Accepting request 841947 from network

- Work around %service_add_post disabling sshd on upgrade with package name change (bsc#1177039). - Use of DISABLE_RESTART_ON_UPDATE is deprecated. Replace it with %service_del_postun_without_restart (forwarded request 840337 from hpjansson) OBS-URL: https://build.opensuse.org/request/show/841947 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=143
2020-10-18 14:28:44 +00:00 · 2020-10-18 14:28:44 +00:00 · 8bacc30c33
commit 8bacc30c33
parent 3ce85325a2 f0e7b033d5
4 changed files with 229 additions and 52 deletions
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
+
+- Upgrade some old specfile constructs/macros.
+
+-------------------------------------------------------------------
+Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
+
+- Supplement openssh-clients instead of openssh (bsc#1176434).
+
 -------------------------------------------------------------------
 Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt <fvogt@suse.com>

--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -27,7 +27,7 @@ URL:            http://www.openssh.com/
 Source:         http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
 Source42:       http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
 Requires:       %{_name} = %{version}
-Supplements:    packageand(openssh:libgtk-3-0)
+Supplements:    packageand(openssh-clients:libgtk-3-0)
 %if 0%{?suse_version} >= 1550
 BuildRequires:  gtk3-devel
 %else
@ -40,15 +40,15 @@ for executing commands on a remote machine. This package contains a
 GNOME-based passphrase dialog for OpenSSH.

 %prep
-%setup -q -n %{_name}-%{version}
+%autosetup -p1 -n %{_name}-%{version}

 %build
 cd contrib
 export CFLAGS="%{optflags}"
 %if 0%{?suse_version} >= 1550
-make %{?_smp_mflags} gnome-ssh-askpass3
+%make_build gnome-ssh-askpass3
 %else
-make %{?_smp_mflags} gnome-ssh-askpass2
+%make_build gnome-ssh-askpass2
 %endif

 %install
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu Oct  8 21:38:27 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
+
+- Work around %service_add_post disabling sshd on upgrade with
+  package name change (bsc#1177039).
+
+-------------------------------------------------------------------
+Fri Sep 25 13:40:51 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Fix fillup-template usage:
+  + %post server needs to reference ssh (not sshd), which matches
+    the sysconfig.ssh file name the package ships.
+  + %post client does not need any fillup_ calls, as there is no
+    client-relevant sysconfig file present. The naming of the
+    sysconfig file (ssh instead of sshd) is unfortunate.
+
+-------------------------------------------------------------------
+Fri Sep 25 10:59:50 UTC 2020 - Franck Bui <fbui@suse.com>
+
+- Use of DISABLE_RESTART_ON_UPDATE is deprecated.
+
+  Replace it with %service_del_postun_without_restart
+
+-------------------------------------------------------------------
+Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
+
+- Move some Requires to the right subpackage.
+- Avoid ">&" bashism in %post.
+- Upgrade some old specfile constructs/macros and drop unnecessary
+  %{?systemd_*}.
+- Trim descriptions and straighten out the grammar.
+
+-------------------------------------------------------------------
+Thu Sep 10 21:38:30 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
+
+- Split openssh package into openssh, openssh-common,
+  openssh-server and openssh-clients. This allows for the ssh
+  clients to be installed without the server component
+  (bsc#1176434).
+
 -------------------------------------------------------------------
 Fri Jun  5 00:36:08 UTC 2020 - Hans Petter Jansson <hpj@suse.com>

--- a/openssh.spec
+++ b/openssh.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -30,6 +30,9 @@
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+%define _tmpenableddir  %{_localstatedir}/lib/sshd
+%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
@ -113,14 +116,8 @@ BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(libfido2)
 BuildRequires:  pkgconfig(libsystemd)
-Requires(post): %fillup_prereq
-Requires(pre):  shadow
-Recommends:     %{name}-helpers = %{version}-%{release}
-Recommends:     audit
-Conflicts:      %{name}-fips < %{version}-%{release}
-Conflicts:      %{name}-fips > %{version}-%{release}
-Conflicts:      nonfreessh
-%{?systemd_requires}
+Requires:       %{name}-clients = %{version}-%{release}
+Requires:       %{name}-server = %{version}-%{release}
 %if %{with tirpc}
 BuildRequires:  libtirpc-devel
 %endif
@ -132,40 +129,112 @@ BuildRequires:  krb5-mini-devel

 %description
 SSH (Secure Shell) is a program for logging into and executing commands
-on a remote machine. It is intended to replace rsh (rlogin and rsh) and
-provides openssl (secure encrypted communication) between two untrusted
+on a remote machine. It replaces rsh (rlogin and rsh) and
+provides secure encrypted communication between two untrusted
 hosts over an insecure network.

 xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
 also be forwarded over the secure channel.

+This is a dummy package that pulls in both the client and server
+components.
+
+%package common
+Summary:        SSH (Secure Shell) common files
+Group:          Productivity/Networking/SSH
+Conflicts:      nonfreessh
+Conflicts:      %{name}-fips < %{version}-%{release}
+Conflicts:      %{name}-fips > %{version}-%{release}
+
+%description common
+SSH (Secure Shell) is a program for logging into and executing commands
+on a remote machine. It replaces rsh (rlogin and rsh) and
+provides secure encrypted communication between two untrusted
+hosts over an insecure network.
+
+xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
+also be forwarded over the secure channel.
+
+This package contains common files for the Secure Shell server and
+clients.
+
+%package server
+Summary:        SSH (Secure Shell) server
+Group:          Productivity/Networking/SSH
+Requires:       %{name}-common = %{version}-%{release}
+Recommends:     audit
+Requires(pre):  shadow
+Requires(post): %fillup_prereq
+Requires(post): permissions
+Provides:       openssh:%{_sbindir}/sshd
+
+%description server
+SSH (Secure Shell) is a program for logging into and executing commands
+on a remote machine. It replaces rsh (rlogin and rsh) and
+provides secure encrypted communication between two untrusted
+hosts over an insecure network.
+
+xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
+also be forwarded over the secure channel.
+
+This package contains the Secure Shell daemon, which allows clients to
+securely connect to your server.
+
+%package clients
+Summary:        SSH (Secure Shell) client applications
+Group:          Productivity/Networking/SSH
+Requires:       %{name}-common = %{version}-%{release}
+Provides:       openssh:%{_bindir}/ssh
+
+%description clients
+SSH (Secure Shell) is a program for logging into and executing commands
+on a remote machine. It replaces rsh (rlogin and rsh) and
+provides secure encrypted communication between two untrusted
+hosts over an insecure network.
+
+xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
+also be forwarded over the secure channel.
+
+This package contains clients for making secure connections to Secure
+Shell servers.
+
 %package helpers
 Summary:        OpenSSH AuthorizedKeysCommand helpers
 Group:          Productivity/Networking/SSH
-Requires:       %{name} = %{version}-%{release}
+Requires:       %{name}-common = %{version}-%{release}

 %description helpers
-Helper applications for OpenSSH which retrieve keys from various sources.
+SSH (Secure Shell) is a program for logging into and executing commands
+on a remote machine. It replaces rsh (rlogin and rsh) and
+provides secure encrypted communication between two untrusted
+hosts over an insecure network.
+
+xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
+also be forwarded over the secure channel.
+
+This package contains helper applications for OpenSSH which retrieve
+keys from various sources.

 %package fips
 Summary:        OpenSSH FIPS crypto module HMACs
 Group:          Productivity/Networking/SSH
-Requires:       %{name} = %{version}-%{release}
-Conflicts:      %{name} < %{version}-%{release}
-Conflicts:      %{name} > %{version}-%{release}
+Requires:       %{name}-common = %{version}-%{release}
+Conflicts:      %{name}-common < %{version}-%{release}
+Conflicts:      %{name}-common > %{version}-%{release}
 Obsoletes:      %{name}-hmac

 %description fips
-Hashes that together with the main package form the FIPS certifiable
-cryptomodule.
+This package contains hashes that, together with the main openssh packages,
+form the FIPS certifiable crypto module.

 %package cavs
 Summary:        OpenSSH FIPS crypto module CAVS tests
 Group:          Productivity/Networking/SSH
-Requires:       %{name} = %{version}-%{release}
+Requires:       %{name}-common = %{version}-%{release}

 %description cavs
-FIPS140 CAVS tests related parts of the OpenSSH package
+This package contains the FIPS-140 CAVS (Cryptographic Algorithm
+Validation Program/Suite) related tests of OpenSSH.

