- %{name}-server < 6.2p1-1 cp -f %{_sysconfdir}/sshd_config{,.rpmorig} sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config @@ -766,7 +775,6 @@ fi %files clients %defattr(644,root,root,755) %attr(755,root,root) %{_bindir}/ssh -%attr(755,root,root) %{_bindir}/slogin %attr(755,root,root) %{_bindir}/sftp %attr(755,root,root) %{_bindir}/ssh-agent %attr(755,root,root) %{_bindir}/ssh-add @@ -776,7 +784,6 @@ fi %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS %{_mandir}/man1/scp.1* %{_mandir}/man1/ssh.1* -%{_mandir}/man1/slogin.1* %{_mandir}/man1/sftp.1* %{_mandir}/man1/ssh-agent.1* %{_mandir}/man1/ssh-add.1* @@ -815,7 +822,7 @@ fi %{_mandir}/man5/moduli.5* %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd -%attr(640,root,root) %{_sysconfdir}/moduli +%{_sysconfdir}/moduli %attr(754,root,root) /etc/rc.d/init.d/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd