X-Git-Url: http://git.pld-linux.org/?p=packages%2Fopenssh.git;a=blobdiff_plain;f=openssh.spec;h=88090fdfbe78fa5a89124eba5bf289f1831501b7;hp=624a2cd3ee44174adf48964c057641ba62f12689;hb=d3fc9aae922242138aaa88b27f29e9e74a1713d1;hpb=eefe27ae6647b1858c0200fdaa4ae58f6d182b7b

diff --git a/openssh.spec b/openssh.spec
index 624a2cd..88090fd 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,3 +1,7 @@
+# TODO:
+# - add trigger to enable this:
+#  * sshd(8): This release turns on pre-auth sandboxing sshd by default for
+#   new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
 #
 # Conditional build:
 %bcond_without	audit		# sshd audit support
@@ -8,6 +12,7 @@
 %bcond_without	kerberos5	# without kerberos5 support
 %bcond_without	selinux		# build without SELinux support
 %bcond_with	hpn		# High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
+%bcond_without	tests
 
 # gtk2-based gnome-askpass means no gnome1-based
 %{?with_gtk:%undefine with_gnome}
@@ -15,9 +20,8 @@
 %if "%{pld_release}" == "ac"
 %define		pam_ver	0.79.0
 %else
-%define		pam_ver	0.99.7.1
+%define		pam_ver	1:1.1.8-5
 %endif
-
 Summary:	OpenSSH free Secure Shell (SSH) implementation
 Summary(de.UTF-8):	OpenSSH - freie Implementation der Secure Shell (SSH)
 Summary(es.UTF-8):	Implementación libre de SSH
@@ -29,13 +33,13 @@ Summary(pt_BR.UTF-8):	Implementação livre do SSH
 Summary(ru.UTF-8):	OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8):	OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:		openssh
-Version:	5.9p1
-Release:	7
+Version:	6.8p1
+Release:	3
 Epoch:		2
 License:	BSD
 Group:		Applications/Networking
 Source0:	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5:	b50a499fa02616a47984b1920848b565
+# Source0-md5:	08f72de6751acfbd0892b5f003922701
 Source1:	http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5:	66943d481cc422512b537bcc2c7400d1
 Source2:	%{name}d.init
@@ -45,28 +49,31 @@ Source5:	ssh-agent.sh
 Source6:	ssh-agent.conf
 Source7:	%{name}-lpk.schema
 Source8:	%{name}d.upstart
-Patch100:	%{name}-heimdal.patch
+Source9:	sshd.service
+Source10:	sshd-keygen
+Source11:	sshd.socket
+Source12:	sshd@.service
 Patch0:		%{name}-no_libnsl.patch
 Patch2:		%{name}-pam_misc.patch
 Patch3:		%{name}-sigpipe.patch
 # http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
-Patch4:		%{name}-5.9p1-ldap.patch
-Patch5:		%{name}-5.9p1-ldap-fixes.patch
-Patch8:		ldap.conf.patch
-Patch6:		%{name}-config.patch
-# https://bugzilla.mindrot.org/show_bug.cgi?id=1663
-Patch7:		authorized-keys-command.patch
+Patch4:		%{name}-ldap.patch
+Patch5:		%{name}-ldap-fixes.patch
+Patch6:		ldap.conf.patch
+Patch7:		%{name}-config.patch
+Patch8:		ldap-helper-sigpipe.patch
 # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
 # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
 Patch9:		%{name}-5.2p1-hpn13v6.diff
 Patch10:	%{name}-include.patch
 Patch11:	%{name}-chroot.patch
-# http://people.debian.org/~cjwatson/%{name}-blacklist.diff
-Patch12:	%{name}-blacklist.diff
-Patch13:	%{name}-kuserok.patch
+
 Patch14:	%{name}-bind.patch
+Patch15:	%{name}-disable_ldap.patch
+Patch16:	libseccomp-sandbox.patch
 URL:		http://www.openssh.com/portable.html
 BuildRequires:	%{__perl}
+%{?with_tests:BuildRequires:	%{name}-server}
 %{?with_audit:BuildRequires:	audit-libs-devel}
 BuildRequires:	autoconf >= 2.50
 BuildRequires:	automake
@@ -74,23 +81,25 @@ BuildRequires:	automake
 %{?with_gtk:BuildRequires:	gtk+2-devel}
 %{?with_kerberos5:BuildRequires:	heimdal-devel >= 0.7}
 %{?with_libedit:BuildRequires:	libedit-devel}
+BuildRequires:	libseccomp-devel
 %{?with_selinux:BuildRequires:	libselinux-devel}
-BuildRequires:	libwrap-devel
 %{?with_ldap:BuildRequires:	openldap-devel}
-BuildRequires:	openssl-devel >= 0.9.7d
+BuildRequires:	openssl-devel >= 0.9.8f
 BuildRequires:	pam-devel
 %{?with_gtk:BuildRequires:	pkgconfig}
 BuildRequires:	rpm >= 4.4.9-56
-BuildRequires:	rpmbuild(macros) >= 1.318
+BuildRequires:	rpmbuild(macros) >= 1.627
 BuildRequires:	sed >= 4.0
-BuildRequires:	zlib-devel
+# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
+%{?with_tests:BuildRequires:	uname(release) >= 3.5}
+BuildRequires:	zlib-devel >= 1.2.3
+Requires:	zlib >= 1.2.3
 %if "%{pld_release}" == "ac"
 Requires:	filesystem >= 2.0-1
 Requires:	pam >= 0.79.0
 %else
 Requires:	filesystem >= 3.0-11
 Requires:	pam >= %{pam_ver}
-Suggests:	openssh-blacklist
 Suggests:	xorg-app-xauth
 %endif
 Obsoletes:	ssh
@@ -247,6 +256,7 @@ Group:		Applications/Networking
 Requires:	%{name}
 Provides:	ssh-clients
 Obsoletes:	ssh-clients
+%requires_eq_to	openssl	openssl-devel
 
 %description clients
 Ssh (Secure Shell) a program for logging into a remote machine and for
@@ -335,15 +345,18 @@ Requires(post,preun):	/sbin/chkconfig
 Requires(postun):	/usr/sbin/userdel
 Requires(pre):	/bin/id
 Requires(pre):	/usr/sbin/useradd
+Requires(post,preun,postun):	systemd-units >= 38
 Requires:	%{name} = %{epoch}:%{version}-%{release}
-# remove in 6.0, kept for flawless upgrade
-Requires:	%{name}-server-ldap = %{epoch}:%{version}-%{release}
 Requires:	pam >= %{pam_ver}
 Requires:	rc-scripts >= 0.4.3.0
+Requires:	systemd-units >= 38
 Requires:	util-linux
+%{?with_ldap:Suggests:	%{name}-server-ldap}
 Suggests:	/bin/login
+Suggests:	xorg-app-xauth
 Provides:	ssh-server
 Provides:	user(sshd)
+%requires_eq_to	openssl	openssl-devel
 
 %description server
 Ssh (Secure Shell) a program for logging into a remote machine and for
@@ -412,6 +425,7 @@ Summary:	A LDAP support for open source SSH server daemon
 Summary(pl.UTF-8):	Wsparcie LDAP dla serwera OpenSSH
 Group:		Daemons
 Requires:	%{name} = %{epoch}:%{version}-%{release}
+Requires:	openldap-nss-config
 
 %description server-ldap
 OpenSSH LDAP backend is a way how to distribute the authorized tokens
@@ -501,6 +515,9 @@ Summary(pl.UTF-8):	Schemat klucza publicznego LDAP dla OpenSSH
 Group:		Networking/Daemons
 Requires(post,postun):	sed >= 4.0
 Requires:	openldap-servers
+%if "%{_rpmversion}" >= "5"
+BuildArch:	noarch
+%endif
 
 %description -n openldap-schema-openssh-lpk
 This package contains OpenSSH LDAP Public Key schema for openldap.
@@ -511,33 +528,26 @@ openldap-a.
 
 %prep
 %setup -q
-%{?with_kerberos5:%patch100 -p1}
 %patch0 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch8 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+
 %{?with_hpn:%patch9 -p1}
 %patch10 -p1
 %patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
 
-cp -p %{SOURCE3} sshd.pam
-install -p %{SOURCE2} sshd.init
+%patch14 -p1
+%{!?with_ldap:%patch15 -p1}
+%patch16 -p1
 
 %if "%{pld_release}" == "ac"
 # fix for missing x11.pc
-%{__sed} -i -e '/pkg-config/s/ x11//' contrib/Makefile
-# not present in ac, no point searching it
-%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam
-
-# openssl on ac does not have OPENSSL_HAS_ECC
-%{__sed} -i -e '/ecdsa/d' sshd.init
+%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
 %endif
 
 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
@@ -551,7 +561,7 @@ cp /usr/share/automake/config.sub .
 %{__aclocal}
 %{__autoconf}
 %{__autoheader}
-CPPFLAGS="-DCHROOT"
+CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
 %configure \
 	PERL=%{__perl} \
 	--disable-strip \
@@ -566,11 +576,12 @@ CPPFLAGS="-DCHROOT"
 	--with-mantype=man \
 	--with-md5-passwords \
 	--with-pam \
-	--with-authorized-keys-command \
 	--with-pid-dir=%{_localstatedir}/run \
 	--with-privsep-path=%{_privsepdir} \
+%if "%{pld_release}" != "ac"
+	--with-sandbox=libseccomp_filter \
+%endif
 	%{?with_selinux:--with-selinux} \
-	--with-tcp-wrappers \
 %if "%{pld_release}" == "ac"
 	--with-xauth=/usr/X11R6/bin/xauth
 %else
@@ -581,6 +592,8 @@ echo '#define LOGIN_PROGRAM		   "/bin/login"' >>config.h
 
 %{__make}
 
+%{?with_tests:%{__make} tests}
+
 cd contrib
 %if %{with gnome}
 %{__make} gnome-ssh-askpass1 \
@@ -594,7 +607,7 @@ cd contrib
 %install
 rm -rf $RPM_BUILD_ROOT
 install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \
-	$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}}
+	$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}}
 install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
 
 %{__make} install \
@@ -602,15 +615,22 @@ install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
 
 bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}
 
-install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
 cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
-ln -sf	/etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
+ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
 cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
 cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
 cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf
 
+cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
+install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+
+%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+	$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
+	$RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+
 %if %{with gnome}
 install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
 %endif
@@ -639,8 +659,20 @@ cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
 #SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
 EOF
 
+%if "%{pld_release}" == "ac"
+# not present in ac, no point searching it
+%{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
+# openssl on ac does not have OPENSSL_HAS_ECC
+%{__sed} -i -e '/ecdsa/d' $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+%endif
+
+%if %{without audit}
+# remove recording user's login uid to the process attribute
+%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+
 %{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
-%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf
+%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -663,23 +695,27 @@ rm -rf $RPM_BUILD_ROOT
 %post server
 /sbin/chkconfig --add sshd
 %service sshd reload "OpenSSH Daemon"
-if ! grep -qs ssh /etc/security/passwd.conf ; then
-	umask 022
-	echo "ssh" >> /etc/security/passwd.conf
-fi
+NORESTART=1
+%systemd_post sshd.service
 
 %preun server
 if [ "$1" = "0" ]; then
 	%service sshd stop
 	/sbin/chkconfig --del sshd
 fi
+%systemd_preun sshd.service
 
 %postun server
 if [ "$1" = "0" ]; then
 	%userremove sshd
 fi
+%systemd_reload
 
-%triggerpostun server -- %{name}-server < 2:5.9p1-1
+%triggerpostun server -- %{name}-server < 6.2p1-1
+cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
+sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
+
+%triggerpostun server -- %{name}-server < 2:5.9p1-8
 # lpk.patch to ldap.patch
 if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
 	echo >&2 "Migrating LPK patch to LDAP patch"
@@ -687,12 +723,26 @@ if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
 	%{__sed} -i -e '
 		# disable old configs
 		# just UseLPK/LkpLdapConf supported for now
-		s/^UseLPK/## Obsolete &/
-		s/^Lpk/## Obsolete &/
+		s/^\s*UseLPK/## Obsolete &/
+		s/^\s*Lpk/## Obsolete &/
 		# Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys
 		/UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper
 	' %{_sysconfdir}/sshd_config
-	%service -q sshd reload
+	if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then
+		/bin/systemctl try-restart sshd.service || :
+	else
+		%service -q sshd reload
+	fi
+fi
+%systemd_trigger sshd.service
+if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then
+%banner %{name}-server -e << EOF
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!
+! Native systemd support for sshd has been installed.   !
+! Restarting sshd.service with systemctl WILL kill all  !
+! active ssh sessions (daemon as such will be started). !
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+EOF
 fi
 
 %post server-upstart
@@ -715,9 +765,9 @@ fi
 %defattr(644,root,root,755)
 %doc TODO README OVERVIEW CREDITS Change*
 %attr(755,root,root) %{_bindir}/ssh-key*
-%attr(755,root,root) %{_bindir}/ssh-vulnkey*
+#%attr(755,root,root) %{_bindir}/ssh-vulnkey*
 %{_mandir}/man1/ssh-key*.1*
-%{_mandir}/man1/ssh-vulnkey*.1*
+#%{_mandir}/man1/ssh-vulnkey*.1*
 %dir %{_sysconfdir}
 %dir %{_libexecdir}
 
@@ -764,6 +814,7 @@ fi
 %attr(755,root,root) %{_libexecdir}/sftp-server
 %attr(755,root,root) %{_libexecdir}/ssh-keysign
 %attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper
+%attr(755,root,root) %{_libexecdir}/sshd-keygen
 %{_mandir}/man8/sshd.8*
 %{_mandir}/man8/sftp-server.8*
 %{_mandir}/man8/ssh-keysign.8*
@@ -776,6 +827,9 @@ fi
 %attr(754,root,root) /etc/rc.d/init.d/sshd
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd
+%{systemdunitdir}/sshd.service
+%{systemdunitdir}/sshd.socket
+%{systemdunitdir}/sshd@.service
 
 %if %{with ldap}
 %files server-ldap