 %prep
 %setup -q
@ -265,55 +334,87 @@ done
 }}

 %pre
+# Remember whether the sshd service was enabled prior to an upgrade. This
+# is needed when upgrading to a split-off openssh-server package. The
+# %%service_add_post scriptlet (in %%post server) will see it as a new service
+# and apply the preset, disabling it. We need to reenable it afterwards if
+# necessary.
+if [ -x %{_bindir}/systemctl ]; then
+    mkdir -p %{_tmpenableddir} || :
+    %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+fi
+
+%pre server
 getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
 getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
+
+# See %%pre.
+if [ -x %{_bindir}/systemctl ]; then
+    mkdir -p %{_tmpenableddir} || :
+    %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
+fi
+
 %service_add_pre sshd.service

-%post
-%{fillup_only -n ssh sshd}
+%post server
+%{fillup_only -n ssh}
 %service_add_post sshd.service
 %set_permissions %{_sysconfdir}/ssh/sshd_config

-%preun
+# Work around %%service_add_post disabling the service on upgrades where
+# the package name changed.
+if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \
+    && [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then
+    systemctl enable sshd || :
+fi
+
+rm -f %{_tmpenabledfile}
+
+%preun server
 %service_del_preun sshd.service

-%postun
+%postun server
 # The openssh-fips trigger script for openssh will normally restart sshd once
-# it gets installed, so only restart the service here is openssh-fips is not
-# present
-rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
+# it gets installed, so only restart the service here if openssh-fips is not
+# present.
+if rpm -q openssh-fips >/dev/null 2>/dev/null; then
+%service_del_postun_without_restart sshd.service
+else
 %service_del_postun sshd.service
+fi

 %triggerin -n openssh-fips -- %{name} = %{version}-%{release}
 %restart_on_update sshd

-%verifyscript
+%verifyscript server
 %verify_permissions -e %{_sysconfdir}/ssh/sshd_config

 %files
-%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
-%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
-%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
-%exclude %{_libexecdir}/ssh/cavs*
-%dir %attr(755,root,root) %{_localstatedir}/lib/sshd
+# openssh is an empty package that depends on -clients and -server,
+# resulting in a clean upgrade path from prior to the split even when
+# recommends are disabled.
+
+%files common
 %license LICENCE
 %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
+%attr(0444,root,root) %{_mandir}/man5/moduli.5*
+%attr(0755,root,root) %{_bindir}/ssh-keygen*
+
+%files server
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %{_sbindir}/rcsshd
+%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
+%dir %attr(755,root,root) %{_localstatedir}/lib/sshd
+%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %attr(0644,root,root) %{_unitdir}/sshd.service
-%attr(0755,root,root) %{_bindir}/*
-%attr(0755,root,root) %{_sbindir}/*
-%attr(0755,root,root) %dir %{_libexecdir}/ssh
-%exclude %{_libexecdir}/ssh/ssh-ldap*
-%attr(0755,root,root) %{_libexecdir}/ssh/*
-%attr(0444,root,root) %{_mandir}/man1/*
-%attr(0444,root,root) %{_mandir}/man5/*
-%attr(0444,root,root) %{_mandir}/man8/*
-%exclude %{_mandir}/man5/ssh-ldap*
-%exclude %{_mandir}/man8/ssh-ldap*
+%attr(0444,root,root) %{_mandir}/man5/sshd_config*
+%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
+%attr(0444,root,root) %{_mandir}/man8/sshd.8*
+%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg
 %{_fillupdir}/sysconfig.ssh
@ -323,6 +424,32 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
 %config %{_fwdefdir}/sshd
 %endif

+%files clients
+%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(0755,root,root) %{_bindir}/scp*
+%attr(0755,root,root) %{_bindir}/sftp*
+%attr(0755,root,root) %{_bindir}/ssh-add*
+%attr(0755,root,root) %{_bindir}/ssh-agent*
+%attr(0755,root,root) %{_bindir}/ssh-copy-id*
+%attr(0755,root,root) %{_bindir}/ssh-keyscan*
+%attr(0755,root,root) %dir %{_libexecdir}/ssh
+%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
+%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
+%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
+%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
+%attr(0444,root,root) %{_mandir}/man1/scp.1*
+%attr(0444,root,root) %{_mandir}/man1/sftp.1*
+%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
+%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
+%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
+%attr(0444,root,root) %{_mandir}/man1/ssh.1*
+%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
+%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
+%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
+%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
+
 %files helpers
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf