openssh/openssh.spec

#
# spec file for package openssh
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
  %define _fillupdir /var/adm/fillup-templates
%endif

%if 0%{suse_version} >= 1100
%define has_fw_dir 1
%else
%define has_fw_dir 0
%endif

%if 0%{suse_version} >= 1110
%define has_libselinux 1
%else
%define has_libselinux 0
%endif

%if 0%{?suse_version} >= 1130
%define needs_all_dirs 1
%else
%define needs_all_dirs 0
%endif

%if 0%{?suse_version} >= 1140
%define needs_libedit 1
%else
%define needs_libedit 0
%endif

%if 0%{?suse_version} > 1220
%define uses_systemd 1
%else
%define uses_systemd 0
%endif

%define sandbox_seccomp 0
%ifnarch ppc
%if 0%{?suse_version} > 1220
%define sandbox_seccomp 1
%endif
%endif

%if 0%{?suse_version} >= 1500
%define use_tirpc 1
%endif

%define _fwdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir   %{_fwdir}/services
%define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%{!?_initddir:%global _initddir %{_initrddir}}

Name:           openssh
BuildRequires:  audit-devel
BuildRequires:  autoconf
BuildRequires:  groff
BuildRequires:  zlib-devel
BuildRequires:  pkgconfig(krb5)
%if %{needs_libedit}
BuildRequires:  libedit-devel
%endif
%if %{has_libselinux}
BuildRequires:  libselinux-devel
%endif
BuildRequires:  openldap2-devel
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
%if 0%{?use_tirpc}
BuildRequires:  libtirpc-devel
%endif
%if %{uses_systemd}
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  pkgconfig(systemd)
%{?systemd_requires}
%endif
PreReq:         pwdutils %{fillup_prereq} coreutils
%if ! %{uses_systemd}
PreReq:         %{insserv_prereq}
%endif
Version:        7.7p1
Release:        0
Summary:        Secure Shell Client and Server (Remote Login Program)
License:        BSD-2-Clause AND MIT
Group:          Productivity/Networking/SSH
Url:            http://www.openssh.com/
Source:         http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source42:       http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source1:        sshd.init
Source2:        sshd.pamd
Source3:        README.SUSE
Source4:        README.kerberos
Source5:        ssh.reg
Source6:        ssh-askpass
Source7:        sshd.fw
Source8:        sysconfig.ssh
Source9:        sshd-gen-keys-start
Source10:       sshd.service
Source11:       README.FIPS
Source12:       cavs_driver-ssh.pl
Source100:      openssh-%{version}-SUSE_patches.tar.gz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Conflicts:      nonfreessh
Recommends:     audit
Recommends:     xauth
Recommends:     %{name}-helpers = %{version}-%{release}
Conflicts:      %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release}
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"

%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.


%package helpers
Summary:        OpenSSH AuthorizedKeysCommand helpers
Group:          Productivity/Networking/SSH
Requires:       %{name} = %{version}-%{release}

%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.


%package fips
Summary:        OpenSSH FIPS cryptomodule HMACs
Group:          Productivity/Networking/SSH
Requires:       %{name} = %{version}-%{release}
Conflicts:      %{name} < %{version}-%{release} , %{name} > %{version}-%{release}
Obsoletes:      %{name}-hmac

%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.


%package cavs
Summary:        OpenSSH FIPS cryptomodule CAVS tests
Group:          Productivity/Networking/SSH
Requires:       %{name} = %{version}-%{release}

%description cavs
FIPS140 CAVS tests related parts of the OpenSSH package


%prep
%setup -q -b 100
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
# patch sources
PATCH_DIR="../SUSE_patches"
cat $PATCH_DIR/patch.series | while read p; do
%if %{suse_version} < 1330
    if echo "$p" | grep openssl_1.1.0.patch ; then
        printf ">> skipping '$p'"
        continue
    fi
%endif
    printf ">> applying '$p'\n"
    patch -p2 < "${PATCH_DIR}/$p"
done

# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
    $( grep -Rl @LIBEXECDIR@ \
        $( grep "^+++" $PATCH_DIR/openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
    )

%build
autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
    --prefix=%{_prefix} \
    --mandir=%{_mandir} \
    --infodir=%{_infodir} \
    --sysconfdir=%{_sysconfdir}/ssh \
    --libexecdir=%{_libexecdir}/ssh \
    --with-tcp-wrappers \
%if %{has_libselinux}
    --with-selinux \
%endif
%if %{uses_systemd}
    --with-pid-dir=/run \
    --with-systemd \
%endif
    --with-ssl-engine \
    --with-pam \
    --with-kerberos5=%{_prefix} \
    --with-privsep-path=/var/lib/empty \
%if %{sandbox_seccomp}
    --with-sandbox=seccomp_filter \
%else
    --with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
    --with-opensc \
%endif
    --disable-strip \
    --with-audit=linux \
    --with-ldap \
    --with-xauth=%{_bindir}/xauth \
%if %{needs_libedit}
    --with-libedit \
%endif
    --with-ssh1 \
    --target=%{_target_cpu}-suse-linux \

### configure end
make %{?_smp_mflags}

#make %{?_smp_mflags} -C converter

%install
make install DESTDIR=%{buildroot}
#make install DESTDIR=%{buildroot} -C converter

install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -d -m 755 %{buildroot}/var/lib/sshd
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -d -m 755 %{buildroot}%{_initddir}
%if %{uses_systemd}
install -m 0755 %{SOURCE1} .
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
%else
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
install -m 0644 %{SOURCE10} .
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
%endif
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config

%if %{has_fw_dir}
#install firewall definitions format is described here:
#%{_datadir}/SuSEfirewall2/services/TEMPLATE
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif

# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start

# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
        %{_bindir}/ssh \
        %{_sbindir}/sshd \
        %{_libexecdir}/ssh/sftp-server \
        ; do
    openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done

}}

%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
%if %{uses_systemd}
%service_add_pre sshd.service
%endif

%post
%if %{uses_systemd}
%{fillup_only -n ssh sshd}
%service_add_post sshd.service
%else
%{fillup_and_insserv -n ssh sshd}
%endif
%set_permissions /etc/ssh/sshd_config

%preun
%if %{uses_systemd}
%service_del_preun sshd.service
%else
%stop_on_removal sshd
%endif

%postun
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here is openssh-fips is not
# present
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%if %{uses_systemd}
%service_del_postun sshd.service
%else
%restart_on_update sshd
%{insserv_cleanup}
%endif

%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd

%verifyscript
%verify_permissions -e /etc/ssh/sshd_config

%files
%defattr(-,root,root)
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/cavs*
%dir %attr(755,root,root) /var/lib/sshd
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%if %{uses_systemd}
%doc sshd.init
%attr(0644,root,root) %config %{_unitdir}/sshd.service
%else
%attr(0755,root,root) %config %{_initddir}/sshd
%doc sshd.service
%endif
%attr(0755,root,root) %{_bindir}/*
%attr(0755,root,root) %{_sbindir}/*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%exclude %{_libexecdir}/ssh/ssh-ldap*
%attr(0755,root,root) %{_libexecdir}/ssh/*
%attr(0444,root,root) %doc %{_mandir}/man1/*
%attr(0444,root,root) %doc %{_mandir}/man5/*
%attr(0444,root,root) %doc %{_mandir}/man8/*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh
%if %{has_fw_dir}
%if %{needs_all_dirs}
%dir %{_fwdir}
%dir %{_fwdefdir}
%endif
%config %{_fwdefdir}/sshd
%endif

%files helpers
%defattr(-,root,root)
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema

%files fips
%defattr(-,root,root)
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}

%files cavs
%defattr(-,root,root)
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*

%changelog