From c5fddd41159a5d1392448478b2ec8aebc6a4a846f92efd5eccc2a6a261bb03ef Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 14 Sep 2020 10:47:29 +0000 Subject: [PATCH 1/3] Accepting request 833579 from home:hpjansson:sle-14821 - Split openssh package into openssh, openssh-server and openssh-clients. This allows for the ssh clients to be installed without the server component (bsc#1176434). - Supplement openssh-clients instead of openssh (bsc#1176434). OBS-URL: https://build.opensuse.org/request/show/833579 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=213 --- openssh-askpass-gnome.changes | 5 ++ openssh-askpass-gnome.spec | 2 +- openssh.changes | 7 +++ openssh.spec | 93 ++++++++++++++++++++++++++--------- 4 files changed, 83 insertions(+), 24 deletions(-) diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 77a3ebe..d986388 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson + +- Supplement openssh-clients instead of openssh (bsc#1176434). + ------------------------------------------------------------------- Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 92dfc7e..526b21f 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -27,7 +27,7 @@ URL: http://www.openssh.com/ Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Requires: %{_name} = %{version} -Supplements: packageand(openssh:libgtk-3-0) +Supplements: packageand(openssh-clients:libgtk-3-0) %if 0%{?suse_version} >= 1550 BuildRequires: gtk3-devel %else diff --git a/openssh.changes b/openssh.changes index 6f11825..69d90f0 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 10 21:38:30 UTC 2020 - Hans Petter Jansson + +- Split openssh package into openssh, openssh-server and + openssh-clients. This allows for the ssh clients to be installed + without the server component (bsc#1176434). + ------------------------------------------------------------------- Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 00b915f..3d6810b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -115,6 +115,9 @@ BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libsystemd) Requires(post): %fillup_prereq Requires(pre): shadow +PreReq: permissions +Recommends: %{name}-server = %{version}-%{release} +Recommends: %{name}-clients = %{version}-%{release} Recommends: %{name}-helpers = %{version}-%{release} Recommends: audit Conflicts: %{name}-fips < %{version}-%{release} @@ -139,6 +142,24 @@ hosts over an insecure network. xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. +%package server +Summary: SSH (Secure Shell) server +Group: Productivity/Networking/SSH +Requires: openssh = %{version}-%{release} + +%description server +The SSH (Secure Shell) daemon allows clients to securely connect to your +server. + +%package clients +Summary: SSH (Secure Shell) client applications +Group: Productivity/Networking/SSH +Requires: openssh = %{version}-%{release} + +%description clients +This package contains clients for making secure connections to SSH (Secure +Shell) servers. + %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH 
@@ -264,20 +285,23 @@ done }} -%pre +%pre server getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd %service_add_pre sshd.service -%post -%{fillup_only -n ssh sshd} +%post server +%{fillup_only -n sshd} %service_add_post sshd.service %set_permissions %{_sysconfdir}/ssh/sshd_config -%preun +%post clients +%{fillup_only -n ssh} + +%preun server %service_del_preun sshd.service -%postun +%postun server # The openssh-fips trigger script for openssh will normally restart sshd once # it gets installed, so only restart the service here is openssh-fips is not # present 
@@ -287,33 +311,30 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd -%verifyscript +%verifyscript server %verify_permissions -e %{_sysconfdir}/ssh/sshd_config %files -%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX} -%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX} -%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} -%exclude %{_libexecdir}/ssh/cavs* -%dir %attr(755,root,root) %{_localstatedir}/lib/sshd %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli -%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0444,root,root) %{_mandir}/man5/moduli.5* +%attr(0755,root,root) %{_bindir}/ssh-keygen* + +%files server +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_sbindir}/rcsshd +%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start +%dir %attr(755,root,root) %{_localstatedir}/lib/sshd +%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %attr(0644,root,root) %{_unitdir}/sshd.service -%attr(0755,root,root) %{_bindir}/* -%attr(0755,root,root) %{_sbindir}/* -%attr(0755,root,root) %dir %{_libexecdir}/ssh -%exclude %{_libexecdir}/ssh/ssh-ldap* -%attr(0755,root,root) %{_libexecdir}/ssh/* -%attr(0444,root,root) %{_mandir}/man1/* -%attr(0444,root,root) %{_mandir}/man5/* -%attr(0444,root,root) %{_mandir}/man8/* -%exclude %{_mandir}/man5/ssh-ldap* -%exclude %{_mandir}/man8/ssh-ldap* +%attr(0444,root,root) %{_mandir}/man5/sshd_config* +%attr(0444,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0444,root,root) 
%{_mandir}/man8/sshd.8* +%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg %{_fillupdir}/sysconfig.ssh @@ -323,6 +344,32 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %config %{_fwdefdir}/sshd %endif +%files clients +%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0755,root,root) %{_bindir}/ssh +%attr(0755,root,root) %{_bindir}/scp* +%attr(0755,root,root) %{_bindir}/sftp* +%attr(0755,root,root) %{_bindir}/ssh-add* +%attr(0755,root,root) %{_bindir}/ssh-agent* +%attr(0755,root,root) %{_bindir}/ssh-copy-id* +%attr(0755,root,root) %{_bindir}/ssh-keyscan* +%attr(0755,root,root) %dir %{_libexecdir}/ssh +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper* +%attr(0444,root,root) %{_mandir}/man1/scp.1* +%attr(0444,root,root) %{_mandir}/man1/sftp.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0444,root,root) %{_mandir}/man1/ssh.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1* +%attr(0444,root,root) %{_mandir}/man5/ssh_config.5* +%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* +%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8* +%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8* + %files helpers %attr(0755,root,root) %dir %{_sysconfdir}/ssh %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf From bda5168147039e2ef59671a1209ecf4f176f1682ffb32e9f4ebe1beeb406d124 Mon Sep 17 00:00:00 2001 
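Review bot: In the new `%files server` list of the `@@ -287,33 +311,30 @@` hunk, the `sshd_config` entry goes from `%attr(0600,root,root)` to `%attr(0640,root,root)`, and neither the commit message nor the changelog entry mentions loosening the mode. The entry carries `%verify(not mode)` and `%post server` runs `%set_permissions %{_sysconfdir}/ssh/sshd_config`, so the effective mode presumably comes from the permissions profile, and the packaged mode should agree with it. If the change is unintended, keep `%attr(0600,root,root)`; otherwise add a changelog line giving the reason. The hunk also drops the `%exclude ...%{CHECKSUM_SUFFIX}` lines while the base package keeps a glob (`%{_bindir}/ssh-keygen*`), so confirm that no checksum file now lands outside the fips subpackage.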
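Review bot: `%dir %{_libexecdir}/ssh` appears only under `%files clients` in the `@@ -323,6 +344,32 @@` hunk, while `%files server` in the preceding hunk ships `%{_libexecdir}/ssh/sftp-server` and the server subpackage requires only `openssh`, not `openssh-clients`. On a server-only install the directory would be created implicitly and owned by no package, so rpm would neither track nor verify its mode and ownership. Consider moving the `%dir` line to the base package that both subpackages require, or repeating `%attr(0755,root,root) %dir %{_libexecdir}/ssh` under `%files server`. The helpers, cavs and fips `%files` sections are only partly visible here, so check that none of them already owns the directory.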
From: Hans Petter Jansson Date: Fri, 18 Sep 2020 17:44:52 +0000 Subject: [PATCH 2/3] Accepting request 835301 from home:jengelh:branches:network (re)based onto//includes 835039 - Move some Requires to the right subpackage. OBS-URL: https://build.opensuse.org/request/show/835301 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=214 --- openssh-askpass-gnome.changes | 5 ++ openssh-askpass-gnome.spec | 8 +-- openssh.changes | 16 ++++- openssh.spec | 114 ++++++++++++++++++++++++---------- 4 files changed, 104 insertions(+), 39 deletions(-) diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index d986388..9109aa5 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt + +- Upgrade some old specfile constructs/macros. + ------------------------------------------------------------------- Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 526b21f..7df1ed5 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -40,15 +40,15 @@ for executing commands on a remote machine. This package contains a GNOME-based passphrase dialog for OpenSSH. %prep -%setup -q -n %{_name}-%{version} +%autosetup -p1 -n %{_name}-%{version} %build cd contrib export CFLAGS="%{optflags}" %if 0%{?suse_version} >= 1550 -make %{?_smp_mflags} gnome-ssh-askpass3 +%make_build gnome-ssh-askpass3 %else -make %{?_smp_mflags} gnome-ssh-askpass2 +%make_build gnome-ssh-askpass2 %endif %install 
diff --git a/openssh.changes b/openssh.changes index 69d90f0..d949009 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,9 +1,19 @@ +------------------------------------------------------------------- +Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt + +- Move some Requires to the right subpackage. +- Avoid ">&" bashism in %post. +- Upgrade some old specfile constructs/macros and drop unnecessary + %{?systemd_*}. +- Trim descriptions and straighten out the grammar. + ------------------------------------------------------------------- Thu Sep 10 21:38:30 UTC 2020 - Hans Petter Jansson -- Split openssh package into openssh, openssh-server and - openssh-clients. This allows for the ssh clients to be installed - without the server component (bsc#1176434). +- Split openssh package into openssh, openssh-common, + openssh-server and openssh-clients. This allows for the ssh + clients to be installed without the server component + (bsc#1176434). ------------------------------------------------------------------- Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 3d6810b..04fcf21 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -113,17 +113,8 @@ BuildRequires: pkgconfig BuildRequires: zlib-devel BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libsystemd) -Requires(post): %fillup_prereq -Requires(pre): shadow -PreReq: permissions -Recommends: %{name}-server = %{version}-%{release} -Recommends: %{name}-clients = %{version}-%{release} -Recommends: %{name}-helpers = %{version}-%{release} -Recommends: audit -Conflicts: %{name}-fips < %{version}-%{release} -Conflicts: %{name}-fips > %{version}-%{release} -Conflicts: nonfreessh -%{?systemd_requires} +Requires: %{name}-clients = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} %if %{with tirpc} BuildRequires: libtirpc-devel %endif 
@@ -135,58 +126,112 @@ BuildRequires: krb5-mini-devel %description SSH (Secure Shell) is a program for logging into and executing commands -on a remote machine. It is intended to replace rsh (rlogin and rsh) and -provides openssl (secure encrypted communication) between two untrusted +on a remote machine. It replaces rsh (rlogin and rsh) and +provides a secure encrypted communication between two untrusted hosts over an insecure network. xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. +This is a dummy package that pulls in both the client and server +components. + +%package common +Summary: SSH (Secure Shell) common files +Group: Productivity/Networking/SSH +Conflicts: nonfreessh +Conflicts: %{name}-fips < %{version}-%{release} +Conflicts: %{name}-fips > %{version}-%{release} + +%description common +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides a secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains common files for the Secure Shell server and +clients. + %package server Summary: SSH (Secure Shell) server Group: Productivity/Networking/SSH -Requires: openssh = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Recommends: audit +Requires(pre): shadow +Requires(post): %fillup_prereq +Requires(post): permissions +Provides: openssh:%{_sbindir}/sshd %description server -The SSH (Secure Shell) daemon allows clients to securely connect to your -server. +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides a secure encrypted communication between two untrusted +hosts over an insecure network. 
+ +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains the Secure Shell daemon, which allows clients to +securely connect to your server. %package clients Summary: SSH (Secure Shell) client applications Group: Productivity/Networking/SSH -Requires: openssh = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Provides: openssh:%{_bindir}/ssh %description clients -This package contains clients for making secure connections to SSH (Secure -Shell) servers. +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides a secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains clients for making secure connections to Secure +Shell servers. %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} %description helpers -Helper applications for OpenSSH which retrieve keys from various sources. +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides a secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains helper applications for OpenSSH which retrieve +keys from various sources. 
%package fips -Summary: OpenSSH FIPS cryptomodule HMACs +Summary: OpenSSH FIPS crypto module HMACs Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} -Conflicts: %{name} < %{version}-%{release} -Conflicts: %{name} > %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Conflicts: %{name}-common < %{version}-%{release} +Conflicts: %{name}-common > %{version}-%{release} Obsoletes: %{name}-hmac %description fips -Hashes that together with the main package form the FIPS certifiable -cryptomodule. +This package contains hashes that, together with the main openssh packages, +form the FIPS certifiable crypto module. %package cavs -Summary: OpenSSH FIPS cryptomodule CAVS tests +Summary: OpenSSH FIPS crypto module CAVS tests Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} %description cavs -FIPS140 CAVS tests related parts of the OpenSSH package +This package contains the FIPS140 CAVS (Cryptographic Algorithm +Validation Program/Suite) related tests of OpenSSH. %prep %setup -q @@ -305,7 +350,7 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate # The openssh-fips trigger script for openssh will normally restart sshd once # it gets installed, so only restart the service here is openssh-fips is not # present -rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes +rpm -q openssh-fips >/dev/null 2>/dev/null && DISABLE_RESTART_ON_UPDATE=yes %service_del_postun sshd.service %triggerin -n openssh-fips -- %{name} = %{version}-%{release} 
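Review bot: The `%triggerin -n openssh-fips -- %{name} = %{version}-%{release}` line kept as trailing context in the `@@ -305,7 +350,7 @@` hunk still keys on `%{name}`, which this commit turns into an empty meta package. Meanwhile `%postun server` sets `DISABLE_RESTART_ON_UPDATE=yes` whenever openssh-fips is installed and relies on that trigger to restart sshd. On a host with openssh-server and openssh-fips but without the `openssh` meta package, it looks as if neither path restarts the daemon after an update, leaving the old sshd binary running. Pointing the trigger at the package that ships sshd, e.g. `%triggerin -n openssh-fips -- %{name}-server = %{version}-%{release}`, would keep the restart tied to the server; the trigger body lies outside the hunk, so confirm against the full spec. The comment above the changed line also has a typo and should read `only restart the service here if openssh-fips is not present`.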
@@ -315,6 +360,11 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %verify_permissions -e %{_sysconfdir}/ssh/sshd_config %files +# openssh is an empty package that depends on -clients and -server, +# resulting in a clean upgrade path from prior to the split even when +# recommends are disabled. + +%files common %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh From 633a41eb248fc1223755d4d5b96229148e52a4a2d0b86e9d6a15bea8e05e09ac Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson Date: Fri, 25 Sep 2020 19:42:09 +0000 Subject: [PATCH 3/3] Accepting request 837497 from home:dimstar:Factory - Fix fillup-template usage: + %post server needs to reference ssh (not sshd), which matches the sysconfig.ssh file name the package ships. + %post client does not need any fillup_ calls, as there is no client-relevant sysconfig file present. The naming of the sysconfig file (ssh instead of sshd) is unfortunate. OBS-URL: https://build.opensuse.org/request/show/837497 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=215 --- openssh.changes | 10 ++++++++++ openssh.spec | 5 +---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/openssh.changes b/openssh.changes index d949009..4511472 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Sep 25 13:40:51 UTC 2020 - Dominique Leuenberger + +- Fix fillup-template usage: + + %post server needs to reference ssh (not sshd), which matches + the sysconfig.ssh file name the package ships. + + %post client does not need any fillup_ calls, as there is no + client-relevant sysconfig file present. The naming of the + sysconfig file (ssh instead of sshd) is unfortunate. + ------------------------------------------------------------------- Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt 
diff --git a/openssh.spec b/openssh.spec index 04fcf21..140a4ca 100644 --- a/openssh.spec +++ b/openssh.spec @@ -336,13 +336,10 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate %service_add_pre sshd.service %post server -%{fillup_only -n sshd} +%{fillup_only -n ssh} %service_add_post sshd.service %set_permissions %{_sysconfdir}/ssh/sshd_config -%post clients -%{fillup_only -n ssh} - %preun server %service_del_preun sshd.service