+# TODO:
+# - add trigger to enable this:
+# * sshd(8): This release turns on pre-auth sandboxing sshd by default for
+# new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
+#
# Conditional build:
+%bcond_without audit # sshd audit support
%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility
%bcond_without gtk # without GTK+ (2.x)
%bcond_without ldap # with ldap support
%bcond_without kerberos5 # without kerberos5 support
%bcond_without selinux # build without SELinux support
%bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
+%bcond_without tests
# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
-#
+
+%if "%{pld_release}" == "ac"
+%define pam_ver 0.79.0
+%else
+%define pam_ver 1:1.1.5-5
+%endif
Summary: OpenSSH free Secure Shell (SSH) implementation
Summary(de.UTF-8): OpenSSH - freie Implementation der Secure Shell (SSH)
Summary(es.UTF-8): Implementación libre de SSH
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 5.2p1
-Release: 6
+Version: 6.6p1
+Release: 2
Epoch: 2
License: BSD
Group: Applications/Networking
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: ada79c7328a8551bdf55c95e631e7dad
+# Source0-md5: 3e9800e6bca1fbac0eea4d41baa7f239
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
Source5: ssh-agent.sh
Source6: ssh-agent.conf
Source7: %{name}-lpk.schema
+Source8: %{name}d.upstart
+Source9: sshd.service
+Source10: sshd-keygen
+Source11: sshd.socket
+Source12: sshd@.service
Patch0: %{name}-no_libnsl.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
-# http://code.google.com/p/openssh-lpk/
-Patch4: %{name}-lpk.patch
-Patch5: %{name}-config.patch
-Patch7: %{name}-selinux.patch
+# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
+Patch4: %{name}-ldap.patch
+Patch5: %{name}-ldap-fixes.patch
+Patch6: ldap.conf.patch
+Patch7: %{name}-config.patch
+Patch8: ldap-helper-sigpipe.patch
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
Patch10: %{name}-include.patch
Patch11: %{name}-chroot.patch
-Patch12: http://people.debian.org/~cjwatson/%{name}-blacklist.diff
-URL: http://www.openssh.com/
+Patch12: limits.h.patch
+
+Patch14: %{name}-bind.patch
+Patch15: %{name}-disable_ldap.patch
+URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
-BuildRequires: autoconf
+%{?with_tests:BuildRequires: %{name}-server}
+%{?with_audit:BuildRequires: audit-libs-devel}
+BuildRequires: autoconf >= 2.50
BuildRequires: automake
%{?with_gnome:BuildRequires: gnome-libs-devel}
%{?with_gtk:BuildRequires: gtk+2-devel}
-%{?with_kerberos5:BuildRequires: heimdal-devel}
+%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
%{?with_libedit:BuildRequires: libedit-devel}
%{?with_selinux:BuildRequires: libselinux-devel}
BuildRequires: libwrap-devel
-%{?with_ldap:BuildRequires: openldap-devel >= 2.4.6}
+%{?with_ldap:BuildRequires: openldap-devel}
BuildRequires: openssl-devel >= 0.9.7d
BuildRequires: pam-devel
%{?with_gtk:BuildRequires: pkgconfig}
-BuildRequires: rpmbuild(macros) >= 1.318
-BuildRequires: zlib-devel
+BuildRequires: rpm >= 4.4.9-56
+BuildRequires: rpmbuild(macros) >= 1.627
+BuildRequires: sed >= 4.0
+BuildRequires: zlib-devel >= 1.2.3
+Requires: zlib >= 1.2.3
+%if "%{pld_release}" == "ac"
+Requires: filesystem >= 2.0-1
+Requires: pam >= 0.79.0
+%else
Requires: filesystem >= 3.0-11
-Requires: pam >= 0.99.7.1
-Suggests: openssh-blacklist
+Requires: pam >= %{pam_ver}
Suggests: xorg-app-xauth
+%endif
Obsoletes: ssh
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
+
%if %{with hpn}
This release includes High Performance SSH/SCP patches from
-http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed
-to increase throughput on fast connections with high RTT (20-150 msec).
