X-Git-Url: http://git.pld-linux.org/gitweb.cgi?p=packages%2Fopenssh.git;a=blobdiff_plain;f=openssh.spec;h=d1357c9b17304c2e638041ceb4fa3fdf60916e49;hp=bb3ed93827eae3ae83df16379b2421a827feecc5;hb=621739ab2a22c5136a198a0a5e2dada6391f137f;hpb=08dfe3c4f2309fb822b599ed7e249fcc5829249d diff --git a/openssh.spec b/openssh.spec index bb3ed93..d1357c9 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,10 @@ +# TODO: +# - add trigger to enable this: +# * sshd(8): This release turns on pre-auth sandboxing sshd by default for +# new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. +# # Conditional build: +%bcond_without audit # sshd audit support %bcond_with gnome # with gnome-askpass (GNOME 1.x) utility %bcond_without gtk # without GTK+ (2.x) %bcond_without ldap # with ldap support @@ -6,10 +12,16 @@ %bcond_without kerberos5 # without kerberos5 support %bcond_without selinux # build without SELinux support %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) +%bcond_without tests # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} -# + +%if "%{pld_release}" == "ac" +%define pam_ver 0.79.0 +%else +%define pam_ver 1:1.1.5-5 +%endif Summary: OpenSSH free Secure Shell (SSH) implementation Summary(de.UTF-8): OpenSSH - freie Implementation der Secure Shell (SSH) Summary(es.UTF-8): Implementación libre de SSH @@ -21,13 +33,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 5.3p1 +Version: 6.6p1 Release: 2 Epoch: 2 License: BSD Group: Applications/Networking Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 13563dbf61f36ca9a1e4254260131041 +# Source0-md5: 3e9800e6bca1fbac0eea4d41baa7f239 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -36,22 +48,34 @@ Source4: %{name}.sysconfig Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema +Source8: %{name}d.upstart +Source9: sshd.service +Source10: sshd-keygen +Source11: sshd.socket +Source12: sshd@.service Patch0: %{name}-no_libnsl.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch -# http://code.google.com/p/openssh-lpk/ -Patch4: %{name}-lpk.patch -Patch5: %{name}-config.patch -Patch7: %{name}-selinux.patch +# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree +Patch4: %{name}-ldap.patch +Patch5: %{name}-ldap-fixes.patch +Patch6: ldap.conf.patch +Patch7: %{name}-config.patch +Patch8: ldap-helper-sigpipe.patch # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/ # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz Patch9: %{name}-5.2p1-hpn13v6.diff Patch10: %{name}-include.patch Patch11: %{name}-chroot.patch -Patch12: http://people.debian.org/~cjwatson/%{name}-blacklist.diff -URL: http://www.openssh.com/ +Patch12: limits.h.patch + +Patch14: %{name}-bind.patch +Patch15: %{name}-disable_ldap.patch +URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} -BuildRequires: autoconf +%{?with_tests:BuildRequires: %{name}-server} +%{?with_audit:BuildRequires: audit-libs-devel} +BuildRequires: autoconf >= 2.50 BuildRequires: automake %{?with_gnome:BuildRequires: gnome-libs-devel} %{?with_gtk:BuildRequires: gtk+2-devel} @@ -63,12 +87,19 @@ BuildRequires: libwrap-devel BuildRequires: openssl-devel >= 0.9.7d BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} -BuildRequires: rpmbuild(macros) >= 1.318 -BuildRequires: zlib-devel +BuildRequires: rpm >= 4.4.9-56 +BuildRequires: rpmbuild(macros) >= 1.627 +BuildRequires: sed >= 4.0 +BuildRequires: zlib-devel >= 1.2.3 +Requires: zlib >= 1.2.3 +%if "%{pld_release}" == "ac" +Requires: filesystem >= 2.0-1 +Requires: pam >= 0.79.0 +%else Requires: filesystem >= 3.0-11 -Requires: pam >= 0.99.7.1 -Suggests: openssh-blacklist +Requires: pam >= %{pam_ver} Suggests: xorg-app-xauth +%endif Obsoletes: ssh BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) @@ -91,10 +122,11 @@ all patented algorithms to seperate libraries (OpenSSL). This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. + %if %{with hpn} This release includes High Performance SSH/SCP patches from -http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed -to increase throughput on fast connections with high RTT (20-150 msec). +http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed to +increase throughput on fast connections with high RTT (20-150 msec). See the website for '-w' values for your connection and /proc/sys TCP values. BTW. in a LAN you have got generally RTT < 1 msec. %endif @@ -146,13 +178,14 @@ pomiędzy dwoma hostami. Ten pakiet zawiera podstawowe pliki potrzebne zarówno po stronie klienta jak i serwera OpenSSH. Aby był użyteczny, trzeba zainstalować co najmniej jeden z pakietów: openssh-clients lub openssh-server. + %if %{with hpn} Ta wersja zawiera łaty z projektu High Performance SSH/SCP http://www.psc.edu/networking/projects/hpn-ssh/, które mają na celu -zwiększenie przepustowości transmisji dla szybkich połączeń -z dużym RTT (20-150 msec). Na stronie projektu znaleźć można -odpowednie dla danego połączenia wartości parametru '-w' oraz -opcje /proc/sys dla TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec. +zwiększenie przepustowości transmisji dla szybkich połączeń z dużym +RTT (20-150 msec). Na stronie projektu znaleźć można odpowednie dla +danego połączenia wartości parametru '-w' oraz opcje /proc/sys dla +TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec. %endif %description -l pt.UTF-8 @@ -221,6 +254,7 @@ Group: Applications/Networking Requires: %{name} Provides: ssh-clients Obsoletes: ssh-clients +%requires_eq_to openssl openssl-devel %description clients Ssh (Secure Shell) a program for logging into a remote machine and for @@ -303,19 +337,24 @@ Summary(pt_BR.UTF-8): Servidor OpenSSH para comunicações encriptadas Summary(ru.UTF-8): OpenSSH - сервер протокола Secure Shell (sshd) Summary(uk.UTF-8): OpenSSH - сервер протоколу Secure Shell (sshd) Group: Networking/Daemons -Requires(post): chkconfig >= 0.9 +Requires(post): /sbin/chkconfig Requires(post): grep Requires(post,preun): /sbin/chkconfig Requires(postun): /usr/sbin/userdel Requires(pre): /bin/id Requires(pre): /usr/sbin/useradd +Requires(post,preun,postun): systemd-units >= 38 Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: pam >= 0.99.7.1 -Requires: rc-scripts >= 0.4.1.23 +Requires: pam >= %{pam_ver} +Requires: rc-scripts >= 0.4.3.0 +Requires: systemd-units >= 38 Requires: util-linux +%{?with_ldap:Suggests: %{name}-server-ldap} Suggests: /bin/login +Suggests: xorg-app-xauth Provides: ssh-server Provides: user(sshd) +%requires_eq_to openssl openssl-devel %description server Ssh (Secure Shell) a program for logging into a remote machine and for @@ -379,6 +418,35 @@ Ssh (Secure Shell) - це програма для "заходу" (login) до в частина протоколу Secure Shell, яка дозволяє клієнтам ssh зв'язуватись з вашим хостом. +%package server-ldap +Summary: A LDAP support for open source SSH server daemon +Summary(pl.UTF-8): Wsparcie LDAP dla serwera OpenSSH +Group: Daemons +Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: openldap-nss-config + +%description server-ldap +OpenSSH LDAP backend is a way how to distribute the authorized tokens +among the servers in the network. + +%description server-ldap -l pl.UTF-8 +Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych +tokenów między serwerami w sieci. + +%package server-upstart +Summary: Upstart job description for OpenSSH server +Summary(pl.UTF-8): Opis zadania Upstart dla serwera OpenSSH +Group: Daemons +Requires: %{name}-server = %{epoch}:%{version}-%{release} +Requires: upstart >= 0.6 +Conflicts: syslog-ng < 3.2.4-1 + +%description server-upstart +Upstart job description for OpenSSH. + +%description server-upstart -l pl.UTF-8 +Opis zadania Upstart dla OpenSSH. + %package gnome-askpass Summary: OpenSSH GNOME passphrase dialog Summary(de.UTF-8): OpenSSH GNOME Passwort-Dialog @@ -445,6 +513,9 @@ Summary(pl.UTF-8): Schemat klucza publicznego LDAP dla OpenSSH Group: Networking/Daemons Requires(post,postun): sed >= 4.0 Requires: openldap-servers +%if "%{_rpmversion}" >= "5" +BuildArch: noarch +%endif %description -n openldap-schema-openssh-lpk This package contains OpenSSH LDAP Public Key schema for openldap. @@ -458,43 +529,70 @@ openldap-a. %patch0 -p1 %patch2 -p1 %patch3 -p1 -%{?with_ldap:%patch4 -p1} +%patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch7 -p1 +%patch8 -p1 + %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch14 -p1 +%{!?with_ldap:%patch15 -p1} + +%if "%{pld_release}" == "ac" +# fix for missing x11.pc +%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile +%endif + +# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa +sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* + +grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ +%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' + %build cp /usr/share/automake/config.sub . %{__aclocal} %{__autoconf} +%{__autoheader} CPPFLAGS="-DCHROOT" %configure \ PERL=%{__perl} \ - --with-dns \ - --with-pam \ - --with-mantype=man \ - --with-md5-passwords \ - --with-ipaddr-display \ - %{?with_libedit:--with-libedit} \ + --disable-strip \ + --enable-utmpx \ + --enable-wtmpx \ --with-4in6 \ - --disable-suid-ssh \ - --with-tcp-wrappers \ - %{?with_ldap:--with-libs="-lldap -llber"} \ - %{?with_ldap:--with-cppflags="-DWITH_LDAP_PUBKEY"} \ + %{?with_audit:--with-audit=linux} \ + --with-ipaddr-display \ %{?with_kerberos5:--with-kerberos5=/usr} \ - --with-privsep-path=%{_privsepdir} \ + --with-ldap%{!?with_ldap:=no} \ + %{?with_libedit:--with-libedit} \ + --with-mantype=man \ + --with-md5-passwords \ + --with-pam \ --with-pid-dir=%{_localstatedir}/run \ - --with-xauth=/usr/bin/xauth \ - --enable-utmpx \ - --enable-wtmpx + --with-privsep-path=%{_privsepdir} \ +%if "%{pld_release}" != "ac" + --with-sandbox=seccomp_filter \ +%endif + %{?with_selinux:--with-selinux} \ + --with-tcp-wrappers \ +%if "%{pld_release}" == "ac" + --with-xauth=/usr/X11R6/bin/xauth +%else + --with-xauth=%{_bindir}/xauth +%endif echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h %{__make} +%{?with_tests:%{__make} tests} + cd contrib %if %{with gnome} %{__make} gnome-ssh-askpass1 \ @@ -507,8 +605,8 @@ cd contrib %install rm -rf $RPM_BUILD_ROOT -install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \ - $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}} +install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{init,pam.d,rc.d/init.d,sysconfig,security,env.d}} \ + $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}} install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} %{__make} install \ @@ -516,19 +614,41 @@ install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir} -install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -install %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd -install %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd -install %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d +cp -p %{SOURCE3} sshd.pam +install -p %{SOURCE2} sshd.init + +%if "%{pld_release}" == "ac" +# not present in ac, no point searching it +%{__sed} -i -e '/pam_keyinit.so/d' sshd.pam +# openssl on ac does not have OPENSSL_HAS_ECC +%{__sed} -i -e '/ecdsa/d' sshd.init +%endif + +%if %{without audit} +# remove recording user's login uid to the process attribute +%{__sed} -i -e '/pam_loginuid.so/d' sshd.pam +%endif + +install -p sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +cp -p sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd +cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh -install %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} -install %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} +cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} +cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} +cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/init/sshd.conf + +%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' %{SOURCE9} >$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service +cp -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen + +cp -p %{SOURCE11} $RPM_BUILD_ROOT%{systemdunitdir} +cp -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir} %if %{with gnome} -install contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass +install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass %endif %if %{with gtk} -install contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass +install -p contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass %endif %if %{with gnome} || %{with gtk} cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_SERVER @@ -540,10 +660,10 @@ EOF ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass %endif -install contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} -install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 +install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir} +cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1 -rm -f $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 +%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1 touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd @@ -552,8 +672,8 @@ cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS #SSH_ASKPASS="%{_libexecdir}/ssh-askpass" EOF -rm -f $RPM_BUILD_ROOT%{_datadir}/Ssh.bin # ??? -rm -f $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages +%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages +%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf} %clean rm -rf $RPM_BUILD_ROOT @@ -575,22 +695,62 @@ rm -rf $RPM_BUILD_ROOT %post server /sbin/chkconfig --add sshd -%service sshd reload "openssh daemon" -if ! grep -qs ssh /etc/security/passwd.conf ; then - umask 022 - echo "ssh" >> /etc/security/passwd.conf -fi +%service sshd reload "OpenSSH Daemon" +NORESTART=1 +%systemd_post sshd.service %preun server if [ "$1" = "0" ]; then %service sshd stop /sbin/chkconfig --del sshd fi +%systemd_preun sshd.service %postun server if [ "$1" = "0" ]; then %userremove sshd fi +%systemd_reload + +%triggerpostun server -- %{name}-server < 6.2p1-1 +cp -f %{_sysconfdir}/sshd_config{,.rpmorig} +sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config + +%triggerpostun server -- %{name}-server < 2:5.9p1-8 +# lpk.patch to ldap.patch +if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then + echo >&2 "Migrating LPK patch to LDAP patch" + cp -f %{_sysconfdir}/sshd_config{,.rpmorig} + %{__sed} -i -e ' + # disable old configs + # just UseLPK/LkpLdapConf supported for now + s/^\s*UseLPK/## Obsolete &/ + s/^\s*Lpk/## Obsolete &/ + # Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys + /UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper + ' %{_sysconfdir}/sshd_config + if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then + /bin/systemctl try-restart sshd.service || : + else + %service -q sshd reload + fi +fi +%systemd_trigger sshd.service +if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then +%banner %{name}-server -e << EOF +!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!! +! Native systemd support for sshd has been installed. ! +! Restarting sshd.service with systemctl WILL kill all ! +! active ssh sessions (daemon as such will be started). ! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +EOF +fi + +%post server-upstart +%upstart_post sshd + +%postun server-upstart +%upstart_postun sshd %post -n openldap-schema-openssh-lpk %openldap_schema_register %{schemadir}/openssh-lpk.schema @@ -604,11 +764,11 @@ fi %files %defattr(644,root,root,755) -%doc *.RNG TODO README OVERVIEW CREDITS Change* +%doc TODO README OVERVIEW CREDITS Change* %attr(755,root,root) %{_bindir}/ssh-key* -%attr(755,root,root) %{_bindir}/ssh-vulnkey* +#%attr(755,root,root) %{_bindir}/ssh-vulnkey* %{_mandir}/man1/ssh-key*.1* -%{_mandir}/man1/ssh-vulnkey*.1* +#%{_mandir}/man1/ssh-vulnkey*.1* %dir %{_sysconfdir} %dir %{_libexecdir} @@ -654,9 +814,12 @@ fi %attr(755,root,root) %{_sbindir}/sshd %attr(755,root,root) %{_libexecdir}/sftp-server %attr(755,root,root) %{_libexecdir}/ssh-keysign +%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper +%attr(755,root,root) %{_libexecdir}/sshd-keygen %{_mandir}/man8/sshd.8* %{_mandir}/man8/sftp-server.8* %{_mandir}/man8/ssh-keysign.8* +%{_mandir}/man8/ssh-pkcs11-helper.8* %{_mandir}/man5/sshd_config.5* %{_mandir}/man5/moduli.5* %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config @@ -665,6 +828,19 @@ fi %attr(754,root,root) /etc/rc.d/init.d/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd +%{systemdunitdir}/sshd.service +%{systemdunitdir}/sshd.socket +%{systemdunitdir}/sshd@.service + +%if %{with ldap} +%files server-ldap +%defattr(644,root,root,755) +%doc HOWTO.ldap-keys ldap.conf +%attr(755,root,root) %{_libexecdir}/ssh-ldap-helper +%attr(755,root,root) %{_libexecdir}/ssh-ldap-wrapper +%{_mandir}/man5/ssh-ldap.conf.5* +%{_mandir}/man8/ssh-ldap-helper.8* +%endif %if %{with gnome} || %{with gtk} %files gnome-askpass @@ -680,3 +856,9 @@ fi %defattr(644,root,root,755) %{schemadir}/openssh-lpk.schema %endif + +%if "%{pld_release}" != "ti" +%files server-upstart +%defattr(644,root,root,755) +%config(noreplace) %verify(not md5 mtime size) /etc/init/sshd.conf +%endif