#
# Conditional build:
%bcond_without audit # sshd audit support
-%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility
-%bcond_without gtk # without GTK+ (2.x)
-%bcond_without ldap # with ldap support
-%bcond_without libedit # without libedit (editline/history support in sftp client)
-%bcond_without kerberos5 # without kerberos5 support
-%bcond_without selinux # build without SELinux support
+%bcond_with gnome # gnome-askpass (GNOME 1.x) utility
+%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility
+%bcond_without ldap # LDAP support
+%bcond_with ldns # DNSSEC support via libldns
+%bcond_without libedit # libedit (editline/history support in sftp client)
+%bcond_without kerberos5 # Kerberos5 support
+%bcond_without selinux # SELinux support
%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel)
%bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
-%bcond_without tests
+%bcond_without tests # test suite
+%bcond_with tests_conch # run conch interoperability tests
# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
-%define sandbox %{?with_libseccomp:lib}seccomp_filter
-
-%ifarch x32
-%{!?with_libseccomp:%error openssh seccomp implementation is broken! do not disable libseccomp on x32}
-%endif
-
%if "%{pld_release}" == "ac"
%define pam_ver 0.79.0
%else
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 6.8p1
-Release: 8
+Version: 8.1p1
+Release: 4
Epoch: 2
License: BSD
Group: Applications/Networking
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 08f72de6751acfbd0892b5f003922701
+Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
+# Source0-md5: 513694343631a99841e815306806edf0
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
Source10: sshd-keygen
Source11: sshd.socket
Source12: sshd@.service
-Patch0: %{name}-no_libnsl.patch
+Patch0: %{name}-no-pty-tests.patch
+Patch1: %{name}-tests-reuseport.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
Patch9: %{name}-5.2p1-hpn13v6.diff
Patch10: %{name}-include.patch
Patch11: %{name}-chroot.patch
-
+Patch12: openssh-bug-2905.patch
+Patch13: %{name}-skip-interop-tests.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
-Patch16: libseccomp-sandbox.patch
+Patch16: ossh-bug-3093.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
%{?with_audit:BuildRequires: audit-libs-devel}
%{?with_gnome:BuildRequires: gnome-libs-devel}
%{?with_gtk:BuildRequires: gtk+2-devel}
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
+%{?with_ldns:BuildRequires: ldns-devel}
%{?with_libedit:BuildRequires: libedit-devel}
BuildRequires: libseccomp-devel
%{?with_selinux:BuildRequires: libselinux-devel}
%{?with_ldap:BuildRequires: openldap-devel}
-BuildRequires: openssl-devel >= 0.9.8f
+BuildRequires: openssl-devel >= 1.1.0g
BuildRequires: pam-devel
%{?with_gtk:BuildRequires: pkgconfig}
+%if %{with tests} && %{with tests_conch}
+BuildRequires: python-TwistedConch
+%endif
BuildRequires: rpm >= 4.4.9-56
BuildRequires: rpmbuild(macros) >= 1.627
BuildRequires: sed >= 4.0
Requires: pam >= %{pam_ver}
Suggests: xorg-app-xauth
%endif
-%{?with_libseccomp:Requires: uname(release) >= 3.5}
Obsoletes: ssh
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
Requires: pam >= %{pam_ver}
Requires: rc-scripts >= 0.4.3.0
Requires: systemd-units >= 38
+%{?with_libseccomp:Requires: uname(release) >= 3.5}
Requires: util-linux
%{?with_ldap:Suggests: %{name}-server-ldap}
Suggests: /bin/login
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%{?with_hpn:%patch9 -p1}
%patch10 -p1
%patch11 -p1
+%patch12 -p1
+%patch13 -p1
%patch14 -p1
%{!?with_ldap:%patch15 -p1}
-%{?with_libseccomp:%patch16 -p1}
%if "%{pld_release}" == "ac"
# fix for missing x11.pc
%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
%endif
+%patch16 -p1
+
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
-sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
# prevent being ovewritten by aclocal calls
-mv aclocal.m4 acinclude.m4
+%{__mv} aclocal.m4 acinclude.m4
%build
cp /usr/share/automake/config.sub .
--with-ipaddr-display \
%{?with_kerberos5:--with-kerberos5=/usr} \
--with-ldap%{!?with_ldap:=no} \
+ %{?with_ldns:--with-ldns} \
%{?with_libedit:--with-libedit} \
--with-mantype=man \
--with-md5-passwords \
%if "%{pld_release}" == "ac"
--with-xauth=/usr/X11R6/bin/xauth
%else
- --with-sandbox=%{sandbox} \
+ --with-sandbox=seccomp_filter \
--with-xauth=%{_bindir}/xauth
%endif
%{__make}
-%{?with_tests:%{__make} -j1 tests}
+%if %{with tests}
+%{__make} -j1 tests \
+ TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
+ TEST_SSH_TRACE="yes" \
+%if %{without tests_conch}
+ SKIP_LTESTS="conch-ciphers"
+%endif
+%endif
cd contrib
%if %{with gnome}
cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-%{__sed} -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
+%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
$RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
+ $RPM_BUILD_ROOT%{systemdunitdir}/sshd@.service \
$RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
%if %{with gnome}
install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-echo ".so ssh.1" > $RPM_BUILD_ROOT%{_mandir}/man1/slogin.1
-
touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd
cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
fi
%systemd_reload
+%triggerpostun server -- %{name}-server < 2:7.0p1-2
+%banner %{name}-server -e << EOF
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!
+! Starting from openssh 7.0 DSA keys are disabled !
+! on server and client side. You will NOT be able !
+! to use DSA keys for authentication. Please read !
+! about PubkeyAcceptedKeyTypes in man ssh_config. !
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+EOF
+
%triggerpostun server -- %{name}-server < 6.2p1-1
cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
%files clients
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/ssh
-%attr(755,root,root) %{_bindir}/slogin
%attr(755,root,root) %{_bindir}/sftp
%attr(755,root,root) %{_bindir}/ssh-agent
%attr(755,root,root) %{_bindir}/ssh-add
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh.1*
-%{_mandir}/man1/slogin.1*
%{_mandir}/man1/sftp.1*
%{_mandir}/man1/ssh-agent.1*
%{_mandir}/man1/ssh-add.1*
%{_mandir}/man5/moduli.5*
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
-%attr(640,root,root) %{_sysconfdir}/moduli
+%{_sysconfdir}/moduli
%attr(754,root,root) /etc/rc.d/init.d/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd