auto-import openssh-3.4p1-1 from openssh-3.4p1-1.src.rpm

2004-09-09 09:43:04 +00:00 · 2004-09-09 09:43:04 +00:00 · 8264e71c40
parent 7c1cbd34c7
commit 8264e71c40
3 changed files with 109 additions and 79 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1,2 +1,2 @@
-openssh-3.1p1.tar.gz
+openssh-3.4p1.tar.gz
 x11-ssh-askpass-1.2.4.1.tar.gz
--- a/openssh.spec
+++ b/openssh.spec
@ -1,3 +1,7 @@
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid    74
+%define sshd_gid    74
+
 # Version of ssh-askpass
 %define aversion 1.2.4.1

@ -19,6 +23,12 @@
 # Disable IPv6 (avoids DNS hangs on some glibc versions)
 %define noip6 0

+# Use gtk2 instead of gnome1 for gnome-ssh-askpass.
+%define gtk2 1
+
+# Whether or not /sbin/nologin exists.
+%define nologin 1
+
 # Reserve options to override askpass settings with:
 # rpm -ba|--rebuild --define 'skip_xxx 1'
 %{?skip_x11_askpass:%define no_x11_askpass 1}
@ -51,52 +61,49 @@

 Summary: The OpenSSH implementation of SSH.
 Name: openssh
-Version: 3.1p1
+Version: 3.4p1
 %if %{rescue}
-Release: 10rescue
+Release: 1rescue
 %else
-Release: 10
+Release: 1
 %endif
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
-Source2: openssh.init
-Source3: gnome-ssh-askpass.sh
-Source4: gnome-ssh-askpass.csh
-Source5: openssh-closing.txt
 Patch0: openssh-SNAP-20020220-redhat.patch
-Patch1: openssh-2.3.0p1-path.patch
-Patch2: openssh-2.9p1-groups.patch
-Patch3: openssh-3.1p1-defaultkeys.patch
-Patch4: openssh-adv.iss.patch
-Patch5: openssh-3.1p1-pam-timing.patch
-Patch6: openssh-3.1p1-buffer-size.patch
-Patch7: openssh-3.1p1-skip-initial.patch
-Patch11: http://www.sxw.org.uk/computing/patches/openssh-mit-krb5-20020326.diff
-Patch12: http://www.sxw.org.uk/computing/patches/openssh-3.1p1-gssapi-20020325.diff
-Patch13: http://bugzilla.mindrot.org/showattachment.cgi?attach_id=37
+Patch1: openssh-2.9p1-groups.patch
+Patch2: gnome-ssh-askpass-gtk2.patch
+Patch3: openssh-TODO.patch
+#Patch11: http://www.sxw.org.uk/computing/patches/openssh-3.2.3p1-gssapi-20020527.diff
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 Obsoletes: ssh
+%if %{nologin}
+Requires: /sbin/nologin
+%endif
+
 %if %{build6x}
 PreReq: initscripts >= 5.00
 %else
 PreReq: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+
+BuildPreReq: openssl-devel, perl, sharutils, tcp_wrappers
 BuildPreReq: /bin/login
+
 %if %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
 BuildPreReq: /usr/include/security/pam_appl.h
 %endif
-BuildPrereq: autoconf
+
 %if ! %{no_x11_askpass}
 BuildPreReq: XFree86-devel
 %endif
+
 %if ! %{no_gnome_askpass}
-BuildPreReq: gnome-libs-devel, db1-devel
+BuildPreReq: gnome-libs-devel
 %endif

 %package clients
@ -109,7 +116,7 @@ Obsoletes: ssh-clients
 Summary: The OpenSSH server daemon.
 Group: System Environment/Daemons
 Obsoletes: ssh-server
-PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9, /usr/sbin/useradd
 %if ! %{build6x}
 Requires: /etc/pam.d/system-auth
 %endif
@ -173,43 +180,33 @@ environment.
 %setup -q
 %endif
 %patch0 -p1 -b .redhat
-%patch1 -p1 -b .path
-%patch2 -p1 -b .groups
-%patch3 -p0 -b .defaultkeys
-%patch4 -p0 -b .adv.iss
-%patch5 -p1 -b .pam-timing
-%patch6 -p0 -b .buffer-size
-%patch7 -p1 -b .skip-initial
-
-%if %{build6x}
-%patch13 -p0 -b .openssl095a
+%patch1 -p1 -b .groups
+%if %{gtk2}
+%patch2 -p0 -b .gtk2
 %endif
+%patch3 -p0 -b .TODO

 # Apply gss-specific patches only if the release tag includes "gss".  (Not
 # to be used for actual releases until it's in the mainline.)
-if echo "%{release}" | grep -q gss; then
-%patch11 -p0 -b .krb5
-%patch12 -p1 -b .gssapi
-autoreconf-2.53
-fi
+# if echo "%{release}" | grep -q gss; then
+# %patch11 -p1 -b .gssapi
+# autoreconf-2.53
+# fi

 %build
 %if %{rescue}
 CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %endif

-# Only enable Kerberos support if we applied a patch for GSSAPI support.
-moreflags=
-if echo "%{release}" | grep -q gss; then
-moreflags=--with-kerberos5=/usr/kerberos
-fi
-
 %configure \
 	--sysconfdir=%{_sysconfdir}/ssh \
 	--libexecdir=%{_libexecdir}/openssh \
 	--datadir=%{_datadir}/openssh \
 	--with-tcp-wrappers \
 	--with-rsh=%{_bindir}/rsh \
+	--with-default-path=/usr/local/bin:/bin:/usr/bin \
+	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+	--with-privsep-path=%{_var}/empty/sshd \
 %if %{scard}
 	--with-smartcard \
 %endif
@ -220,9 +217,9 @@ fi
 	--with-ipv4-default \
 %endif
 %if %{rescue}
-	--without-pam --with-md5-passwords $moreflags
+	--without-pam --with-md5-passwords --without-kerberos5
 %else
-	--with-pam $moreflags
+	--with-pam --with-kerberos5=/usr/kerberos
 %endif

 %if %{static_libcrypto}
@ -240,11 +237,25 @@ make
 popd
 %endif

+# Define a variable to toggle gnome1/gtk2 building.  This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+gtk2=yes
+%else
+gtk2=no
+%endif
+
 %if ! %{no_gnome_askpass}
 pushd contrib
-gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
-        gnome-ssh-askpass.c -o gnome-ssh-askpass \
-        `gnome-config --libs gnome gnomeui`
+if [ $gtk2 = yes ] ; then
+	gcc $RPM_OPT_FLAGS `pkg-config --cflags gtk+-2.0` \
+		gnome-ssh-askpass.c -o gnome-ssh-askpass \
+		`pkg-config --libs gtk+-2.0`
+else
+	gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
+		gnome-ssh-askpass.c -o gnome-ssh-askpass \
+		`gnome-config --libs gnome gnomeui`
+fi
 popd
 %endif

@ -252,17 +263,19 @@ popd
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 make install DESTDIR=$RPM_BUILD_ROOT

 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
 %if ! %{build6x}
-install -m644 contrib/redhat/sshd.pam-7.x $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m644 contrib/redhat/sshd.pam      $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m755 contrib/redhat/sshd.init     $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 %else
-install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m644 contrib/redhat/sshd.pam.old  $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m755 contrib/redhat/sshd.init.old $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 %endif
-install -m755 $RPM_SOURCE_DIR/openssh.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd

 %if ! %{no_x11_askpass}
 install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
@ -273,12 +286,9 @@ ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif

-%if ! %{scard}
-rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
-%endif
- 
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
-install -m 755 %{SOURCE3} %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/

 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

@ -313,6 +323,15 @@ if [ "$1" != 0 ] ; then
 	fi
 fi

+%pre server
+%if %{nologin}
+/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+	-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+%else
+/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+	-s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
+%endif
+
 %post server
 /sbin/chkconfig --add sshd

@ -337,6 +356,8 @@ fi
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %endif
 %if %{scard}
 %attr(0755,root,root) %dir %{_datadir}/openssh
@ -345,7 +366,7 @@ fi

 %files clients
 %defattr(-,root,root)
-%attr(4755,root,root) %{_bindir}/ssh
+%attr(0755,root,root) %{_bindir}/ssh
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %attr(-,root,root) %{_bindir}/slogin
@ -359,13 +380,16 @@ fi
 %attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %endif

 %if ! %{rescue}
 %files server
 %defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
@ -392,33 +416,39 @@ fi
 %endif

 %changelog
-* Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-10
- rebuild
+* Thu Jun 27 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-1
+- 3.4p1
+- drop anon mmap patch

-* Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-9
- apply patch to store the correct buffer size in allocated buffers
-  (CAN-2003-0693)
- skip the initial PAM authentication attempt with an empty password if
-  empty passwords are not permitted in our configuration (#103998)
+* Tue Jun 25 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-2
+- rework the close-on-exit docs
+- include configuration file man pages
+- make use of nologin as the privsep shell optional

-* Fri Jul  4 2003 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-8
- rebuild
+* Mon Jun 24 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-1
+- update to 3.3p1
+- merge in spec file changes from upstream (remove setuid from ssh, ssh-keysign)
+- disable gtk2 askpass
+- require pam-devel by filename rather than by package for erratum
+- include patch from Solar Designer to work around anonymous mmap failures

-* Thu Jun  5 2003 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-7
- backport patch to close timing attacks when PAM authentication is
-  short-circuited by other checks
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild

-* Wed Jun 26 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-6
- rebuild
+* Fri Jun  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-3
+- don't require autoconf any more

-* Wed Jun 26 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-5
- include patch from Markus's ISS advisory for missing bounds checks
- re-require db1-devel
- re-require pam-devel by package file
- re-require autoconf instead of autoconf253
- make sure Kerberos is disabled unless the not-enabled gssapi patch was applied
+* Fri May 31 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-2
+- build gnome-ssh-askpass with gtk2

-* Wed May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-4
+* Tue May 28 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-1
+- update to 3.2.3p1
+- merge in spec file changes from upstream
+
+* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.2p1-1
+- update to 3.2.2p1
+
+* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-4
 - drop buildreq on db1-devel
 - require pam-devel by package name
 - require autoconf instead of autoconf253 again
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-c6a52d4126ed27eb57c31729ec6b2362  openssh-3.1p1.tar.gz
+459c1d0262e939d6432f193c7a4ba8a8  openssh-3.4p1.tar.gz
 8f2e41f3f7eaa8543a2440454637f3c3  x11-ssh-askpass-1.2.4.1.tar.gz