openssh/openssh.spec

511 lines
19 KiB
RPMSpec
Raw Normal View History

#
# spec file for package openssh
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Accepting request 960041 from home:hpjansson:openssh-tw - Version update to 8.9p1: = Security * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. = Potentially-incompatible changes * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. = New features * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead of indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. = Bugfixes * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files = Portability * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable. - Rebased patches: * openssh-7.7p1-ldap.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.4p1-vendordir.patch * openssh-reenable-dh-group14-sha1-default.patch OBS-URL: https://build.opensuse.org/request/show/960041 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=237
2022-03-08 08:49:22 +01:00
Version: 8.9p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
Source5: ssh.reg
Source6: ssh-askpass
Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9: openssh-7.7p1-pts_names_formatting.patch
Patch10: openssh-7.7p1-pam_check_locks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
Accepting request 737034 from home:hpjansson:branches:network Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. - Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. OBS-URL: https://build.opensuse.org/request/show/737034 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 15:32:50 +02:00
Patch23: openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Accepting request 737034 from home:hpjansson:branches:network Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. - Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. OBS-URL: https://build.opensuse.org/request/show/737034 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 15:32:50 +02:00
Patch24: openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
Patch28: openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
Patch39: openssh-8.1p1-use-openssl-kdf.patch
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch
Patch43: openssh-reenable-dh-group14-sha1-default.patch
Patch45: openssh-8.4p1-ssh_config_d.patch
Patch46: openssh-whitelist-syscalls.patch
Patch47: openssh-8.4p1-vendordir.patch
Patch48: openssh-8.4p1-pam_motd.patch
Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch
BuildRequires: audit-devel
Accepting request 863944 from home:dirkmueller:branches:network - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time OBS-URL: https://build.opensuse.org/request/show/863944 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 02:12:55 +01:00
BuildRequires: automake
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
Accepting request 811897 from home:hpjansson:openssh-8.3 - Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation OBS-URL: https://build.opensuse.org/request/show/811897 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
2020-06-06 08:49:00 +02:00
BuildRequires: pkgconfig(libfido2)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
Requires: %{name}-clients = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
%endif
Requires(pre): findutils
Requires(pre): grep
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This is a dummy package that pulls in both the client and server
components.
%package common
Summary: SSH (Secure Shell) common files
Group: Productivity/Networking/SSH
Conflicts: nonfreessh
Conflicts: %{name}-fips < %{version}-%{release}
Conflicts: %{name}-fips > %{version}-%{release}
%description common
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains common files for the Secure Shell server and
clients.
%package server
Summary: SSH (Secure Shell) server
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Recommends: audit
Requires(pre): findutils
Requires(pre): grep
Requires(post): %fillup_prereq
Requires(post): permissions
Provides: openssh:%{_sbindir}/sshd
%sysusers_requires
%description server
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains the Secure Shell daemon, which allows clients to
securely connect to your server.
%package server-config-rootlogin
Summary: Config to permit root logins to sshd
Group: Productivity/Networking/SSH
Requires: %{name}-server = %{version}-%{release}
%description server-config-rootlogin
The openssh-server package by default disallows password based
root logins. This package provides a config that does. It's useful
to temporarily have a password based login to be able to use
ssh-copy-id(1).
%package clients
Summary: SSH (Secure Shell) client applications
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Provides: openssh:%{_bindir}/ssh
%description clients
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains clients for making secure connections to Secure
Shell servers.
Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
2014-01-31 13:18:41 +01:00
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
2014-01-31 13:18:41 +01:00
%description helpers
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains helper applications for OpenSSH which retrieve
keys from various sources.
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
%package fips
Summary: OpenSSH FIPS crypto module HMACs
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Conflicts: %{name}-common < %{version}-%{release}
Conflicts: %{name}-common > %{version}-%{release}
Obsoletes: %{name}-hmac
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
%description fips
This package contains hashes that, together with the main openssh packages,
form the FIPS certifiable crypto module.
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
%package cavs
Summary: OpenSSH FIPS crypto module CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%description cavs
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of OpenSSH.
%prep
%setup -q
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%autopatch -p1
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
%build
autoreconf -fiv
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
--with-ssl-engine \
--with-pam \
--with-kerberos5=%{_prefix} \
--with-privsep-path=%{_localstatedir}/lib/empty \
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 15:54:10 +01:00
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
--with-libedit \
Accepting request 811897 from home:hpjansson:openssh-8.3 - Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation OBS-URL: https://build.opensuse.org/request/show/811897 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
2020-06-06 08:49:00 +02:00
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
%make_build
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
%install
%make_install
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
%else
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
%endif
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 15:54:10 +01:00
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s service %{buildroot}%{_sbindir}/rcsshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
# Move /etc to /usr/etc/ssh
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 15:54:10 +01:00
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# Install sysusers.d config for sshd user
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %%expand of
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
done
}}
%pre server -f sshd.pre
%if %{defined _distconfdir}
# Prepare for migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
%endif
%service_add_pre sshd.service
%post server
%{fillup_only -n ssh}
%service_add_post sshd.service
%preun server
%service_del_preun sshd.service
%postun server
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart sshd.service
else
Accepting request 222365 from home:pcerny:factory - Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 15:54:10 +01:00
%service_del_postun sshd.service
fi
%if %{defined _distconfdir}
%posttrans server
# Migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
%endif
%if %{defined _distconfdir}
%pre clients
# Prepare for migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
%endif
%if %{defined _distconfdir}
%posttrans clients
# Migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
%endif
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%files
# openssh is an empty package that depends on -clients and -server,
# resulting in a clean upgrade path from prior to the split even when
# recommends are disabled.
%files common
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen*
%files server
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/rcsshd
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
%if %{defined _distconfdir}
%attr(0644,root,root) %{_pam_vendordir}/sshd
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh
%if 0%{?suse_version} < 1550
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/sshd
%endif
%files server-config-rootlogin
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp*
%attr(0755,root,root) %{_bindir}/ssh-add*
%attr(0755,root,root) %{_bindir}/ssh-agent*
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
%attr(0444,root,root) %{_mandir}/man1/scp.1*
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
2014-01-31 13:18:41 +01:00
%files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
%files fips
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 23:53:01 +02:00
%changelog