Antonio Larrosa
a77a72fabb
to keep it similar to what it used before the 9.9 rebase: * openssh-8.1p1-audit.patch - Add a openssl11 bcond to the spec file for the SLE12 case instead of checking suse_version in different parts. - Move conditional patches to a number >= 1000. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=276
719 lines
26 KiB
RPMSpec
719 lines
26 KiB
RPMSpec
#
|
|
# spec file for package openssh
|
|
#
|
|
# Copyright (c) 2024 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
%define sandbox_seccomp 0
|
|
%ifnarch ppc
|
|
%define sandbox_seccomp 1
|
|
%endif
|
|
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
|
%define _fwdefdir %{_fwdir}/services
|
|
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
|
%define CHECKSUM_SUFFIX .hmac
|
|
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
|
%bcond_without ldap
|
|
|
|
%if 0%{?suse_version} >= 1550
|
|
%bcond_without wtmpdb
|
|
%bcond_with allow_root_password_login_by_default
|
|
%else
|
|
%bcond_with wtmpdb
|
|
%bcond_without allow_root_password_login_by_default
|
|
%endif
|
|
|
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
|
|
%bcond_without crypto_policies
|
|
%else
|
|
%bcond_with crypto_policies
|
|
%endif
|
|
|
|
%if 0%{?suse_version} < 1500
|
|
%bcond_without openssl11
|
|
%else
|
|
%bcond_with openssl11
|
|
%endif
|
|
|
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
|
%if ! %{defined _fillupdir}
|
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
|
%endif
|
|
Name: openssh
|
|
Version: 9.9p1
|
|
Release: 0
|
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
|
License: BSD-2-Clause AND MIT
|
|
Group: Productivity/Networking/SSH
|
|
URL: https://www.openssh.com/
|
|
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
|
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
|
Source2: sshd.pamd
|
|
Source3: README.SUSE
|
|
Source4: README.kerberos
|
|
Source5: ssh.reg
|
|
Source6: ssh-askpass
|
|
Source7: sshd.fw
|
|
Source8: sysconfig.ssh
|
|
Source9: sshd-gen-keys-start
|
|
Source10: sshd.service
|
|
Source11: README.FIPS
|
|
Source12: cavs_driver-ssh.pl
|
|
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
|
Source14: sysusers-sshd.conf
|
|
Source15: sshd-sle.pamd
|
|
Source16: sshd@.service
|
|
Source17: sshd.socket
|
|
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
|
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
|
Patch4: openssh-7.7p1-eal3.patch
|
|
Patch6: openssh-7.7p1-send_locale.patch
|
|
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
|
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
|
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
|
Patch10: openssh-7.7p1-pam_check_locks.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
|
Patch14: openssh-7.7p1-seccomp_stat.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
|
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
|
# Local FIPS patchset
|
|
Patch17: openssh-7.7p1-fips.patch
|
|
# Local cavs patchset
|
|
Patch18: openssh-7.7p1-cavstest-ctr.patch
|
|
# Local cavs patchset
|
|
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
|
# Local FIPS patchset
|
|
Patch20: openssh-7.7p1-fips_checks.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
|
Patch22: openssh-7.7p1-systemd-notify.patch
|
|
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
|
Patch24: openssh-8.1p1-audit.patch
|
|
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
|
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
|
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
|
|
Patch28: openssh-7.7p1-host_ident.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
|
|
Patch29: openssh-7.7p1-sftp_force_permissions.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
|
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
|
Patch31: openssh-7.7p1-ldap.patch
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
|
|
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
|
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
|
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
|
|
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
|
|
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
|
|
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
|
|
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
|
|
Patch39: openssh-8.1p1-use-openssl-kdf.patch
|
|
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
|
Patch41: openssh-fips-ensure-approved-moduli.patch
|
|
Patch42: openssh-link-with-sk.patch
|
|
Patch43: openssh-reenable-dh-group14-sha1-default.patch
|
|
Patch45: openssh-8.4p1-ssh_config_d.patch
|
|
Patch46: openssh-whitelist-syscalls.patch
|
|
Patch47: openssh-8.4p1-vendordir.patch
|
|
Patch48: openssh-8.4p1-pam_motd.patch
|
|
Patch49: openssh-do-not-send-empty-message.patch
|
|
Patch50: openssh-openssl-3.patch
|
|
Patch51: wtmpdb.patch
|
|
Patch52: logind_set_tty.patch
|
|
Patch54: openssh-mitigate-lingering-secrets.patch
|
|
Patch102: openssh-7.8p1-role-mls.patch
|
|
Patch103: openssh-6.6p1-privsep-selinux.patch
|
|
Patch104: openssh-6.6p1-keycat.patch
|
|
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
|
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
|
# 200 - 300 -- Patches submitted to upstream
|
|
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
|
|
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
|
# 1000 - 2000 -- Conditional patches
|
|
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
|
%if 0%{with crypto_policies}
|
|
Patch1000: openssh-9.6p1-crypto-policies.patch
|
|
Patch1001: openssh-9.6p1-crypto-policies-man.patch
|
|
%endif
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
|
|
Patch1002: openssh-7.7p1-allow_root_password_login.patch
|
|
%endif
|
|
BuildRequires: audit-devel
|
|
BuildRequires: automake
|
|
%if 0%{?suse_version} <= 1600
|
|
BuildRequires: gcc11
|
|
%endif
|
|
BuildRequires: groff
|
|
BuildRequires: libedit-devel
|
|
BuildRequires: libselinux-devel
|
|
%if %{with ldap}
|
|
BuildRequires: openldap2-devel
|
|
%endif
|
|
%if 0%{with openssl11}
|
|
BuildRequires: libopenssl-1_1-devel
|
|
BuildRequires: openssl-1_1
|
|
%else
|
|
BuildRequires: openssl-devel
|
|
%endif
|
|
BuildRequires: pam-devel
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: zlib-devel
|
|
BuildRequires: pkgconfig(libfido2) >= 1.2.0
|
|
BuildRequires: pkgconfig(libsystemd)
|
|
BuildRequires: sysuser-shadow
|
|
BuildRequires: sysuser-tools
|
|
Requires: %{name}-clients = %{version}-%{release}
|
|
Requires: %{name}-server = %{version}-%{release}
|
|
%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500
|
|
BuildRequires: pkgconfig(krb5)
|
|
%else
|
|
BuildRequires: krb5-mini-devel
|
|
%endif
|
|
%if %{with wtmpdb}
|
|
BuildRequires: pkgconfig(libwtmpdb)
|
|
%endif
|
|
Requires(pre): findutils
|
|
Requires(pre): grep
|
|
|
|
%description
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It replaces rsh (rlogin and rsh) and
|
|
provides secure encrypted communication between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
This is a dummy package that pulls in both the client and server
|
|
components.
|
|
|
|
%package common
|
|
Summary: SSH (Secure Shell) common files
|
|
Group: Productivity/Networking/SSH
|
|
Conflicts: nonfreessh
|
|
Conflicts: %{name}-fips < %{version}-%{release}
|
|
Conflicts: %{name}-fips > %{version}-%{release}
|
|
|
|
%description common
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It replaces rsh (rlogin and rsh) and
|
|
provides secure encrypted communication between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
This package contains common files for the Secure Shell server and
|
|
clients.
|
|
|
|
%package server
|
|
Summary: SSH (Secure Shell) server
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-common = %{version}-%{release}
|
|
%if 0%{with crypto_policies}
|
|
Requires: crypto-policies >= 20220824
|
|
%endif
|
|
Recommends: audit
|
|
Requires(pre): findutils
|
|
Requires(pre): grep
|
|
Requires(post): %fillup_prereq
|
|
Requires(post): permissions
|
|
Provides: openssh:%{_sbindir}/sshd
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
# For a brief period of time this package existed in SLE/Leap.
|
|
# It was removed before GM but some people might have it from
|
|
# a beta distribution version (boo#1227350)
|
|
Obsoletes: openssh-server-config-rootlogin <= %{version}
|
|
%endif
|
|
%sysusers_requires
|
|
|
|
%description server
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It replaces rsh (rlogin and rsh) and
|
|
provides secure encrypted communication between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
This package contains the Secure Shell daemon, which allows clients to
|
|
securely connect to your server.
|
|
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
%package server-config-disallow-rootlogin
|
|
Summary: Config to disallow password root logins to sshd
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-server = %{version}-%{release}
|
|
Conflicts: %{name}-server-config-rootlogin
|
|
|
|
%description server-config-disallow-rootlogin
|
|
The openssh-server package by default allows password based
|
|
root logins. This package provides a config that disallows root
|
|
to log in using the passwor. It's useful to secure your system
|
|
preventing password attacks on the root account over ssh.
|
|
%else
|
|
%package server-config-rootlogin
|
|
Summary: Config to permit root logins to sshd
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-server = %{version}-%{release}
|
|
Conflicts: %{name}-server-config-disallow-rootlogin
|
|
|
|
%description server-config-rootlogin
|
|
The openssh-server package by default disallows password based
|
|
root logins. This package provides a config that does. It's useful
|
|
to temporarily have a password based login to be able to use
|
|
ssh-copy-id(1).
|
|
%endif
|
|
|
|
%package clients
|
|
Summary: SSH (Secure Shell) client applications
|
|
Group: Productivity/Networking/SSH
|
|
%if 0%{with crypto_policies}
|
|
Requires: crypto-policies >= 20220824
|
|
%endif
|
|
Requires: %{name}-common = %{version}-%{release}
|
|
Provides: openssh:%{_bindir}/ssh
|
|
|
|
%description clients
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It replaces rsh (rlogin and rsh) and
|
|
provides secure encrypted communication between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
This package contains clients for making secure connections to Secure
|
|
Shell servers.
|
|
|
|
%if %{with ldap}
|
|
%package helpers
|
|
Summary: OpenSSH AuthorizedKeysCommand helpers
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-common = %{version}-%{release}
|
|
|
|
%description helpers
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It replaces rsh (rlogin and rsh) and
|
|
provides secure encrypted communication between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
This package contains helper applications for OpenSSH which retrieve
|
|
keys from various sources.
|
|
%endif
|
|
|
|
%package fips
|
|
Summary: OpenSSH FIPS crypto module HMACs
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-common = %{version}-%{release}
|
|
Conflicts: %{name}-common < %{version}-%{release}
|
|
Conflicts: %{name}-common > %{version}-%{release}
|
|
Obsoletes: %{name}-hmac
|
|
|
|
%description fips
|
|
This package contains hashes that, together with the main openssh packages,
|
|
form the FIPS certifiable crypto module.
|
|
|
|
%package cavs
|
|
Summary: OpenSSH FIPS crypto module CAVS tests
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name}-common = %{version}-%{release}
|
|
|
|
%description cavs
|
|
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
|
|
Validation Program/Suite) related tests of OpenSSH.
|
|
|
|
%prep
|
|
%setup -q
|
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
|
|
|
%autopatch -p1
|
|
|
|
# set libexec dir in the LDAP patch
|
|
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
|
$( grep -Rl @LIBEXECDIR@ \
|
|
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
|
)
|
|
|
|
%build
|
|
%if 0%{?suse_version} <= 1600
|
|
export CC=gcc-11
|
|
%endif
|
|
autoreconf -fiv
|
|
%ifarch s390 s390x %{sparc}
|
|
PIEFLAGS="-fPIE"
|
|
%else
|
|
PIEFLAGS="-fpie"
|
|
%endif
|
|
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
|
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
|
LDFLAGS="-pie -Wl,--as-needed"
|
|
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
|
|
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|
%configure \
|
|
--sysconfdir=%{_sysconfdir}/ssh \
|
|
--libexecdir=%{_libexecdir}/ssh \
|
|
--with-selinux \
|
|
--with-pid-dir=/run \
|
|
--with-systemd \
|
|
--with-ssl-engine \
|
|
--with-pam \
|
|
--with-kerberos5=%{_prefix} \
|
|
--with-privsep-path=%{_localstatedir}/lib/empty \
|
|
%if %{sandbox_seccomp}
|
|
--with-sandbox=seccomp_filter \
|
|
%else
|
|
--with-sandbox=rlimit \
|
|
%endif
|
|
--disable-strip \
|
|
--with-audit=linux \
|
|
%if %{with ldap}
|
|
--with-ldap \
|
|
%endif
|
|
--with-xauth=%{_bindir}/xauth \
|
|
--with-libedit \
|
|
%if %{with wtmpdb}
|
|
--with-wtmpdb \
|
|
%endif
|
|
%if 0%{?suse_version} >= 1550
|
|
--disable-lastlog \
|
|
--with-logind \
|
|
%endif
|
|
--enable-dsa-keys \
|
|
--with-security-key-builtin \
|
|
--target=%{_target_cpu}-suse-linux
|
|
|
|
%make_build
|
|
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
|
|
|
|
%install
|
|
%make_install
|
|
%if %{defined _distconfdir}
|
|
install -d -m 755 %{buildroot}%{_pam_vendordir}
|
|
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
|
|
%else
|
|
# SLE has no distconfdir, so use sle PAM config
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
|
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
|
%endif
|
|
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
|
|
%if 0%{?suse_version} < 1600
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
|
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
|
%endif
|
|
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
|
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
|
|
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
|
|
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
|
install -d -m 755 %{buildroot}%{_fillupdir}
|
|
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
|
# install shell script to automate the process of adding your public key to a remote machine
|
|
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
|
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
|
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
|
%else
|
|
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
|
%endif
|
|
|
|
# Move /etc to /usr/etc/ssh
|
|
%if %{defined _distconfdir}
|
|
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
|
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
|
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
|
%else
|
|
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
|
%endif
|
|
%endif
|
|
|
|
%if 0%{with crypto_policies}
|
|
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
|
%if %{defined _distconfdir}
|
|
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
|
%else
|
|
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
|
%endif
|
|
%endif
|
|
|
|
%if 0%{?suse_version} < 1550
|
|
# install firewall definitions
|
|
mkdir -p %{buildroot}%{_fwdefdir}
|
|
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
|
%endif
|
|
|
|
# askpass wrapper
|
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
|
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
|
# sshd keys generator wrapper
|
|
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
|
|
|
# Install sysusers.d config for sshd user
|
|
mkdir -p %{buildroot}%{_sysusersdir}
|
|
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
|
|
|
|
# the hmac hashes - taken from openssl
|
|
#
|
|
# re-define the __os_install_post macro: the macro strips
|
|
# the binaries and thereby invalidates any hashes created earlier.
|
|
#
|
|
# this shows up earlier because otherwise the %%expand of
|
|
# the macro is too late.
|
|
%if 0%{with openssl11}
|
|
%define opensslbin openssl-1_1
|
|
%else
|
|
%define opensslbin openssl
|
|
%endif
|
|
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
for b in \
|
|
%{_bindir}/ssh \
|
|
%{_sbindir}/sshd \
|
|
%{_libexecdir}/ssh/sftp-server \
|
|
; do
|
|
%{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
|
done
|
|
|
|
}}
|
|
|
|
%pre server -f sshd.pre
|
|
%if %{defined _distconfdir}
|
|
# Prepare for migration to /usr/etc.
|
|
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
|
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
|
|
%endif
|
|
|
|
%service_add_pre sshd.service sshd.socket
|
|
|
|
%post server
|
|
%{fillup_only -n ssh}
|
|
%service_add_post sshd.service sshd.socket
|
|
|
|
%if 0%{with crypto_policies}
|
|
%if ! %{defined _distconfdir}
|
|
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
|
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
|
echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
|
|
echo "be honored until the following line is added at the start of"
|
|
echo "/etc/ssh/sshd_config :"
|
|
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
|
%endif
|
|
%endif
|
|
|
|
%preun server
|
|
%service_del_preun sshd.service sshd.socket
|
|
|
|
%postun server
|
|
# The openssh-fips trigger script for openssh will normally restart sshd once
|
|
# it gets installed, so only restart the service here if openssh-fips is not
|
|
# present.
|
|
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
|
|
%service_del_postun_without_restart sshd.service sshd.socket
|
|
else
|
|
%service_del_postun sshd.service sshd.socket
|
|
fi
|
|
|
|
%if 0%{with crypto_policies}
|
|
%if ! %{defined _distconfdir}
|
|
%post server-config-disallow-rootlogin
|
|
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
|
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
|
echo " /etc/ssh/sshd_config.d/ . The config file installed by"
|
|
echo "openssh-server-config-disallow-rootlogin won't be used until"
|
|
echo "the following line is added at the start of /etc/ssh/sshd_config :"
|
|
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
|
%endif
|
|
%endif
|
|
|
|
%if %{defined _distconfdir}
|
|
%posttrans server
|
|
# Migration to /usr/etc.
|
|
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
|
|
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
|
|
%endif
|
|
|
|
%if %{defined _distconfdir}
|
|
%pre clients
|
|
# Prepare for migration to /usr/etc.
|
|
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
|
%endif
|
|
|
|
%if 0%{with crypto_policies}
|
|
%if ! %{defined _distconfdir}
|
|
%post clients
|
|
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
|
|
echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
|
|
echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
|
|
echo "be honored until the following line is added at the start of"
|
|
echo "/etc/ssh/ssh_config :"
|
|
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
|
|
%endif
|
|
%endif
|
|
|
|
%if %{defined _distconfdir}
|
|
%posttrans clients
|
|
# Migration to /usr/etc.
|
|
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
|
|
%endif
|
|
|
|
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
|
%restart_on_update sshd
|
|
|
|
%files
|
|
# openssh is an empty package that depends on -clients and -server,
|
|
# resulting in a clean upgrade path from prior to the split even when
|
|
# recommends are disabled.
|
|
|
|
%files common
|
|
%license LICENCE
|
|
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
|
%if %{defined _distconfdir}
|
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
|
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
|
|
%else
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
|
|
%endif
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
|
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
|
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
|
|
|
%files server
|
|
%attr(0755,root,root) %{_sbindir}/sshd
|
|
%attr(0755,root,root) %{_sbindir}/rcsshd
|
|
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
|
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
|
%if %{defined _distconfdir}
|
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
|
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
|
|
%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
|
|
%attr(0644,root,root) %{_pam_vendordir}/sshd
|
|
%else
|
|
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
|
%endif
|
|
%if 0%{with crypto_policies}
|
|
%if %{defined _distconfdir}
|
|
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
|
%else
|
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
|
%endif
|
|
%endif
|
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
|
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
|
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
|
|
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
|
|
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
|
|
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
|
|
%if 0%{?suse_version} < 1600
|
|
%dir %{_sysconfdir}/slp.reg.d
|
|
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
|
%endif
|
|
%{_fillupdir}/sysconfig.ssh
|
|
%if 0%{?suse_version} < 1550
|
|
%dir %{_fwdir}
|
|
%dir %{_fwdefdir}
|
|
%config %{_fwdefdir}/sshd
|
|
%endif
|
|
|
|
%if 0%{with allow_root_password_login_by_default}
|
|
%files server-config-disallow-rootlogin
|
|
%if %{defined _distconfdir}
|
|
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
|
%else
|
|
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
|
%endif
|
|
%else
|
|
%files server-config-rootlogin
|
|
%if %{defined _distconfdir}
|
|
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
|
%else
|
|
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
|
%endif
|
|
%endif
|
|
|
|
%files clients
|
|
%if 0%{with crypto_policies}
|
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
|
%endif
|
|
%if %{defined _distconfdir}
|
|
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
|
%else
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
|
%endif
|
|
%attr(0755,root,root) %{_bindir}/ssh
|
|
%attr(0755,root,root) %{_bindir}/scp*
|
|
%attr(0755,root,root) %{_bindir}/sftp*
|
|
%attr(0755,root,root) %{_bindir}/ssh-add*
|
|
%attr(0755,root,root) %{_bindir}/ssh-agent*
|
|
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
|
|
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
|
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
|
|
%attr(0444,root,root) %{_mandir}/man1/scp.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
|
|
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
|
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
|
|
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
|
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
|
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
|
|
|
|
%if %{with ldap}
|
|
%files helpers
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
|
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
|
|
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
|
|
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
|
%endif
|
|
|
|
%files fips
|
|
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
|
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
|
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
|
|
|
%files cavs
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
|
|
|
%changelog
|