pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d83100ae13
openssh/openssh.spec
Petr Cerny d83100ae13 Accepting request 539322 from home:pcerny:factory 
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
2017-11-06 14:50:53 +00:00

414 lines
12 KiB
RPMSpec
Raw Blame History

#
# spec file for package openssh
#
# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%if 0%{suse_version} >= 1100
%define has_fw_dir 1
%else
%define has_fw_dir 0
%endif
%if 0%{suse_version} >= 1110
%define has_libselinux 1
%else
%define has_libselinux 0
%endif
%if 0%{?suse_version} >= 1130
%define needs_all_dirs 1
%else
%define needs_all_dirs 0
%endif
%if 0%{?suse_version} >= 1140
%define needs_libedit 1
%else
%define needs_libedit 0
%endif
%if 0%{?suse_version} > 1140
%define has_krb_mini 1
%else
%define has_krb_mini 0
%endif
%if 0%{?suse_version} > 1220
%define uses_systemd 1
%else
%define uses_systemd 0
%endif
%define sandbox_seccomp 0
%if 0%{?suse_version} > 1220
%define sandbox_seccomp 1
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%{!?_initddir:%global _initddir %{_initrddir}}
Name: openssh
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff
%if %{has_krb_mini}
BuildRequires: krb5-mini-devel
%else
BuildRequires: krb5-devel
%endif
%if %{needs_libedit}
BuildRequires: libedit-devel
%endif
%if %{has_libselinux}
BuildRequires: libselinux-devel
%endif
%if %{suse_version} < 1330
BuildRequires: openssl-devel
%else
BuildRequires: libopenssl-1_0_0-devel
%endif
BuildRequires: openldap2-devel
BuildRequires: pam-devel
%if %{uses_systemd}
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
BuildRequires: tcpd-devel
PreReq: pwdutils %{fillup_prereq} coreutils
%if ! %{uses_systemd}
PreReq: %{insserv_prereq}
%endif
Version: 7.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause and MIT
Group: Productivity/Networking/SSH
Url: http://www.openssh.com/
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source1: sshd.init
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
Source5: ssh.reg
Source6: ssh-askpass
Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Patch00: openssh-7.6p1-allow_root_password_login.patch
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
Patch02: openssh-7.6p1-lastlog.patch
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
Patch04: openssh-7.6p1-eal3.patch
Patch05: openssh-7.6p1-blocksigalrm.patch
Patch06: openssh-7.6p1-send_locale.patch
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
Patch09: openssh-7.6p1-pts_names_formatting.patch
Patch10: openssh-7.6p1-pam_check_locks.patch
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
Patch12: openssh-7.6p1-seccomp_getuid.patch
Patch13: openssh-7.6p1-seccomp_geteuid.patch
Patch14: openssh-7.6p1-seccomp_stat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh
Recommends: audit
Recommends: xauth
Recommends: %{name}-helpers = %{version}-%{release}
Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release}
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.
%package fips
Summary: OpenSSH FIPS cryptomodule HMACs
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release}
Obsoletes: %{name}-hmac
%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.
%package cavs
Summary: OpenSSH FIPS cryptomodule CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description cavs
FIPS140 CAVS tests related parts of the OpenSSH package
%prep
%setup -q
%patch00 -p2
%patch01 -p2
%patch02 -p2
%patch03 -p2
%patch04 -p2
%patch05 -p2
%patch06 -p2
%patch07 -p2
%patch08 -p2
%patch09 -p2
%patch10 -p2
%patch11 -p2
%patch12 -p2
%patch13 -p2
%patch14 -p2
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%build
### TODO: # set libexec dir in the LDAP patch
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
### TODO: $( grep -Rl @LIBEXECDIR@ \
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
### TODO: )
autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--prefix=%{_prefix} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-tcp-wrappers \
%if %{has_libselinux}
--with-selinux \
%endif
%if %{uses_systemd}
--with-pid-dir=/run \
%endif
--with-ssl-engine \
--with-pam \
--with-kerberos5=%{_prefix} \
--with-privsep-path=/var/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
%if %{needs_libedit}
--with-libedit \
%endif
--with-ssh1 \
--target=%{_target_cpu}-suse-linux \
### configure end
make %{?_smp_mflags}
#make %{?_smp_mflags} -C converter
%install
make install DESTDIR=%{buildroot}
#make install DESTDIR=%{buildroot} -C converter
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -d -m 755 %{buildroot}/var/lib/sshd
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -d -m 755 %{buildroot}%{_initddir}
%if %{uses_systemd}
install -m 0755 %{SOURCE1} .
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
%else
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
install -m 0644 %{SOURCE10} .
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
%endif
install -d -m 755 %{buildroot}/var/adm/fillup-templates
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
%if %{has_fw_dir}
#install firewall definitions format is described here:
#%{_datadir}/SuSEfirewall2/services/TEMPLATE
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
%if %{uses_systemd}
%service_add_pre sshd.service
%endif
%post
%if %{uses_systemd}
%{fillup_only -n ssh sshd}
%service_add_post sshd.service
%else
%{fillup_and_insserv -n ssh sshd}
%endif
%set_permissions /etc/ssh/sshd_config
%preun
%if %{uses_systemd}
%service_del_preun sshd.service
%else
%stop_on_removal sshd
%endif
%postun
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here is openssh-fips is not
# present
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%if %{uses_systemd}
%service_del_postun sshd.service
%else
%restart_on_update sshd
%{insserv_cleanup}
%endif
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config
%files
%defattr(-,root,root)
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/cavs*
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%if %{uses_systemd}
%doc sshd.init
%attr(0644,root,root) %config %{_unitdir}/sshd.service
%else
%attr(0755,root,root) %config %{_initddir}/sshd
%doc sshd.service
%endif
%attr(0755,root,root) %{_bindir}/*
%attr(0755,root,root) %{_sbindir}/*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%exclude %{_libexecdir}/ssh/ssh-ldap*
%attr(0755,root,root) %{_libexecdir}/ssh/*
%attr(0444,root,root) %doc %{_mandir}/man1/*
%attr(0444,root,root) %doc %{_mandir}/man5/*
%attr(0444,root,root) %doc %{_mandir}/man8/*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%if %{has_fw_dir}
%if %{needs_all_dirs}
%dir %{_fwdir}
%dir %{_fwdefdir}
%endif
%config %{_fwdefdir}/sshd
%endif
%files helpers
%defattr(-,root,root)
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
#verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
#attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
#doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips
%defattr(-,root,root)
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
%defattr(-,root,root)
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
%changelog
Reference in New Issue View Git Blame Copy Permalink