Dirk Mueller
c84af5da00
- sshd_config is has now permissions 0600 in secure mode OBS-URL: https://build.opensuse.org/request/show/536578 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=120
480 lines
14 KiB
RPMSpec
480 lines
14 KiB
RPMSpec
#
|
|
# spec file for package openssh
|
|
#
|
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%if 0%{suse_version} >= 1100
|
|
%define has_fw_dir 1
|
|
%else
|
|
%define has_fw_dir 0
|
|
%endif
|
|
|
|
%if 0%{suse_version} >= 1110
|
|
%define has_libselinux 1
|
|
%else
|
|
%define has_libselinux 0
|
|
%endif
|
|
|
|
%if 0%{?suse_version} >= 1130
|
|
%define needs_all_dirs 1
|
|
%else
|
|
%define needs_all_dirs 0
|
|
%endif
|
|
|
|
%if 0%{?suse_version} >= 1140
|
|
%define needs_libedit 1
|
|
%else
|
|
%define needs_libedit 0
|
|
%endif
|
|
|
|
%if 0%{?suse_version} > 1140
|
|
%define has_krb_mini 1
|
|
%else
|
|
%define has_krb_mini 0
|
|
%endif
|
|
|
|
%if 0%{?suse_version} > 1220
|
|
%define uses_systemd 1
|
|
%else
|
|
%define uses_systemd 0
|
|
%endif
|
|
|
|
%define sandbox_seccomp 0
|
|
%if 0%{?suse_version} > 1220
|
|
%define sandbox_seccomp 1
|
|
%endif
|
|
|
|
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
|
%define _fwdefdir %{_fwdir}/services
|
|
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
|
%{!?_initddir:%global _initddir %{_initrddir}}
|
|
|
|
Name: openssh
|
|
BuildRequires: audit-devel
|
|
BuildRequires: autoconf
|
|
BuildRequires: groff
|
|
%if %{has_krb_mini}
|
|
BuildRequires: krb5-mini-devel
|
|
%else
|
|
BuildRequires: krb5-devel
|
|
%endif
|
|
%if %{needs_libedit}
|
|
BuildRequires: libedit-devel
|
|
%endif
|
|
%if %{has_libselinux}
|
|
BuildRequires: libselinux-devel
|
|
%endif
|
|
%if %{suse_version} < 1330
|
|
BuildRequires: openssl-devel
|
|
%else
|
|
BuildRequires: libopenssl-1_0_0-devel
|
|
%endif
|
|
BuildRequires: openldap2-devel
|
|
BuildRequires: pam-devel
|
|
%if %{uses_systemd}
|
|
BuildRequires: pkgconfig(systemd)
|
|
%{?systemd_requires}
|
|
%endif
|
|
BuildRequires: tcpd-devel
|
|
PreReq: pwdutils %{fillup_prereq} coreutils
|
|
%if ! %{uses_systemd}
|
|
PreReq: %{insserv_prereq}
|
|
%endif
|
|
Version: 7.2p2
|
|
Release: 0
|
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
|
License: BSD-2-Clause and MIT
|
|
Group: Productivity/Networking/SSH
|
|
Url: http://www.openssh.com/
|
|
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
|
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
|
Source1: sshd.init
|
|
Source2: sshd.pamd
|
|
Source3: README.SUSE
|
|
Source4: README.kerberos
|
|
Source5: ssh.reg
|
|
Source6: ssh-askpass
|
|
Source7: sshd.fw
|
|
Source8: sysconfig.ssh
|
|
Source9: sshd-gen-keys-start
|
|
Source10: sshd.service
|
|
Source11: README.FIPS
|
|
Source12: cavs_driver-ssh.pl
|
|
Patch00: openssh-7.2p2-allow_root_password_login.patch
|
|
Patch01: openssh-7.2p2-allow_DSS_by_default.patch
|
|
Patch02: openssh-7.2p2-X11_trusted_forwarding.patch
|
|
Patch03: openssh-7.2p2-lastlog.patch
|
|
Patch04: openssh-7.2p2-enable_PAM_by_default.patch
|
|
Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch
|
|
Patch06: openssh-7.2p2-eal3.patch
|
|
Patch07: openssh-7.2p2-blocksigalrm.patch
|
|
Patch08: openssh-7.2p2-send_locale.patch
|
|
Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch
|
|
Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch
|
|
Patch11: openssh-7.2p2-pts_names_formatting.patch
|
|
Patch12: openssh-7.2p2-pam_check_locks.patch
|
|
Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
|
|
Patch14: openssh-7.2p2-seccomp_getuid.patch
|
|
Patch15: openssh-7.2p2-seccomp_geteuid.patch
|
|
Patch16: openssh-7.2p2-seccomp_stat.patch
|
|
Patch17: openssh-7.2p2-additional_seccomp_archs.patch
|
|
Patch18: openssh-7.2p2-fips.patch
|
|
Patch19: openssh-7.2p2-cavstest-ctr.patch
|
|
Patch20: openssh-7.2p2-cavstest-kdf.patch
|
|
Patch21: openssh-7.2p2-seed-prng.patch
|
|
Patch22: openssh-7.2p2-gssapi_key_exchange.patch
|
|
Patch23: openssh-7.2p2-audit.patch
|
|
Patch24: openssh-7.2p2-audit_fixes.patch
|
|
Patch25: openssh-7.2p2-audit_seed_prng.patch
|
|
Patch26: openssh-7.2p2-login_options.patch
|
|
Patch27: openssh-7.2p2-disable_openssl_abi_check.patch
|
|
Patch28: openssh-7.2p2-no_fork-no_pid_file.patch
|
|
Patch29: openssh-7.2p2-host_ident.patch
|
|
Patch30: openssh-7.2p2-sftp_homechroot.patch
|
|
Patch31: openssh-7.2p2-sftp_force_permissions.patch
|
|
Patch32: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
|
Patch33: openssh-7.2p2-ldap.patch
|
|
Patch34: openssh-7.2p2-IPv6_X_forwarding.patch
|
|
Patch35: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
|
|
Patch36: openssh-7.2p2-prevent_timing_user_enumeration.patch
|
|
Patch37: openssh-7.2p2-limit_password_length.patch
|
|
Patch38: openssh-7.2p2-keep_slogin.patch
|
|
Patch39: openssh-7.2p2-kex_resource_depletion.patch
|
|
Patch40: openssh-7.2p2-verify_CIDR_address_ranges.patch
|
|
Patch41: openssh-7.2p2-restrict_pkcs11-modules.patch
|
|
Patch42: openssh-7.2p2-prevent_private_key_leakage.patch
|
|
Patch43: openssh-7.2p2-secure_unix_sockets_forwarding.patch
|
|
Patch44: openssh-7.2p2-ssh_case_insensitive_host_matching.patch
|
|
Patch45: openssh-7.2p2-disable_preauth_compression.patch
|
|
Patch46: openssh-7.2p2-s390_hw_crypto_syscalls.patch
|
|
Patch47: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
Conflicts: nonfreessh
|
|
Recommends: audit
|
|
Recommends: xauth
|
|
Recommends: %{name}-helpers = %{version}-%{release}
|
|
Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release}
|
|
%define CHECKSUM_SUFFIX .hmac
|
|
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
|
|
|
%description
|
|
SSH (Secure Shell) is a program for logging into and executing commands
|
|
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
|
|
provides openssl (secure encrypted communication) between two untrusted
|
|
hosts over an insecure network.
|
|
|
|
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
|
also be forwarded over the secure channel.
|
|
|
|
|
|
%package helpers
|
|
Summary: OpenSSH AuthorizedKeysCommand helpers
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name} = %{version}-%{release}
|
|
|
|
%description helpers
|
|
Helper applications for OpenSSH which retrieve keys from various sources.
|
|
|
|
|
|
%package fips
|
|
Summary: OpenSSH FIPS cryptomodule HMACs
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name} = %{version}-%{release}
|
|
Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release}
|
|
Obsoletes: %{name}-hmac
|
|
|
|
%description fips
|
|
Hashes that together with the main package form the FIPS certifiable
|
|
cryptomodule.
|
|
|
|
|
|
%package cavs
|
|
Summary: OpenSSH FIPS cryptomodule CAVS tests
|
|
Group: Productivity/Networking/SSH
|
|
Requires: %{name} = %{version}-%{release}
|
|
|
|
%description cavs
|
|
FIPS140 CAVS tests related parts of the OpenSSH package
|
|
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch00 -p2
|
|
%patch01 -p2
|
|
%patch02 -p2
|
|
%patch03 -p2
|
|
%patch04 -p2
|
|
%patch05 -p2
|
|
%patch06 -p2
|
|
%patch07 -p2
|
|
%patch08 -p2
|
|
%patch09 -p2
|
|
%patch10 -p2
|
|
%patch11 -p2
|
|
%patch12 -p2
|
|
%patch13 -p2
|
|
%patch14 -p2
|
|
%patch15 -p2
|
|
%patch16 -p2
|
|
%patch17 -p2
|
|
%patch18 -p2
|
|
%patch19 -p2
|
|
%patch20 -p2
|
|
%patch21 -p2
|
|
%patch22 -p2
|
|
%patch23 -p2
|
|
%patch24 -p2
|
|
%patch25 -p2
|
|
%patch26 -p2
|
|
%patch27 -p2
|
|
%patch28 -p2
|
|
%patch29 -p2
|
|
%patch30 -p2
|
|
%patch31 -p2
|
|
%patch32 -p2
|
|
%patch33 -p2
|
|
%patch34 -p2
|
|
%patch35 -p2
|
|
%patch36 -p2
|
|
%patch37 -p2
|
|
%patch38 -p2
|
|
%patch39 -p2
|
|
%patch40 -p2
|
|
%patch41 -p2
|
|
%patch42 -p2
|
|
%patch43 -p2
|
|
%patch44 -p2
|
|
%patch45 -p2
|
|
%patch46 -p2
|
|
%patch47 -p2
|
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
|
|
|
%build
|
|
# set libexec dir in the LDAP patch
|
|
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
|
$( grep -Rl @LIBEXECDIR@ \
|
|
$( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
|
)
|
|
|
|
autoreconf -fiv
|
|
%ifarch s390 s390x %sparc
|
|
PIEFLAGS="-fPIE"
|
|
%else
|
|
PIEFLAGS="-fpie"
|
|
%endif
|
|
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
|
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
|
LDFLAGS="-pie -Wl,--as-needed"
|
|
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
|
|
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|
%configure \
|
|
--prefix=%{_prefix} \
|
|
--mandir=%{_mandir} \
|
|
--infodir=%{_infodir} \
|
|
--sysconfdir=%{_sysconfdir}/ssh \
|
|
--libexecdir=%{_libexecdir}/ssh \
|
|
--with-tcp-wrappers \
|
|
%if %{has_libselinux}
|
|
--with-selinux \
|
|
%endif
|
|
%if %{uses_systemd}
|
|
--with-pid-dir=/run \
|
|
%endif
|
|
--with-ssl-engine \
|
|
--with-pam \
|
|
--with-kerberos5=%{_prefix} \
|
|
--with-privsep-path=/var/lib/empty \
|
|
%if %{sandbox_seccomp}
|
|
--with-sandbox=seccomp_filter \
|
|
%else
|
|
--with-sandbox=rlimit \
|
|
%endif
|
|
%ifnarch s390 s390x
|
|
--with-opensc \
|
|
%endif
|
|
--disable-strip \
|
|
--with-audit=linux \
|
|
--with-ldap \
|
|
--with-xauth=%{_bindir}/xauth \
|
|
%if %{needs_libedit}
|
|
--with-libedit \
|
|
%endif
|
|
--with-ssh1 \
|
|
--target=%{_target_cpu}-suse-linux \
|
|
|
|
### configure end
|
|
make %{?_smp_mflags}
|
|
|
|
#make %{?_smp_mflags} -C converter
|
|
|
|
%install
|
|
make install DESTDIR=%{buildroot}
|
|
#make install DESTDIR=%{buildroot} -C converter
|
|
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
|
install -d -m 755 %{buildroot}/var/lib/sshd
|
|
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
|
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
|
install -d -m 755 %{buildroot}%{_initddir}
|
|
%if %{uses_systemd}
|
|
install -m 0755 %{SOURCE1} .
|
|
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
|
ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
|
|
%else
|
|
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
|
install -m 0644 %{SOURCE10} .
|
|
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
|
%endif
|
|
install -d -m 755 %{buildroot}/var/adm/fillup-templates
|
|
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
|
|
# install shell script to automate the process of adding your public key to a remote machine
|
|
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
|
sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
|
|
|
%if %{has_fw_dir}
|
|
#install firewall definitions format is described here:
|
|
#%{_datadir}/SuSEfirewall2/services/TEMPLATE
|
|
mkdir -p %{buildroot}%{_fwdefdir}
|
|
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
|
%endif
|
|
|
|
# askpass wrapper
|
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
|
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
|
# sshd keys generator wrapper
|
|
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
|
|
|
# the hmac hashes - taken from openssl
|
|
#
|
|
# re-define the __os_install_post macro: the macro strips
|
|
# the binaries and thereby invalidates any hashes created earlier.
|
|
#
|
|
# this shows up earlier because otherwise the %expand of
|
|
# the macro is too late.
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
for b in \
|
|
%{_bindir}/ssh \
|
|
%{_sbindir}/sshd \
|
|
%{_libexecdir}/ssh/sftp-server \
|
|
; do
|
|
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
|
done
|
|
|
|
}}
|
|
|
|
%pre
|
|
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
|
|
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
|
|
%if %{uses_systemd}
|
|
%service_add_pre sshd.service
|
|
%endif
|
|
|
|
%post
|
|
%if %{uses_systemd}
|
|
%{fillup_only -n ssh sshd}
|
|
%service_add_post sshd.service
|
|
%else
|
|
%{fillup_and_insserv -n ssh sshd}
|
|
%endif
|
|
%set_permissions /etc/ssh/sshd_config
|
|
|
|
%preun
|
|
%if %{uses_systemd}
|
|
%service_del_preun sshd.service
|
|
%else
|
|
%stop_on_removal sshd
|
|
%endif
|
|
|
|
%postun
|
|
# The openssh-fips trigger script for openssh will normally restart sshd once
|
|
# it gets installed, so only restart the service here is openssh-fips is not
|
|
# present
|
|
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|
%if %{uses_systemd}
|
|
%service_del_postun sshd.service
|
|
%else
|
|
%restart_on_update sshd
|
|
%{insserv_cleanup}
|
|
%endif
|
|
|
|
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
|
%restart_on_update sshd
|
|
|
|
%verifyscript
|
|
%verify_permissions -e /etc/ssh/sshd_config
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
|
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
|
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
|
%exclude %{_libexecdir}/ssh/cavs*
|
|
%dir %attr(755,root,root) /var/lib/sshd
|
|
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO LICENCE CREDITS
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
|
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
|
%if %{uses_systemd}
|
|
%doc sshd.init
|
|
%attr(0644,root,root) %config %{_unitdir}/sshd.service
|
|
%else
|
|
%attr(0755,root,root) %config %{_initddir}/sshd
|
|
%doc sshd.service
|
|
%endif
|
|
%attr(0755,root,root) %{_bindir}/*
|
|
%attr(0755,root,root) %{_sbindir}/*
|
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
|
%exclude %{_libexecdir}/ssh/ssh-ldap*
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/*
|
|
%attr(0444,root,root) %doc %{_mandir}/man1/*
|
|
%attr(0444,root,root) %doc %{_mandir}/man5/*
|
|
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
|
%dir %{_sysconfdir}/slp.reg.d
|
|
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
|
/var/adm/fillup-templates/sysconfig.ssh
|
|
%if %{has_fw_dir}
|
|
%if %{needs_all_dirs}
|
|
%dir %{_fwdir}
|
|
%dir %{_fwdefdir}
|
|
%endif
|
|
%config %{_fwdefdir}/sshd
|
|
%endif
|
|
|
|
%files helpers
|
|
%defattr(-,root,root)
|
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
|
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
|
|
|
%files fips
|
|
%defattr(-,root,root)
|
|
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
|
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
|
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
|
|
|
%files cavs
|
|
%defattr(-,root,root)
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
|
|
|
%changelog
|