+http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed to
+increase throughput on fast connections with high RTT (20-150 msec).
See the website for '-w' values for your connection and /proc/sys TCP
values. BTW. in a LAN you have got generally RTT < 1 msec.
%endif
Ten pakiet zawiera podstawowe pliki potrzebne zarówno po stronie
klienta jak i serwera OpenSSH. Aby był użyteczny, trzeba zainstalować
co najmniej jeden z pakietów: openssh-clients lub openssh-server.
+
%if %{with hpn}
Ta wersja zawiera łaty z projektu High Performance SSH/SCP
http://www.psc.edu/networking/projects/hpn-ssh/, które mają na celu
-zwiększenie przepustowości transmisji dla szybkich połączeń
-z dużym RTT (20-150 msec). Na stronie projektu znaleźć można
-odpowednie dla danego połączenia wartości parametru '-w' oraz
-opcje /proc/sys dla TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec.
+zwiększenie przepustowości transmisji dla szybkich połączeń z dużym
+RTT (20-150 msec). Na stronie projektu znaleźć można odpowednie dla
+danego połączenia wartości parametru '-w' oraz opcje /proc/sys dla
+TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec.
%endif
%description -l pt.UTF-8
Requires: %{name}
Provides: ssh-clients
Obsoletes: ssh-clients
+%requires_eq_to openssl openssl-devel
%description clients
Ssh (Secure Shell) a program for logging into a remote machine and for
Summary(ru.UTF-8): OpenSSH - сервер протокола Secure Shell (sshd)
Summary(uk.UTF-8): OpenSSH - сервер протоколу Secure Shell (sshd)
Group: Networking/Daemons
-Requires(post): chkconfig >= 0.9
+Requires(post): /sbin/chkconfig
Requires(post): grep
Requires(post,preun): /sbin/chkconfig
Requires(postun): /usr/sbin/userdel
Requires(pre): /bin/id
Requires(pre): /usr/sbin/useradd
+Requires(post,preun,postun): systemd-units >= 38
Requires: %{name} = %{epoch}:%{version}-%{release}
-Requires: pam >= 0.99.7.1
-Requires: rc-scripts >= 0.4.1.23
+Requires: pam >= %{pam_ver}
+Requires: rc-scripts >= 0.4.3.0
+Requires: systemd-units >= 38
Requires: util-linux
+%{?with_ldap:Suggests: %{name}-server-ldap}
Suggests: /bin/login
+Suggests: xorg-app-xauth
Provides: ssh-server
Provides: user(sshd)
+%requires_eq_to openssl openssl-devel
%description server
Ssh (Secure Shell) a program for logging into a remote machine and for
частина протоколу Secure Shell, яка дозволяє клієнтам ssh зв'язуватись
з вашим хостом.
+%package server-ldap
+Summary: A LDAP support for open source SSH server daemon
+Summary(pl.UTF-8): Wsparcie LDAP dla serwera OpenSSH
+Group: Daemons
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: openldap-nss-config
+
+%description server-ldap
+OpenSSH LDAP backend is a way how to distribute the authorized tokens
+among the servers in the network.
+
+%description server-ldap -l pl.UTF-8
+Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych
+tokenów między serwerami w sieci.
+
+%package server-upstart
+Summary: Upstart job description for OpenSSH server
+Summary(pl.UTF-8): Opis zadania Upstart dla serwera OpenSSH
+Group: Daemons
+Requires: %{name}-server = %{epoch}:%{version}-%{release}
+Requires: upstart >= 0.6
+Conflicts: syslog-ng < 3.2.4-1
+
+%description server-upstart
+Upstart job description for OpenSSH.
+
+%description server-upstart -l pl.UTF-8
+Opis zadania Upstart dla OpenSSH.
+
%package gnome-askpass
Summary: OpenSSH GNOME passphrase dialog
Summary(de.UTF-8): OpenSSH GNOME Passwort-Dialog
Group: Networking/Daemons
Requires(post,postun): sed >= 4.0
Requires: openldap-servers
+%if "%{_rpmversion}" >= "5"
+BuildArch: noarch
+%endif
%description -n openldap-schema-openssh-lpk
This package contains OpenSSH LDAP Public Key schema for openldap.
%patch0 -p1
%patch2 -p1
%patch3 -p1
-%{?with_ldap:%patch4 -p1}
+%patch4 -p1
%patch5 -p1
+%patch6 -p1
%patch7 -p1
+%patch8 -p1
+
%{?with_hpn:%patch9 -p1}
%patch10 -p1
%patch11 -p1
%patch12 -p1
+%patch14 -p1
+%{!?with_ldap:%patch15 -p1}
+
+%if "%{pld_release}" == "ac"
+# fix for missing x11.pc
+%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
+%endif
+
+# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
+
+grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
+%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
+
%build
cp /usr/share/automake/config.sub .
%{__aclocal}
%{__autoconf}
+%{__autoheader}
CPPFLAGS="-DCHROOT"
%configure \
PERL=%{__perl} \
- --with-dns \
- --with-pam \
- --with-mantype=man \
- --with-md5-passwords \
- --with-ipaddr-display \
- %{?with_libedit:--with-libedit} \
+ --disable-strip \
+ --enable-utmpx \
+ --enable-wtmpx \
--with-4in6 \
- --disable-suid-ssh \
- --with-tcp-wrappers \
- %{?with_ldap:--with-libs="-lldap -llber"} \
- %{?with_ldap:--with-cppflags="-DWITH_LDAP_PUBKEY"} \
+ %{?with_audit:--with-audit=linux} \
+ --with-ipaddr-display \
%{?with_kerberos5:--with-kerberos5=/usr} \
- --with-privsep-path=%{_privsepdir} \
+ --with-ldap%{!?with_ldap:=no} \
+ %{?with_libedit:--with-libedit} \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pam \
--with-pid-dir=%{_localstatedir}/run \
- --with-xauth=/usr/bin/xauth \
- --enable-utmpx \
- --enable-wtmpx
+ --with-privsep-path=%{_privsepdir} \
+%if "%{pld_release}" != "ac"
+ --with-sandbox=seccomp_filter \
+%endif
+ %{?with_selinux:--with-selinux} \
+ --with-tcp-wrappers \
+%if "%{pld_release}" == "ac"
+ --with-xauth=/usr/X11R6/bin/xauth
+%else
+ --with-xauth=%{_bindir}/xauth
+%endif
echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h
%{__make}
+%{?with_tests:%{__make} tests}
+
cd contrib
%if %{with gnome}
%{__make} gnome-ssh-askpass1 \
%install
rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
- $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}}
+install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \
+ $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}}
install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
%{__make} install \
bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}
-install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-install %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
-install %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
-install %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
+cp -p %{SOURCE3} sshd.pam
+install -p %{SOURCE2} sshd.init
+
+%if "%{pld_release}" == "ac"
+# not present in ac, no point searching it
+%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam
+# openssl on ac does not have OPENSSL_HAS_ECC
+%{__sed} -i -e '/ecdsa/d' sshd.init
+%endif
+
+%if %{without audit}
+# remove recording user's login uid to the process attribute
+%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam
+%endif
+
+install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
+cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
-install %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
-install %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
+cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
+cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
+cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf
+
+%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' %{SOURCE9} >$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service
+cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
+
+cp -p %{SOURCE11} $RPM_BUILD_ROOT%{systemdunitdir}
+cp -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
%if %{with gnome}
-install contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
+install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
%endif
%if %{with gtk}
-install contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
+install -p contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
%endif
%if %{with gnome} || %{with gtk}
cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_SERVER
ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass
%endif
-install contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
-install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
+install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
+cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
-rm -f $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd
#SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
EOF
-rm -f $RPM_BUILD_ROOT%{_datadir}/Ssh.bin # ???
