Accepting request 888799 from network
- Change vendor configuration dir from /usr/share/ssh/ to /usr/etc/ssh/. - Remove upgrade enablement hack. This has been fixed in systemd-rpm-macros (bsc#1180083). (forwarded request 887559 from hpjansson) OBS-URL: https://build.opensuse.org/request/show/888799 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=151
commit
b88621588f
@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
|
|||||||
|
|
||||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||||
|
|
||||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
|
||||||
NOTE: this has security implications and is only done in order to not change
|
|
||||||
behaviour of the server in an update. We strongly suggest setting this option
|
|
||||||
either "prohibit-password" or even better to "no" (which disables direct
|
|
||||||
remote root login entirely).
|
|
||||||
|
|
||||||
* DSA authentication is enabled by default for maximum compatibility.
|
* DSA authentication is enabled by default for maximum compatibility.
|
||||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||||
|
@ -1,59 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
|
||||||
Allow root login with password by default. While less secure than upstream
|
|
||||||
default of forbidding access to the root account with a password, we are
|
|
||||||
temporarily introducing this change to keep the default used in older OpenSSH
|
|
||||||
versions shipped with SLE.
|
|
||||||
|
|
||||||
Index: openssh-8.4p1/servconf.c
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/servconf.c
|
|
||||||
+++ openssh-8.4p1/servconf.c
|
|
||||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
|
||||||
if (options->login_grace_time == -1)
|
|
||||||
options->login_grace_time = 120;
|
|
||||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
|
||||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
|
||||||
+ options->permit_root_login = PERMIT_YES;
|
|
||||||
if (options->ignore_rhosts == -1)
|
|
||||||
options->ignore_rhosts = 1;
|
|
||||||
if (options->ignore_user_known_hosts == -1)
|
|
||||||
Index: openssh-8.4p1/sshd_config
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config
|
|
||||||
+++ openssh-8.4p1/sshd_config
|
|
||||||
@@ -29,7 +29,7 @@
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
||||||
Index: openssh-8.4p1/sshd_config.0
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config.0
|
|
||||||
+++ openssh-8.4p1/sshd_config.0
|
|
||||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
|
||||||
PermitRootLogin
|
|
||||||
Specifies whether root can log in using ssh(1). The argument
|
|
||||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
|
||||||
- default is prohibit-password.
|
|
||||||
+ default is yes.
|
|
||||||
|
|
||||||
If this option is set to prohibit-password (or its deprecated
|
|
||||||
alias, without-password), password and keyboard-interactive
|
|
||||||
Index: openssh-8.4p1/sshd_config.5
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config.5
|
|
||||||
+++ openssh-8.4p1/sshd_config.5
|
|
||||||
@@ -1331,7 +1331,7 @@ The argument must be
|
|
||||||
or
|
|
||||||
.Cm no .
|
|
||||||
The default is
|
|
||||||
-.Cm prohibit-password .
|
|
||||||
+.Cm yes .
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
||||||
.Cm prohibit-password
|
|
227
openssh-8.4p1-vendordir.patch
Normal file
227
openssh-8.4p1-vendordir.patch
Normal file
@ -0,0 +1,227 @@
|
|||||||
|
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
||||||
|
diff -u openssh-8.4p1/dh.c openssh-8.4p1-vendor/dh.c
|
||||||
|
--- openssh-8.4p1/dh.c 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/dh.c 2021-01-29 11:49:40.968418136 +0100
|
||||||
|
@@ -151,10 +151,18 @@
|
||||||
|
size_t linesize = 0;
|
||||||
|
int best, bestcount, which, linenum;
|
||||||
|
struct dhgroup dhg;
|
||||||
|
+ char *dh_moduli_path;
|
||||||
|
+ struct stat st;
|
||||||
|
|
||||||
|
- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
||||||
|
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
||||||
|
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
||||||
|
+ dh_moduli_path = _PATH_VENDOR_DH_MODULI;
|
||||||
|
+ } else {
|
||||||
|
+ dh_moduli_path = _PATH_DH_MODULI;
|
||||||
|
+ }
|
||||||
|
+ if ((f = fopen(dh_moduli_path, "r")) == NULL) {
|
||||||
|
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||||
|
- _PATH_DH_MODULI, strerror(errno));
|
||||||
|
+ dh_moduli_path, strerror(errno));
|
||||||
|
return (dh_new_group_fallback(max));
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -185,7 +193,7 @@
|
||||||
|
|
||||||
|
if (bestcount == 0) {
|
||||||
|
fclose(f);
|
||||||
|
- logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI);
|
||||||
|
+ logit("WARNING: no suitable primes in %s", dh_moduli_path);
|
||||||
|
return (dh_new_group_fallback(max));
|
||||||
|
}
|
||||||
|
which = arc4random_uniform(bestcount);
|
||||||
|
@@ -210,7 +218,7 @@
|
||||||
|
fclose(f);
|
||||||
|
if (bestcount != which + 1) {
|
||||||
|
logit("WARNING: selected prime disappeared in %s, giving up",
|
||||||
|
- _PATH_DH_MODULI);
|
||||||
|
+ dh_moduli_path);
|
||||||
|
return (dh_new_group_fallback(max));
|
||||||
|
}
|
||||||
|
|
||||||
|
Gemeinsame Unterverzeichnisse: openssh-8.4p1/.github und openssh-8.4p1-vendor/.github.
|
||||||
|
Gemeinsame Unterverzeichnisse: openssh-8.4p1/m4 und openssh-8.4p1-vendor/m4.
|
||||||
|
Gemeinsame Unterverzeichnisse: openssh-8.4p1/openbsd-compat und openssh-8.4p1-vendor/openbsd-compat.
|
||||||
|
diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h
|
||||||
|
--- openssh-8.4p1/pathnames.h 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/pathnames.h 2021-01-29 11:35:41.655599046 +0100
|
||||||
|
@@ -18,6 +18,8 @@
|
||||||
|
#define SSHDIR ETCDIR "/ssh"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define VENDORDIR "/usr/etc/ssh"
|
||||||
|
+
|
||||||
|
#ifndef _PATH_SSH_PIDDIR
|
||||||
|
#define _PATH_SSH_PIDDIR "/var/run"
|
||||||
|
#endif
|
||||||
|
@@ -35,13 +37,17 @@
|
||||||
|
* should be world-readable.
|
||||||
|
*/
|
||||||
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
||||||
|
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
||||||
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
||||||
|
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
||||||
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
||||||
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
||||||
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
||||||
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
||||||
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
||||||
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
||||||
|
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
||||||
|
+
|
||||||
|
|
||||||
|
#ifndef _PATH_SSH_PROGRAM
|
||||||
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
||||||
|
Gemeinsame Unterverzeichnisse: openssh-8.4p1/regress und openssh-8.4p1-vendor/regress.
|
||||||
|
diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c
|
||||||
|
--- openssh-8.4p1/ssh.c 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/ssh.c 2021-01-27 18:22:52.322271681 +0100
|
||||||
|
@@ -593,6 +593,7 @@
|
||||||
|
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
||||||
|
int *want_final_pass)
|
||||||
|
{
|
||||||
|
+ struct stat st;
|
||||||
|
char buf[PATH_MAX];
|
||||||
|
int r;
|
||||||
|
|
||||||
|
@@ -611,10 +612,23 @@
|
||||||
|
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
||||||
|
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
||||||
|
|
||||||
|
- /* Read systemwide configuration file after user config. */
|
||||||
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||||
|
- host, host_name, &options,
|
||||||
|
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
||||||
|
+ /* If only the vendor configuration file exists, use that.
|
||||||
|
+ * Else use the standard configuration file.
|
||||||
|
+ */
|
||||||
|
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||||
|
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
||||||
|
+ /* Read vendor distributed configuration file. */
|
||||||
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
||||||
|
+ pw, host, host_name, &options,
|
||||||
|
+ final_pass ? SSHCONF_FINAL : 0,
|
||||||
|
+ want_final_pass);
|
||||||
|
+ } else {
|
||||||
|
+ /* Read systemwide configuration file after user config. */
|
||||||
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||||
|
+ host, host_name, &options,
|
||||||
|
+ final_pass ? SSHCONF_FINAL : 0,
|
||||||
|
+ want_final_pass);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Nur in openssh-8.4p1-vendor: #ssh_config.5#.
|
||||||
|
diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5
|
||||||
|
--- openssh-8.4p1/ssh_config.5 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/ssh_config.5 2021-02-24 12:02:53.935729753 +0100
|
||||||
|
@@ -54,6 +54,9 @@
|
||||||
|
.It
|
||||||
|
system-wide configuration file
|
||||||
|
.Pq Pa /etc/ssh/ssh_config
|
||||||
|
+.It
|
||||||
|
+vendor configuration file
|
||||||
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
For each parameter, the first obtained value
|
||||||
|
@@ -1942,6 +1945,11 @@
|
||||||
|
values that are not specified in the user's configuration file, and
|
||||||
|
for those users who do not have a configuration file.
|
||||||
|
This file must be world-readable.
|
||||||
|
+.It Pa /usr/etc/ssh/ssh_config
|
||||||
|
+Vendor specific configuraiton file.
|
||||||
|
+This file provides the vendor defaults and is used as fallback if the
|
||||||
|
+.Ic /etc/ssh/ssh_config
|
||||||
|
+configuration file does not exist.
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr ssh 1
|
||||||
|
Nur in openssh-8.4p1-vendor: ssh_config.5~.
|
||||||
|
diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c
|
||||||
|
--- openssh-8.4p1/sshd.c 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/sshd.c 2021-01-27 18:25:38.370273280 +0100
|
||||||
|
@@ -136,7 +136,7 @@
|
||||||
|
ServerOptions options;
|
||||||
|
|
||||||
|
/* Name of the server configuration file. */
|
||||||
|
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||||
|
+char *config_file_name = NULL;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Debug mode flag. This can be set on the command line. If debug
|
||||||
|
@@ -1526,6 +1526,7 @@
|
||||||
|
int
|
||||||
|
main(int ac, char **av)
|
||||||
|
{
|
||||||
|
+ struct stat st;
|
||||||
|
struct ssh *ssh = NULL;
|
||||||
|
extern char *optarg;
|
||||||
|
extern int optind;
|
||||||
|
@@ -1737,7 +1738,21 @@
|
||||||
|
*/
|
||||||
|
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||||
|
}
|
||||||
|
+ } else if (config_file_name == NULL) {
|
||||||
|
+ /* If only the vendor configuration file exists, use that.
|
||||||
|
+ * Else use the standard configuration file.
|
||||||
|
+ */
|
||||||
|
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||||
|
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
||||||
|
+ /* fill with global distributor settings */
|
||||||
|
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
||||||
|
+ } else {
|
||||||
|
+ /* load global admin settings */
|
||||||
|
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||||
|
+ }
|
||||||
|
+ load_server_config(config_file_name, cfg);
|
||||||
|
} else if (strcasecmp(config_file_name, "none") != 0)
|
||||||
|
+ /* load config specified on commandline */
|
||||||
|
load_server_config(config_file_name, cfg);
|
||||||
|
|
||||||
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||||
|
diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5
|
||||||
|
--- openssh-8.4p1/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/sshd_config.5 2021-02-24 14:14:27.912038335 +0100
|
||||||
|
@@ -44,7 +44,9 @@
|
||||||
|
.Xr sshd 8
|
||||||
|
reads configuration data from
|
||||||
|
.Pa /etc/ssh/sshd_config
|
||||||
|
-(or the file specified with
|
||||||
|
+(
|
||||||
|
+.Pa /usr/etc/ssh/sshd_config
|
||||||
|
+if the file does not exist or the file specified with
|
||||||
|
.Fl f
|
||||||
|
on the command line).
|
||||||
|
The file contains keyword-argument pairs, one per line.
|
||||||
|
Nur in openssh-8.4p1-vendor: sshd_config.5~.
|
||||||
|
diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c
|
||||||
|
--- openssh-8.4p1/ssh-keysign.c 2020-09-27 09:25:01.000000000 +0200
|
||||||
|
+++ openssh-8.4p1-vendor/ssh-keysign.c 2021-02-24 11:34:17.684570215 +0100
|
||||||
|
@@ -172,6 +172,7 @@
|
||||||
|
u_char *signature, *data, rver;
|
||||||
|
char *host, *fp;
|
||||||
|
size_t slen, dlen;
|
||||||
|
+ struct stat st;
|
||||||
|
|
||||||
|
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
||||||
|
fatal("%s: pledge: %s", __progname, strerror(errno));
|
||||||
|
@@ -205,8 +206,12 @@
|
||||||
|
|
||||||
|
/* verify that ssh-keysign is enabled by the admin */
|
||||||
|
initialize_options(&options);
|
||||||
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||||
|
- &options, 0, NULL);
|
||||||
|
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
||||||
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||||
|
+ &options, 0, NULL);
|
||||||
|
+ else
|
||||||
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw,
|
||||||
|
+ "", "", &options, 0, NULL);
|
||||||
|
fill_default_options(&options);
|
||||||
|
if (options.enable_ssh_keysign != 1)
|
||||||
|
fatal("ssh-keysign not enabled in %s",
|
||||||
|
Nur in openssh-8.4p1-vendor: ssh-keysign.c~.
|
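Review bot: The fallback test `stat(_PATH_SERVER_CONFIG_FILE, &st) == -1` in the sshd.c hunk (and the identical tests in dh.c and ssh.c) treats every stat() failure as "file absent", so an /etc/ssh/sshd_config that is a dangling symlink or sits behind an unreadable path component silently switches sshd to the vendor defaults under /usr/etc instead of leaving the subsequent open of the admin file to report the problem. Restricting the fallback to the genuinely-missing case keeps every other error visible, e.g. `stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 && stat(_PATH_SERVER_CONFIG_FILE, &st) == -1 && errno == ENOENT` (errno here belongs to the last stat call). The same vendor-vs-admin selection is now written four times with slightly different rules (ssh-keysign.c only checks that /etc/ssh/ssh_config exists), so a single helper returning the chosen path would keep the precedence rule in one place. `char *dh_moduli_path` in dh.c only ever holds string literals and should be `const char *`; `char *config_file_name = NULL` also leaves the pointer NULL on the rexeced-child path, which is fine for the `rexeced_flag ? "rexec" : config_file_name` use shown here but needs checking against any later use of config_file_name outside this hunk. The ssh_config.5 hunk also carries a typo, `configuraiton`.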
@ -1,3 +1,26 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 22 12:02:55 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
- Change vendor configuration dir from /usr/share/ssh/ to
|
||||||
|
/usr/etc/ssh/.
|
||||||
|
- Remove upgrade enablement hack. This has been fixed in
|
||||||
|
systemd-rpm-macros (bsc#1180083).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
|
||||||
|
|
||||||
|
- Add support for vendor provided configuration files in
|
||||||
|
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
|
||||||
|
- Move configuration files from /etc/ssh/ to /usr/share/ssh/
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
|
||||||
|
as root via password by default (is also upstream default). Comment
|
||||||
|
indicates that this was a temporary meassure that we now had for
|
||||||
|
five years, time to get rid of it (bsc#1173067)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
59
openssh.spec
59
openssh.spec
@ -15,7 +15,6 @@
|
|||||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%define sandbox_seccomp 0
|
%define sandbox_seccomp 0
|
||||||
%ifnarch ppc
|
%ifnarch ppc
|
||||||
%define sandbox_seccomp 1
|
%define sandbox_seccomp 1
|
||||||
@ -30,8 +29,6 @@
|
|||||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||||
%define CHECKSUM_SUFFIX .hmac
|
%define CHECKSUM_SUFFIX .hmac
|
||||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||||
%define _tmpenableddir %{_localstatedir}/lib/sshd
|
|
||||||
%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp
|
|
||||||
|
|
||||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
%if ! %{defined _fillupdir}
|
%if ! %{defined _fillupdir}
|
||||||
@ -59,7 +56,6 @@ Source11: README.FIPS
|
|||||||
Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||||
Source14: sysusers-sshd.conf
|
Source14: sysusers-sshd.conf
|
||||||
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
|
||||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||||
Patch4: openssh-7.7p1-eal3.patch
|
Patch4: openssh-7.7p1-eal3.patch
|
||||||
@ -112,6 +108,7 @@ Patch43: openssh-reenable-dh-group14-sha1-default.patch
|
|||||||
Patch44: openssh-fix-ssh-copy-id.patch
|
Patch44: openssh-fix-ssh-copy-id.patch
|
||||||
Patch45: openssh-8.4p1-ssh_config_d.patch
|
Patch45: openssh-8.4p1-ssh_config_d.patch
|
||||||
Patch46: openssh-whitelist-syscalls.patch
|
Patch46: openssh-whitelist-syscalls.patch
|
||||||
|
Patch47: openssh-8.4p1-vendordir.patch
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
@ -298,7 +295,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
--target=%{_target_cpu}-suse-linux
|
--target=%{_target_cpu}-suse-linux
|
||||||
|
|
||||||
%make_build
|
%make_build
|
||||||
%sysusers_generate_pre %{SOURCE14} sshd
|
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
@ -323,6 +320,12 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
|||||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||||
|
|
||||||
|
# Move /etc to /usr/etc/ssh
|
||||||
|
mkdir -p %{buildroot}%{_distconfdir}/ssh
|
||||||
|
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||||
|
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||||
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||||
|
|
||||||
%if 0%{?suse_version} < 1550
|
%if 0%{?suse_version} < 1550
|
||||||
# install firewall definitions
|
# install firewall definitions
|
||||||
mkdir -p %{buildroot}%{_fwdefdir}
|
mkdir -p %{buildroot}%{_fwdefdir}
|
||||||
@ -358,52 +361,17 @@ done
|
|||||||
|
|
||||||
}}
|
}}
|
||||||
|
|
||||||
%pre
|
|
||||||
# Remember whether the sshd service was enabled prior to an upgrade. This
|
|
||||||
# is needed when upgrading to a split-off openssh-server package. The
|
|
||||||
# %%service_add_post scriptlet (in %%post server) will see it as a new service
|
|
||||||
# and apply the preset, disabling it. We need to reenable it afterwards if
|
|
||||||
# necessary.
|
|
||||||
mkdir -p %{_tmpenableddir} || :
|
|
||||||
if [ -x %{_bindir}/systemctl ]; then
|
|
||||||
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
|
||||||
else
|
|
||||||
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
|
|
||||||
-exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
|
|
||||||
then echo "enabled" > %{_tmpenabledfile} || :; fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
%pre server -f sshd.pre
|
%pre server -f sshd.pre
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
# move outdated pam.d/*.rpmsave file away
|
# move outdated pam.d/*.rpmsave file away
|
||||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# See %%pre.
|
|
||||||
mkdir -p %{_tmpenableddir} || :
|
|
||||||
if [ -x %{_bindir}/systemctl ]; then
|
|
||||||
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
|
||||||
else
|
|
||||||
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
|
|
||||||
-exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
|
|
||||||
then echo "enabled" > %{_tmpenabledfile} || :; fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
%service_add_pre sshd.service
|
%service_add_pre sshd.service
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%{fillup_only -n ssh}
|
%{fillup_only -n ssh}
|
||||||
%service_add_post sshd.service
|
%service_add_post sshd.service
|
||||||
%set_permissions %{_sysconfdir}/ssh/sshd_config
|
|
||||||
|
|
||||||
# Work around %%service_add_post disabling the service on upgrades where
|
|
||||||
# the package name changed.
|
|
||||||
if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \
|
|
||||||
&& [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then
|
|
||||||
systemctl enable sshd || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f %{_tmpenabledfile}
|
|
||||||
|
|
||||||
%preun server
|
%preun server
|
||||||
%service_del_preun sshd.service
|
%service_del_preun sshd.service
|
||||||
@ -428,9 +396,6 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
|||||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||||
%restart_on_update sshd
|
%restart_on_update sshd
|
||||||
|
|
||||||
%verifyscript server
|
|
||||||
%verify_permissions -e %{_sysconfdir}/ssh/sshd_config
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
# openssh is an empty package that depends on -clients and -server,
|
# openssh is an empty package that depends on -clients and -server,
|
||||||
# resulting in a clean upgrade path from prior to the split even when
|
# resulting in a clean upgrade path from prior to the split even when
|
||||||
@ -440,7 +405,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
|||||||
%license LICENCE
|
%license LICENCE
|
||||||
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||||
|
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
||||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
||||||
@ -451,7 +417,8 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
|||||||
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
||||||
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
||||||
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||||
|
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
%attr(0644,root,root) %{_distconfdir}/pam.d/sshd
|
%attr(0644,root,root) %{_distconfdir}/pam.d/sshd
|
||||||
%else
|
%else
|
||||||
@ -474,7 +441,7 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
|||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
%attr(0755,root,root) %{_bindir}/scp*
|
%attr(0755,root,root) %{_bindir}/scp*
|
||||||
%attr(0755,root,root) %{_bindir}/sftp*
|
%attr(0755,root,root) %{_bindir}/sftp*
|
||||||
|
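Review bot: The new %install and %files lines use `%{_distconfdir}` unconditionally (`mkdir -p %{buildroot}%{_distconfdir}/ssh`, the three `mv` lines, and the `%{_distconfdir}/ssh/...` entries in %files, %files server and %files clients) while the spec still guards its other uses with `%if %{defined _distconfdir}`; on a target where the macro is undefined the build would try to create a literal `%{_distconfdir}` path. Either drop the remaining guards because the macro is now required, or give it a fallback near the top of the spec such as `%{!?_distconfdir:%global _distconfdir /usr/etc}`. The accompanying patch hard-codes `/usr/etc/ssh` as VENDORDIR in pathnames.h, so any divergence from `%{_distconfdir}` at build time would leave the binaries looking for vendor files in a directory the package does not populate; wrapping that `#define` in `#ifndef VENDORDIR` and passing the value from the spec via CPPFLAGS would tie the two together. With `%config(noreplace)`, `%set_permissions` and the `%verifyscript` entry dropped, the copies under `%{_distconfdir}/ssh` are now replaced on every update, which is the intent of the scheme but is worth stating in README.SUSE so administrators know to copy those files to /etc/ssh rather than edit them in place.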