diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 77a3ebe..9109aa5 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt + +- Upgrade some old specfile constructs/macros. + +------------------------------------------------------------------- +Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson + +- Supplement openssh-clients instead of openssh (bsc#1176434). + ------------------------------------------------------------------- Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 92dfc7e..7df1ed5 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ URL: http://www.openssh.com/ Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Requires: %{_name} = %{version} -Supplements: packageand(openssh:libgtk-3-0) +Supplements: packageand(openssh-clients:libgtk-3-0) %if 0%{?suse_version} >= 1550 BuildRequires: gtk3-devel %else 
@@ -40,15 +40,15 @@ for executing commands on a remote machine. This package contains a GNOME-based passphrase dialog for OpenSSH. %prep -%setup -q -n %{_name}-%{version} +%autosetup -p1 -n %{_name}-%{version} %build cd contrib export CFLAGS="%{optflags}" %if 0%{?suse_version} >= 1550 -make %{?_smp_mflags} gnome-ssh-askpass3 +%make_build gnome-ssh-askpass3 %else -make %{?_smp_mflags} gnome-ssh-askpass2 +%make_build gnome-ssh-askpass2 %endif %install diff --git a/openssh.changes b/openssh.changes index 6f11825..cd21072 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,43 @@ +------------------------------------------------------------------- +Thu Oct 8 21:38:27 UTC 2020 - Hans Petter Jansson + +- Work around %service_add_post disabling sshd on upgrade with + package name change (bsc#1177039). + +------------------------------------------------------------------- +Fri Sep 25 13:40:51 UTC 2020 - Dominique Leuenberger + +- Fix fillup-template usage: + + %post server needs to reference ssh (not sshd), which matches + the sysconfig.ssh file name the package ships. + + %post client does not need any fillup_ calls, as there is no + client-relevant sysconfig file present. The naming of the + sysconfig file (ssh instead of sshd) is unfortunate. + +------------------------------------------------------------------- +Fri Sep 25 10:59:50 UTC 2020 - Franck Bui + +- Use of DISABLE_RESTART_ON_UPDATE is deprecated. + + Replace it with %service_del_postun_without_restart + +------------------------------------------------------------------- +Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt + +- Move some Requires to the right subpackage. +- Avoid ">&" bashism in %post. +- Upgrade some old specfile constructs/macros and drop unnecessary + %{?systemd_*}. +- Trim descriptions and straighten out the grammar. + +------------------------------------------------------------------- +Thu Sep 10 21:38:30 UTC 2020 - Hans Petter Jansson + +- Split openssh package into openssh, openssh-common, + openssh-server and openssh-clients. This allows for the ssh + clients to be installed without the server component + (bsc#1176434). + ------------------------------------------------------------------- Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 00b915f..359ae20 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,6 +30,9 @@ %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" +%define _tmpenableddir %{_localstatedir}/lib/sshd +%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp + #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates @@ -113,14 +116,8 @@ BuildRequires: pkgconfig BuildRequires: zlib-devel BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libsystemd) -Requires(post): %fillup_prereq -Requires(pre): shadow -Recommends: %{name}-helpers = %{version}-%{release} -Recommends: audit -Conflicts: %{name}-fips < %{version}-%{release} -Conflicts: %{name}-fips > %{version}-%{release} -Conflicts: nonfreessh -%{?systemd_requires} +Requires: %{name}-clients = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} %if %{with tirpc} BuildRequires: libtirpc-devel %endif 
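Review bot: `_tmpenableddir` and `_tmpenabledfile` are added without a comment, and the scratch file is placed in `%{_localstatedir}/lib/sshd`, which the `useradd` call later in this spec uses as the sshd account's home directory. A comment such as `# Scratch file: sshd enablement state saved in %%pre, read and removed in %%post server` would make the file's lifetime clear at the point of definition. If that directory also serves as sshd's privilege-separation directory (not visible here), a file left behind by an aborted transaction would sit in a directory that is meant to stay empty, so a location outside it may be preferable.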
@@ -132,40 +129,112 @@ BuildRequires: krb5-mini-devel %description SSH (Secure Shell) is a program for logging into and executing commands -on a remote machine. It is intended to replace rsh (rlogin and rsh) and -provides openssl (secure encrypted communication) between two untrusted +on a remote machine. It replaces rsh (rlogin and rsh) and +provides secure encrypted communication between two untrusted hosts over an insecure network. xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. +This is a dummy package that pulls in both the client and server +components. + +%package common +Summary: SSH (Secure Shell) common files +Group: Productivity/Networking/SSH +Conflicts: nonfreessh +Conflicts: %{name}-fips < %{version}-%{release} +Conflicts: %{name}-fips > %{version}-%{release} + +%description common +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains common files for the Secure Shell server and +clients. + +%package server +Summary: SSH (Secure Shell) server +Group: Productivity/Networking/SSH +Requires: %{name}-common = %{version}-%{release} +Recommends: audit +Requires(pre): shadow +Requires(post): %fillup_prereq +Requires(post): permissions +Provides: openssh:%{_sbindir}/sshd + +%description server +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. 
+ +This package contains the Secure Shell daemon, which allows clients to +securely connect to your server. + +%package clients +Summary: SSH (Secure Shell) client applications +Group: Productivity/Networking/SSH +Requires: %{name}-common = %{version}-%{release} +Provides: openssh:%{_bindir}/ssh + +%description clients +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains clients for making secure connections to Secure +Shell servers. + %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} %description helpers -Helper applications for OpenSSH which retrieve keys from various sources. +SSH (Secure Shell) is a program for logging into and executing commands +on a remote machine. It replaces rsh (rlogin and rsh) and +provides secure encrypted communication between two untrusted +hosts over an insecure network. + +xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can +also be forwarded over the secure channel. + +This package contains helper applications for OpenSSH which retrieve +keys from various sources. 
%package fips -Summary: OpenSSH FIPS cryptomodule HMACs +Summary: OpenSSH FIPS crypto module HMACs Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} -Conflicts: %{name} < %{version}-%{release} -Conflicts: %{name} > %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Conflicts: %{name}-common < %{version}-%{release} +Conflicts: %{name}-common > %{version}-%{release} Obsoletes: %{name}-hmac %description fips -Hashes that together with the main package form the FIPS certifiable -cryptomodule. +This package contains hashes that, together with the main openssh packages, +form the FIPS certifiable crypto module. %package cavs -Summary: OpenSSH FIPS cryptomodule CAVS tests +Summary: OpenSSH FIPS crypto module CAVS tests Group: Productivity/Networking/SSH -Requires: %{name} = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} %description cavs -FIPS140 CAVS tests related parts of the OpenSSH package +This package contains the FIPS-140 CAVS (Cryptographic Algorithm +Validation Program/Suite) related tests of OpenSSH. %prep %setup -q 
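Review bot: The `fips` stanza now requires and conflicts with `%{name}-common`, but the `%triggerin -n openssh-fips -- %{name} = %{version}-%{release}` line, shown later in this diff as unchanged context, is still keyed on the now-empty `openssh` package. The new `%postun server` branch skips the restart whenever openssh-fips is installed. A system with openssh-server and openssh-fips but without the `openssh` meta package would therefore apparently get no sshd restart after an update, and the old daemon binary would keep running. Consider keying the trigger on the server subpackage, `%triggerin -n openssh-fips -- %{name}-server = %{version}-%{release}`. The `%files fips` section is not in view, so confirm against the full spec.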
@@ -265,55 +334,87 @@ done }} %pre +# Remember whether the sshd service was enabled prior to an upgrade. This +# is needed when upgrading to a split-off openssh-server package. The +# %%service_add_post scriptlet (in %%post server) will see it as a new service +# and apply the preset, disabling it. We need to reenable it afterwards if +# necessary. +if [ -x %{_bindir}/systemctl ]; then + mkdir -p %{_tmpenableddir} || : + %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : +fi + +%pre server getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd + +# See %%pre. +if [ -x %{_bindir}/systemctl ]; then + mkdir -p %{_tmpenableddir} || : + %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : +fi + %service_add_pre sshd.service -%post -%{fillup_only -n ssh sshd} +%post server +%{fillup_only -n ssh} %service_add_post sshd.service %set_permissions %{_sysconfdir}/ssh/sshd_config -%preun +# Work around %%service_add_post disabling the service on upgrades where +# the package name changed. +if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \ + && [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then + systemctl enable sshd || : +fi + +rm -f %{_tmpenabledfile} + +%preun server %service_del_preun sshd.service -%postun +%postun server # The openssh-fips trigger script for openssh will normally restart sshd once -# it gets installed, so only restart the service here is openssh-fips is not -# present -rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes +# it gets installed, so only restart the service here if openssh-fips is not +# present. 
+if rpm -q openssh-fips >/dev/null 2>/dev/null; then +%service_del_postun_without_restart sshd.service +else %service_del_postun sshd.service +fi %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd -%verifyscript +%verifyscript server %verify_permissions -e %{_sysconfdir}/ssh/sshd_config %files -%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX} -%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX} -%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} -%exclude %{_libexecdir}/ssh/cavs* -%dir %attr(755,root,root) %{_localstatedir}/lib/sshd +# openssh is an empty package that depends on -clients and -server, +# resulting in a clean upgrade path from prior to the split even when +# recommends are disabled. + +%files common %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli -%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0444,root,root) %{_mandir}/man5/moduli.5* +%attr(0755,root,root) %{_bindir}/ssh-keygen* + +%files server +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_sbindir}/rcsshd +%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start +%dir %attr(755,root,root) %{_localstatedir}/lib/sshd +%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %attr(0644,root,root) %{_unitdir}/sshd.service -%attr(0755,root,root) %{_bindir}/* -%attr(0755,root,root) %{_sbindir}/* -%attr(0755,root,root) %dir %{_libexecdir}/ssh -%exclude %{_libexecdir}/ssh/ssh-ldap* -%attr(0755,root,root) %{_libexecdir}/ssh/* -%attr(0444,root,root) %{_mandir}/man1/* -%attr(0444,root,root) %{_mandir}/man5/* 
-%attr(0444,root,root) %{_mandir}/man8/* -%exclude %{_mandir}/man5/ssh-ldap* -%exclude %{_mandir}/man8/ssh-ldap* +%attr(0444,root,root) %{_mandir}/man5/sshd_config* +%attr(0444,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0444,root,root) %{_mandir}/man8/sshd.8* +%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg %{_fillupdir}/sysconfig.ssh @@ -323,6 +424,32 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %config %{_fwdefdir}/sshd %endif +%files clients +%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0755,root,root) %{_bindir}/ssh +%attr(0755,root,root) %{_bindir}/scp* +%attr(0755,root,root) %{_bindir}/sftp* +%attr(0755,root,root) %{_bindir}/ssh-add* +%attr(0755,root,root) %{_bindir}/ssh-agent* +%attr(0755,root,root) %{_bindir}/ssh-copy-id* +%attr(0755,root,root) %{_bindir}/ssh-keyscan* +%attr(0755,root,root) %dir %{_libexecdir}/ssh +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper* +%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper* +%attr(0444,root,root) %{_mandir}/man1/scp.1* +%attr(0444,root,root) %{_mandir}/man1/sftp.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0444,root,root) %{_mandir}/man1/ssh.1* +%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1* +%attr(0444,root,root) %{_mandir}/man5/ssh_config.5* +%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* +%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8* +%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8* + %files helpers %attr(0755,root,root) %dir %{_sysconfdir}/ssh %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
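Review bot: The re-enable test in `%post server` uses `==` inside `[ ]` with an unquoted command substitution, a bashism of the same kind this change removes elsewhere (`>&`). Under a POSIX `/bin/sh` the test errors out, the condition evaluates false, and sshd stays disabled after the upgrade, which can cut off remote access. Write it as `[ "x$(cat %{_tmpenabledfile} 2>/dev/null)" = "xenabled" ]`, and call `%{_bindir}/systemctl enable sshd` so the binary checked with `-x` is the one that runs. Separately, `%files server` changes `sshd_config` from `0600` to `0640` with no matching entry in the visible `openssh.changes` hunk; if intentional, it deserves a changelog line.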
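Review bot: `%dir %{_libexecdir}/ssh` is declared only in `%files clients`, while `%files server` ships `%{_libexecdir}/ssh/sftp-server` and the server subpackage requires only `%{name}-common`. On a server-only install the directory would be created implicitly and owned by no installed package, so its mode and owner are not covered by `rpm --verify`. Add `%attr(0755,root,root) %dir %{_libexecdir}/ssh` to `%files server` as well, the way `%files helpers` repeats `%dir %{_sysconfdir}/ssh`. Three lines between the two hunks are not shown, so check that they do not already cover it.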