-rm -f $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
+%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}
%clean
rm -rf $RPM_BUILD_ROOT
%post server
/sbin/chkconfig --add sshd
-%service sshd reload "openssh daemon"
-if ! grep -qs ssh /etc/security/passwd.conf ; then
- umask 022
- echo "ssh" >> /etc/security/passwd.conf
-fi
+%service sshd reload "OpenSSH Daemon"
+NORESTART=1
+%systemd_post sshd.service
%preun server
if [ "$1" = "0" ]; then
%service sshd stop
/sbin/chkconfig --del sshd
fi
+%systemd_preun sshd.service
%postun server
if [ "$1" = "0" ]; then
%userremove sshd
fi
+%systemd_reload
+
+%triggerpostun server -- %{name}-server < 6.2p1-1
+cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
+sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
+
+%triggerpostun server -- %{name}-server < 2:5.9p1-8
+# lpk.patch to ldap.patch
+if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
+ echo >&2 "Migrating LPK patch to LDAP patch"
+ cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
+ %{__sed} -i -e '
+ # disable old configs
+ # just UseLPK/LkpLdapConf supported for now
+ s/^\s*UseLPK/## Obsolete &/
+ s/^\s*Lpk/## Obsolete &/
+ # Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys
+ /UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper
+ ' %{_sysconfdir}/sshd_config
+ if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then
+ /bin/systemctl try-restart sshd.service || :
+ else
+ %service -q sshd reload
+ fi
+fi
+%systemd_trigger sshd.service
+if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then
+%banner %{name}-server -e << EOF
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!
+! Native systemd support for sshd has been installed. !
+! Restarting sshd.service with systemctl WILL kill all !
+! active ssh sessions (daemon as such will be started). !
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+EOF
+fi
+
+%post server-upstart
+%upstart_post sshd
+
+%postun server-upstart
+%upstart_postun sshd
%post -n openldap-schema-openssh-lpk
%openldap_schema_register %{schemadir}/openssh-lpk.schema
%files
%defattr(644,root,root,755)
-%doc *.RNG TODO README OVERVIEW CREDITS Change*
+%doc TODO README OVERVIEW CREDITS Change*
%attr(755,root,root) %{_bindir}/ssh-key*
-%attr(755,root,root) %{_bindir}/ssh-vulnkey*
+#%attr(755,root,root) %{_bindir}/ssh-vulnkey*
%{_mandir}/man1/ssh-key*.1*
-%{_mandir}/man1/ssh-vulnkey*.1*
+#%{_mandir}/man1/ssh-vulnkey*.1*
%dir %{_sysconfdir}
%dir %{_libexecdir}
%attr(755,root,root) %{_sbindir}/sshd
%attr(755,root,root) %{_libexecdir}/sftp-server
%attr(755,root,root) %{_libexecdir}/ssh-keysign
+%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper
+%attr(755,root,root) %{_libexecdir}/sshd-keygen
%{_mandir}/man8/sshd.8*
%{_mandir}/man8/sftp-server.8*
%{_mandir}/man8/ssh-keysign.8*
+%{_mandir}/man8/ssh-pkcs11-helper.8*
%{_mandir}/man5/sshd_config.5*
%{_mandir}/man5/moduli.5*
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
%attr(754,root,root) /etc/rc.d/init.d/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd
+%{systemdunitdir}/sshd.service
+%{systemdunitdir}/sshd.socket
+%{systemdunitdir}/sshd@.service
+
+%if %{with ldap}
+%files server-ldap
+%defattr(644,root,root,755)
+%doc HOWTO.ldap-keys ldap.conf
+%attr(755,root,root) %{_libexecdir}/ssh-ldap-helper
+%attr(755,root,root) %{_libexecdir}/ssh-ldap-wrapper
+%{_mandir}/man5/ssh-ldap.conf.5*
+%{_mandir}/man8/ssh-ldap-helper.8*
+%endif
%if %{with gnome} || %{with gtk}
%files gnome-askpass
%defattr(644,root,root,755)
%{schemadir}/openssh-lpk.schema
%endif
+
+%if "%{pld_release}" != "ti"
+%files server-upstart
+%defattr(644,root,root,755)
+%config(noreplace) %verify(not md5 mtime size) /etc/init/sshd.conf
+%endif
projects / packages / openssh.git / blobdiff