diff --git a/openssh.spec b/openssh.spec
index 2b3e73d..b9baee7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,10 +1,3 @@
-# Do we want SELinux & Audit
-%if 0%{?!noselinux:1}
-%define WITH_SELINUX 1
-%else
-%define WITH_SELINUX 0
-%endif
-
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid 74
 %define sshd_gid 74
@@ -12,74 +5,29 @@
 # Do we want to disable building of gnome-askpass? (1=yes 0=no)
 %define no_gnome_askpass 0
-# Do we want to link against a static libcrypto? (1=yes 0=no)
-%define static_libcrypto 0
-
 # Use GTK2 instead of GNOME in gnome-ssh-askpass
 %define gtk2 1
-# Build position-independent executables (requires toolchain support)?
-%define pie 1
-
-# Do we want kerberos5 support (1=yes 0=no)
-%define kerberos5 1
-
 # Do we want libedit support
 %define libedit 1
-# Do we want LDAP support
-%define ldap 1
-
-# Whether to build pam_ssh_agent_auth
-%if 0%{?!nopam:1}
-%define pam_ssh_agent 1
-%else
-%define pam_ssh_agent 0
-%endif
-
 # Reserve options to override askpass settings with:
 # rpm -ba|--rebuild --define 'skip_xxx 1'
 %{?skip_gnome_askpass:%global no_gnome_askpass 1}
-# Add option to build without GTK2 for older platforms with only GTK+.
-# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
-# rpm -ba|--rebuild --define 'no_gtk2 1'
-%{?no_gtk2:%global gtk2 0}
-
-# Options for static OpenSSL link:
-# rpm -ba|--rebuild --define "static_openssl 1"
-%{?static_openssl:%global static_libcrypto 1}
-
-# Is this a build for the rescue CD (without PAM, with MD5)?
(1=yes 0=no)
-%define rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
-
-# Turn off some stuff for resuce builds
-%if %{rescue}
-%define kerberos5 0
-%define libedit 0
-%define pam_ssh_agent 0
-%endif
-
-# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.4p1
 %define openssh_rel 3
-%define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 1
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
 Source3: sshd.init
-Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
-Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
 Source7: sshd.sysconfig
 Source9: sshd@.service
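Review bot: Nothing in this spec checks the integrity of `Source0`: the upstream detached signature is still commented out as `#Source1: ...openssh-%{version}.tar.gz.asc`, and with the downstream patch set dropped elsewhere in this commit the shipped binaries are exactly whatever that unverified tarball contains. Uncomment `Source1` and verify it in `%prep` before `%setup`, for example `gpg --verify %{SOURCE1} %{SOURCE0}` against a vendored copy of the OpenSSH release key (or the `%{gpgverify}` macro if this rpm version provides it). The `#URL1: http://pamsshagentauth.sourceforge.net` pointer is also stale now that pam_ssh_agent_auth is gone and can be deleted.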
@@ -88,111 +36,8 @@ Source11: sshd.service
 Source12: sshd-keygen.service
 Source13: sshd-keygen
-# Internal debug
-Patch0: openssh-5.9p1-wIm.patch
-
-#?
-Patch100: openssh-6.3p1-coverity.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.3p1-fingerprint.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
-#https://bugzilla.redhat.com/show_bug.cgi?id=735889
-Patch102: openssh-5.8p1-getaddrinfo.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
-Patch103: openssh-5.8p1-packet.patch
-
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.4p1-audit.patch
-
-# --- pam_ssh-agent ---
-# make it build reusing the openssh sources
-Patch300: pam_ssh_agent_auth-0.9.3-build.patch
-# check return value of seteuid()
-Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
-# explicitly make pam callbacks visible
-Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
-# don't use xfree (#1024965)
-Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
-Patch400: openssh-6.3p1-role-mls.patch
-#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-6.3p1-privsep-selinux.patch
-
-#?-- unwanted child :(
-Patch501: openssh-6.3p1-ldap.patch
-#?
-Patch502: openssh-6.3p1-keycat.patch
-
-#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
-Patch601: openssh-5.2p1-allow-ip-opts.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
-Patch602: openssh-5.9p1-randclean.patch
-#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
-Patch603: openssh-5.8p1-glob.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
-Patch604: openssh-5.8p1-keyperm.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
-Patch605: openssh-5.8p2-remove-stale-control-socket.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
-Patch606: openssh-5.9p1-ipv6man.patch
-#?
-Patch607: openssh-5.8p2-sigpipe.patch
-#?
-Patch608: openssh-6.1p1-askpass-ld.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
-Patch609: openssh-5.5p1-x11.patch
-
-#?
-Patch700: openssh-6.3p1-fips.patch
-#?
-Patch701: openssh-5.6p1-exit-deadlock.patch
-#?
-Patch702: openssh-5.1p1-askpass-progress.patch
-#?
-Patch703: openssh-4.3p2-askpass-grab-info.patch
-#?
-Patch704: openssh-5.9p1-edns.patch
-#?
-Patch705: openssh-5.1p1-scp-manpage.patch
-#?
-Patch706: openssh-5.8p1-localdomain.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-6.3p1-redhat.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
-Patch708: openssh-6.2p1-entropy.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
-Patch709: openssh-6.2p1-vendor.patch
-# warn users for unsupported UsePAM=no (#757545)
-Patch711: openssh-6.1p1-log-usepam-no.patch
-# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
-Patch712: openssh-6.3p1-ctr-evp-fast.patch
-# add cavs test binary for the aes-ctr
-Patch713: openssh-6.3p1-ctr-cavstest.patch
- - #http://www.sxw.org.uk/computing/patches/openssh.html
-#changed cache storage type - #848228
-Patch800: openssh-6.3p1-gsskex.patch
-#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
-Patch801: openssh-6.3p1-force_krb.patch
-Patch900: openssh-6.1p1-gssapi-canohost.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.3p1-kuserok.patch
-# use default_ccache_name from /etc/krb5.conf (#991186)
-Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
-# increase the size of the Diffie-Hellman groups (#1010607)
-Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
-# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
-Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
-# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
-Patch905:
openssh-6.4p1-legacy-ssh-copy-id.patch
-# Use tty allocation for a remote scp (#985650)
-Patch906: openssh-6.4p1-fromto-remote.patch
-
-
 License: BSD
 Group: Applications/Internet
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /sbin/nologin
 Obsoletes: openssh-clients-fips, openssh-server-fips
@@ -205,32 +50,22 @@ BuildRequires: gnome-libs-devel
 %endif
 %endif
-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
 BuildRequires: autoconf, automake, perl, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
 BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
-BuildRequires: perl-podlators
-
-%if %{kerberos5}
 BuildRequires: krb5-devel
-%endif
 %if %{libedit}
 BuildRequires: libedit-devel ncurses-devel
 %endif
-%if %{WITH_SELINUX}
 Requires: libselinux >= 1.27.7
 BuildRequires: libselinux-devel >= 1.27.7
 Requires: audit-libs >= 1.0.8
 BuildRequires: audit-libs >= 1.0.8
-%endif
 BuildRequires: xauth
@@ -238,7 +73,6 @@ BuildRequires: xauth
 Summary: An open source SSH client applications
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
 %package server
 Summary: An open source SSH server daemon
@@ -246,34 +80,15 @@ Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-# Not yet ready
-# %package server-ondemand
-# Summary: Systemd unit file to run an ondemand OpenSSH server
-# Group: System Environment/Daemons
-# Requires: %{name}-server%{?_isa} = %{version}-%{release}
-
 %package server-sysvinit
 Summary: The SysV initscript to manage the OpenSSH server.
 Group: System Environment/Daemons
 Requires: %{name}-server%{?_isa} = %{version}-%{release}
-%if %{ldap}
-%package ldap
-Summary: A LDAP support for open source SSH server daemon
-Requires: openssh = %{version}-%{release}
-Group: System Environment/Daemons
-%endif
-
-%package keycat
-Summary: A mls keycat backend for openssh
-Requires: openssh = %{version}-%{release}
-Group: System Environment/Daemons
-
 %package askpass
 Summary: A passphrase dialog for OpenSSH and X
 Group: Applications/Internet
@@ -281,13 +96,6 @@ Requires: openssh = %{version}-%{release}
 Obsoletes: openssh-askpass-gnome
 Provides: openssh-askpass-gnome
-%package -n pam_ssh_agent_auth
-Summary: PAM module for authentication with ssh-agent
-Group: System Environment/Base
-Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
-License: BSD
-
 %description
 SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and
@@ -321,116 +129,18 @@ SysV-compatible init system. It is not required when the init system used is systemd.
-%if %{ldap}
-%description ldap
-OpenSSH LDAP backend is a way how to distribute the authorized tokens
-among the servers in the network.
-%endif
-
-%description keycat
-OpenSSH mls keycat is backend for using the authorized keys in the
-openssh in the mls mode.
-
 %description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH.
-%description -n pam_ssh_agent_auth
-This package contains a PAM module which can be used to authenticate
-users using ssh keys stored in a ssh-agent. Through the use of the
-forwarding of ssh-agent connection it also allows to authenticate with
-remote ssh-agent instance.
-
-The module is most useful for su and sudo service stacks.
-
 %prep
-%setup -q -a 4
-#Do not enable by default
-%if 0
-%patch0 -p1 -b .wIm
-%endif
-
-%patch100 -p1 -b .coverity
-%patch101 -p1 -b .fingerprint
-%patch102 -p1 -b .getaddrinfo
-%patch103 -p1 -b .packet
-
-%patch200 -p1 -b .audit
-
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-%patch300 -p1 -b .psaa-build
-%patch301 -p1 -b .psaa-seteuid
-%patch302 -p1 -b .psaa-visibility
-%patch303 -p1 -b .psaa-xfree
-# Remove duplicate headers
-rm -f $(cat %{SOURCE5})
-popd
-%endif
-
-%if %{WITH_SELINUX}
-%patch400 -p1 -b .role-mls
-%patch404 -p1 -b .privsep-selinux
-%endif
-
-%if %{ldap}
-%patch501 -p1 -b .ldap
-%endif
-%patch502 -p1 -b .keycat
-
-%patch601 -p1 -b .ip-opts
-%patch602 -p1 -b .randclean
-%patch603 -p1 -b .glob
-%patch604 -p1 -b .keyperm
-%patch605 -p1 -b .remove_stale
-%patch606 -p1 -b .ipv6man
-%patch607 -p1 -b .sigpipe
-%patch608 -p1 -b .askpass-ld
-%patch609 -p1 -b .x11
-
-%patch700 -p1 -b .fips
-%patch701 -p1 -b .exit-deadlock
-%patch702 -p1 -b .progress
-%patch703 -p1 -b .grab-info
-%patch704 -p1 -b .edns
-%patch705 -p1 -b .manpage
-%patch706
-p1 -b .localdomain
-%patch707 -p1 -b .redhat
-%patch708 -p1 -b .entropy
-%patch709 -p1 -b .vendor
-%patch711 -p1 -b .log-usepam-no
-%patch712 -p1 -b .evp-ctr
-%patch713 -p1 -b .ctr-cavs
-
-%patch800 -p1 -b .gsskex
-%patch801 -p1 -b .force_krb
-
-%patch900 -p1 -b .canohost
-%patch901 -p1 -b .kuserok
-%patch902 -p1 -b .ccache_name
-%patch903 -p1 -b .dh
-%patch904 -p1 -b .SP800-131A
-%patch905 -p1 -b .legacy-ssh-copy-id
-%patch906 -p1 -b .fromto-remote
-
-%if 0
-# Nothing here yet
-%endif
-
-autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-autoreconf
-popd
+%setup -q
 %build
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
 # and it makes the ssh build more clean and even optimized better
 CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
-%if %{rescue}
-CFLAGS="$CFLAGS -Os"
-%endif
-%if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
 CFLAGS="$CFLAGS -fPIC"
 %else
@@ -442,8 +152,6 @@ LDFLAGS="$LDFLAGS -pie -z relro -z now"
 export CFLAGS
 export LDFLAGS
-%endif
-%if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
 source /etc/profile.d/krb5-devel.sh
 fi
@@ -457,7 +165,6 @@ else
 CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
 CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
 fi
-%endif
 %configure \
 --sysconfdir=%{_sysconfdir}/ssh \
@@ -472,15 +179,7 @@ fi
 --without-zlib-version-check \
 --with-ssl-engine \
 --with-ipaddr-display \
-%if %{ldap}
- --with-ldap \
-%endif
-%if %{rescue}
- --without-pam \
-%else
 --with-pam \
-%endif
-%if %{WITH_SELINUX}
 --with-selinux --with-audit=linux \
 %if 0
 #seccomp_filter cannot be build right now
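Review bot: The `%build` comment `# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth` is now stale: this same hunk removes pam_ssh_agent_auth from `%prep`, so the stated reason for the flag no longer exists and a later maintainer may drop it as dead. If the flag stays for the second reason the comment already gives, reword the pair to `# -fvisibility=hidden keeps the ssh build clean and lets it optimize better`; otherwise remove both comment and flag together. It would also help to put a one-line comment above the new `%setup -q` recording that this is deliberately unpatched upstream 6.4p1, since the removed set included hardening such as the privsep/SELinux fix (#781634) and the key-permission change (mindrot #1893), and nothing in the new spec tells a reader the drop was intentional.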
@@ -488,22 +187,13 @@ fi
 %else
 --with-sandbox=rlimit \
 %endif
-%endif
-%if %{kerberos5}
 --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
-%else
- --without-kerberos5 \
-%endif
 %if %{libedit}
 --with-libedit
 %else
 --without-libedit
 %endif
-%if %{static_libcrypto}
-perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
-%endif
-
 make
 # Define a variable to toggle gnome1/gtk2 building. This is necessary
@@ -526,20 +216,11 @@ fi
 popd
 %endif
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
-make
-popd
-%endif
-
 # Add generation of HMAC checksums of the final stripped binaries
 %define __spec_install_post \
 %{?__debug_package:%{__debug_install_post}} \
 %{__arch_install_post} \
 %{__os_install_post} \
- fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
 %{nil}
 %check
@@ -560,9 +241,7 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
@@ -591,11 +270,6 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-make install DESTDIR=$RPM_BUILD_ROOT
-popd
-%endif
 %clean
 rm -rf $RPM_BUILD_ROOT
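Review bot: The privilege-separated pre-auth child is still built with `--with-sandbox=rlimit`, the fallback taken because the preceding `%if 0` disables seccomp_filter with only the note that it `cannot be build right now`. As far as I know the rlimit sandbox is the weakest OpenSSH offers, while seccomp_filter limits the syscalls a compromised network-facing child can make; it is unclear whether the build failure came from one of the downstream patches this commit removes, so please re-test `--with-sandbox=seccomp_filter` on the now unpatched tree and either enable it or replace the comment with the concrete failure, e.g. `# seccomp_filter: fails on <arch/toolchain> with <error>; using rlimit until fixed`. The `%configure` invocation begins outside this hunk.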
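Review bot: The comment `# Add generation of HMAC checksums of the final stripped binaries` now describes a step that this hunk deletes: with the `fipshmac` line gone, the `%define __spec_install_post` override appears to do nothing beyond restating rpm's usual debuginfo/arch/os install-post chain. Either drop the whole override so the platform default applies, or replace the comment with `# Keep the default install-post chain; the fipshmac step was dropped with FIPS support` so nobody hunts for HMAC files that are no longer produced. Since `Obsoletes: openssh-clients-fips, openssh-server-fips` stays earlier in the spec, users of those packages will upgrade into a build without the integrity-check step, which deserves a changelog line.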
@@ -634,27 +308,22 @@ getent passwd sshd >/dev/null || \
 %doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
-%endif
 %files clients
 %defattr(-,root,root)
 %attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(0755,root,root) %{_bindir}/slogin
+%attr(-,root,root) %{_bindir}/slogin
 %attr(0644,root,root) %{_mandir}/man1/slogin.1*
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
-%if ! %{rescue}
 %attr(2111,root,nobody) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
@@ -667,15 +336,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
-%endif
-%if ! %{rescue}
 %files server
 %defattr(-,root,root)
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_sbindir}/sshd-keygen
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
 %attr(0644,root,root) %{_mandir}/man5/moduli.5*
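Review bot: `+%attr(-,root,root) %{_bindir}/slogin` replaces an explicit 0755 with "whatever `make install` left" and gives no reason; if slogin is installed as a symlink to ssh, as upstream's install target does, the mode is meaningless and `-` is correct, but that should be stated in the spec: `# slogin is a symlink to ssh; leave its mode as installed`. If it is instead a regular file on this platform, the change makes the shipped permissions depend on the build rather than the spec, so please confirm which case applies before merging.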
@@ -688,27 +354,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/sshd@.service
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+%endif
+%endif
 %files server-sysvinit
 %defattr(-,root,root)
 %attr(0755,root,root) /etc/rc.d/init.d/sshd
-%endif
-
-%if %{ldap}
-%files ldap
-%defattr(-,root,root)
-%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
-%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
-%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
-%endif
-
-%files keycat
-%defattr(-,root,root)
-%doc HOWTO.ssh-keycat
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
-%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
 %if ! %{no_gnome_askpass}
 %files askpass
@@ -718,14 +369,6 @@ getent passwd sshd >/dev/null || \
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
 %endif
-%if %{pam_ssh_agent}
-%files -n pam_ssh_agent_auth
-%defattr(-,root,root)
-%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
-%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
-%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
-%endif
-
 %changelog
 * Wed Dec 11 2013 Petr Lautrbach 6.4p1-3 + 0.9.3-1
 - sshd-keygen - use correct permissions on ecdsa host key (#1023945)
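Review bot: The two added lines `+%endif` / `+%endif` after `%{_unitdir}/sshd-keygen.service` have nothing to close: the previous hunk removes the `%if ! %{rescue}` that preceded `%files server`, and this hunk removes the `%endif` that used to close it after `/etc/rc.d/init.d/sshd`, so the new side carries two unmatched `%endif`s and rpmbuild will reject the spec at parse time — unless an `%if` opens in the six unshown context lines between the two hunks, which the surrounding `%attr` file list makes unlikely. Delete both added lines. The `%files server` section begins outside this hunk.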