openssh/openssh.spec

%define groupid 65002
%define userid 65002
%define with_opensc 0
%define with_chroot 1
%define with_selinux 0
Name: openssh
Version: 6.6p1
Release: 3mamba
Summary: OpenSSH free Secure Shell (SSH) implementation
Group: Network/Security
Vendor: openmamba
Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://www.openssh.com/
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
Source1: openssh-pamdconf
Source2: openssh-sshd-makecerts
Source3: openssh-sshd.service
Source4: openssh-sshd@.service
Source5: openssh-sshd.socket
Source6: openssh-sshd.conf
Patch0: openssh-6.6p1-ssh_config.patch
License: BSD
## AUTOBUILDREQ-BEGIN
BuildRequires: bash
BuildRequires: glibc-devel
BuildRequires: libopenssl-devel
BuildRequires: libwrap-devel
BuildRequires: libz-devel
BuildRequires: pam-devel
## AUTOBUILDREQ-END
%if "%{stage1}" != "1"
BuildRequires: %{_bindir}/xauth
%endif
%if %with_opensc
BuildRequires: libopensc-devel
BuildRequires: coreutils
%endif
BuildRequires: libwrap-devel
BuildRequires: libopenssl >= 1.0.1c
BuildRoot: %{_tmppath}/%{name}-%{version}-root
# NOTE:
# see http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
%description
SSH (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL).
%package common
Summary: OpenSSH free Secure Shell (SSH) implementation
Group: Network/Security
Requires: libopenssl >= 1.0.1
%description common
SSH (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL).
This package includes the core files necessary for both the OpenSSH client and server.
To make this package useful, you should also install openssh-clients, openssh-server, or both.
%package clients
Summary: OpenSSH Secure Shell protocol clients
Group: Network/Security
Provides: openssh-client
Obsoletes: openssh-client
Requires: openssh-common = %{?epoch:%epoch:}%{version}-%{release}
Provides: openssh
Obsoletes: openssh
%description clients
SSH (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL).
This package includes the clients necessary to make encrypted connections to SSH servers.
%package server
Summary: OpenSSH Secure Shell protocol server (sshd)
Group: System/Servers
Requires(post): openssh-common = %{?epoch:%epoch:}%{version}-%{release}
%description server
SSH (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL).
This package contains the secure shell daemon.
The sshd is the server part of the secure shell protocol and allows ssh clients to connect to your host.
%prep
%setup -q
%patch0 -p1
%build
# note: --with-rand-helper is not needed on Linux
# (OpenSSH uses the Linux kernel random source)
%if %with_chroot
export CFLAGS="%{optflags} -DUSE_CHROOT"
%endif
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--with-pid-dir=/run/sshd \
--with-md5-passwords \
--with-ipv4-default \
--with-mantype=man \
%if %with_opensc
--with-opensc \
%endif
--with-pam \
--with-xauth=%{_bindir}/xauth \
%if %with_selinux
--with-selinux \
%endif
--with-tcp-wrappers \
--without-rsh \
--without-smartcard \
--without-zlib-version-check \
--disable-suid-ssh \
--disable-etc-default-login \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--disable-strip
%make
%install
[ "%{buildroot}" != / ] && rm -rf %{buildroot}
install -d %{buildroot}%{_var}/empty
install -d %{buildroot}%{_sysconfdir}/{ssh,pam.d}
# note: 'make check-config' fails but it's a harmless error
%makeinstall
install -D -m 600 %{S:1} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -D -m 755 %{SOURCE2} %{buildroot}%{_bindir}/ssh-makecerts
install -D -m 644 %{SOURCE3} %{buildroot}/lib/systemd/system/sshd.service
install -D -m 644 %{SOURCE4} %{buildroot}/lib/systemd/system/sshd@.service
install -D -m 644 %{SOURCE5} %{buildroot}/lib/systemd/system/sshd.socket
install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/tmpfiles.d/sshd.conf
rm -f %{buildroot}%{_datadir}/Ssh.bin
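# customize the packaged sshd_config: restrict to protocol 2, enable PAM,
# enable X11 forwarding, enable privilege separation and disable TCP forwarding
# (each expression only matches the commented-out upstream default line)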
sed -i 's/#Protocol 2,1/Protocol 2/
s/#\(UsePAM\).*/\1 yes/
s/#X11Forwarding no/X11Forwarding yes/
s/#\(UsePrivilegeSeparation yes\)/\1/
s/#\(AllowTcpForwarding\) .*/\1 no/' \
%{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "AcceptEnv LANG LC_*" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
install -m0755 contrib/ssh-copy-id %{buildroot}%{_bindir}/ssh-copy-id
install -m0644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1/ssh-copy-id.1
%clean
[ "%{buildroot}" != / ] && rm -rf %{buildroot}
%post clients
if [ $1 -gt 1 ]; then
grep "SendEnv" %{_sysconfdir}/ssh/ssh_config >/dev/null || \
echo " SendEnv LANG LC_*" >> %{_sysconfdir}/ssh/ssh_config
grep "ServerAliveInterval" %{_sysconfdir}/ssh/ssh_config >/dev/null || \
echo " ServerAliveInterval 60" >> %{_sysconfdir}/ssh/ssh_config
fi
:
%pre server
# create the unprivileged sshd group and user (home /var/empty, no login shell)
/usr/sbin/groupadd sshd -g %{groupid} 2>/dev/null || :
/usr/sbin/useradd -u %{userid} -g sshd -c 'ssh daemon' -d /var/empty \
-s /bin/false sshd 2>/dev/null
exit 0
%post server
if [ $1 -eq 1 ]; then
# new install
%{_bindir}/ssh-makecerts
# /sbin/chkconfig --add sshd
# service sshd start
fi
if [ $1 -gt 1 ]; then
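# update: apply the forwarding defaults to lines that are still commented out
# and make sure an AcceptEnv entry is present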
sed -i 's/#\(AllowTcpForwarding\) .*/\1 no/
s/#X11Forwarding no/X11Forwarding yes/' \
%{_sysconfdir}/ssh/sshd_config
grep "AcceptEnv" %{_sysconfdir}/ssh/sshd_config >/dev/null || \
echo " AcceptEnv LANG LC_*" >> %{_sysconfdir}/ssh/sshd_config
fi
exit 0
%posttrans server
systemctl -q daemon-reload
systemctl -q enable sshd.socket
systemctl -q start sshd.socket
exit 0
%preun server
if [ $1 -eq 0 ]; then
# erase
systemctl -q stop sshd.socket
systemctl -q disable sshd.socket
fi
exit 0
%postun server
systemctl -q daemon-reload
exit 0
%files common
%defattr(-,root,root)
%{_bindir}/ssh-copy-id
%{_bindir}/ssh-keygen
%{_bindir}/ssh-keyscan
%{_bindir}/ssh-makecerts
%{_libexecdir}/openssh/ssh-keysign
%{_libexecdir}/openssh/ssh-pkcs11-helper
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man1/ssh-keygen.1*
%{_mandir}/man1/ssh-keyscan.1*
%{_mandir}/man8/ssh-keysign.8*
%{_mandir}/man8/ssh-pkcs11-helper.8*
%files clients
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/ssh/ssh_config
%{_bindir}/scp
%{_bindir}/sftp
%{_bindir}/slogin
%{_bindir}/ssh
%{_bindir}/ssh-add
%{_bindir}/ssh-agent
%{_mandir}/man1/scp.*
%{_mandir}/man1/sftp.*
%{_mandir}/man1/ssh-add.*
%{_mandir}/man1/ssh-agent.*
%{_mandir}/man1/ssh.*
%{_mandir}/man1/slogin.*
%{_mandir}/man5/ssh_config.*
%files server
%defattr(-,root,root)
%attr(0600,root,root) %{_sysconfdir}/pam.d/sshd
%config(noreplace) %{_sysconfdir}/ssh/moduli
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/ssh/sshd_config
%{_sbindir}/sshd
/lib/systemd/system/sshd.service
/lib/systemd/system/sshd.socket
/lib/systemd/system/sshd@.service
%{_prefix}/lib/tmpfiles.d/sshd.conf
%{_libexecdir}/openssh/sftp-server
%attr(0755,root,sys) %dir /var/empty
%{_mandir}/man5/sshd_config.*
%{_mandir}/man8/sftp-server.*
%{_mandir}/man8/sshd.*
%{_mandir}/man5/moduli.*
%changelog
* Tue Apr 29 2014 Silvan Calarco <silvan.calarco@mambasoft.it> 6.6p1-3mamba
- openssh-sshd-makecerts: support ed25519 host key generation
* Wed Apr 09 2014 Silvan Calarco <silvan.calarco@mambasoft.it> 6.6p1-2mamba
- patch ssh_config with default configuration; set 'ServerAliveInterval 60'
* Sun Mar 16 2014 Automatic Build System <autodist@mambasoft.it> 6.6p1-1mamba
- automatic version update by autodist
* Thu Jan 30 2014 Automatic Build System <autodist@mambasoft.it> 6.5p1-1mamba
- automatic version update by autodist
* Tue Nov 12 2013 Silvan Calarco <silvan.calarco@mambasoft.it> 6.4p1-2mamba
- install ssh-copy-id from contrib/
* Fri Nov 08 2013 Automatic Build System <autodist@mambasoft.it> 6.4p1-1mamba
- automatic version update by autodist
* Mon Oct 14 2013 Silvan Calarco <silvan.calarco@mambasoft.it> 6.3p1-3mamba
- ssh-makecerts: remove usage of success and failure functions from obsoleted initscripts functions
* Thu Sep 26 2013 Silvan Calarco <silvan.calarco@mambasoft.it> 6.3p1-2mamba
- switched to systemd
* Fri Sep 13 2013 Automatic Build System <autodist@mambasoft.it> 6.3p1-1mamba
- automatic version update by autodist
* Thu May 16 2013 Automatic Build System <autodist@mambasoft.it> 6.2p2-1mamba
- automatic version update by autodist
* Tue Mar 26 2013 Automatic Build System <autodist@mambasoft.it> 6.2p1-1mamba
- automatic version update by autodist
* Wed Aug 29 2012 Automatic Build System <autodist@mambasoft.it> 6.1p1-1mamba
- automatic version update by autodist
* Tue Jul 03 2012 Silvan Calarco <silvan.calarco@mambasoft.it> 6.0p1-2mamba
- rebuilt with openssl 1.0.1c
* Sun Apr 22 2012 Automatic Build System <autodist@mambasoft.it> 6.0p1-1mamba
- automatic version update by autodist
* Thu Apr 12 2012 Silvan Calarco <silvan.calarco@mambasoft.it> 5.9p1-6mamba
- Add SendEnv/AcceptEnv configuration entries to pass LANG and LC_* variables
* Thu Mar 15 2012 Silvan Calarco <silvan.calarco@mambasoft.it> 5.9p1-5mamba
- rebuilt with openssl 1.0.1
* Sat Jan 07 2012 Davide Madrisan <davide.madrisan@gmail.com> 5.9p1-4mamba
- make the initscript dash compliant
* Tue Dec 06 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 5.9p1-3mamba
- added post code to generate host keys at rpm installation
* Thu Sep 15 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 5.9p1-2mamba
- openssh-common: don't obsolete openssh; move obsolete to openssh-clients
* Tue Sep 06 2011 Automatic Build System <autodist@mambasoft.it> 5.9p1-1mamba
- automatic version update by autodist
* Tue May 03 2011 Automatic Build System <autodist@mambasoft.it> 5.8p2-1mamba
- automatic update by autodist
* Wed Mar 02 2011 Davide Madrisan <davide.madrisan@gmail.com> 5.8p1-2mamba
- initscript: remove bashisms
- initscript: also create /etc/ssh/ssh_host_ecdsa_key when not found
* Fri Feb 04 2011 Automatic Build System <autodist@mambasoft.it> 5.8p1-1mamba
- automatic update by autodist
* Tue Jan 25 2011 Automatic Build System <autodist@mambasoft.it> 5.7p1-1mamba
- automatic update by autodist
* Mon Aug 23 2010 Automatic Build System <autodist@mambasoft.it> 5.6p1-1mamba
- automatic update to 5.6p1 by autodist
* Fri Apr 16 2010 Automatic Build System <autodist@mambasoft.it> 5.5p1-1mamba
- automatic update to 5.5p1 by autodist
* Fri Mar 12 2010 Automatic Build System <autodist@mambasoft.it> 5.4p1-1mamba
- automatic update to 5.4p1 by autodist
* Thu Oct 01 2009 Automatic Build System <autodist@mambasoft.it> 5.3p1-1mamba
- automatic update to 5.3p1 by autodist
* Mon Feb 23 2009 Silvan Calarco <silvan.calarco@mambasoft.it> 5.2p1-1mamba
- automatic update to 5.2p1 by autodist
* Fri Aug 29 2008 Ercole 'ercolinux' Carpanetto <ercole69@gmail.com> 5.1p1-1mamba
- update to 5.1p1
* Sun Dec 16 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 4.7p1-2mamba
- make openssh-common obsolete openssh instead of openssh-clients
* Thu Dec 13 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 4.7p1-1mamba
- update to 4.7p1
- openssh-client renamed to openssh-clients
- scp moved to openssh-clients
- openssh renamed to openssh-common
- openssh-clients obsoletes and provides openssh
* Mon Jun 25 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 4.6p1-2mamba
- changed pam file for pam 0.99.7
- don't restart the service on upgrade
* Tue Apr 24 2007 Davide Madrisan <davide.madrisan@gmail.com> 4.6p1-1mamba
- update to 4.6p1
- enable support for tcp wrappers
- restrict permissions for sshd_config and sshd (pam configuration)
- initscript reworked
* Tue Dec 26 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 4.5p1-2qilnx
- fix xauth path for Xorg 7.1
* Fri Nov 10 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 4.5p1-1qilnx
- update to version 4.5p1 by autospec
* Fri Nov 03 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 4.4p1-1qilnx
- update to version 4.4p1 by autospec
- removed patch against CVE-2006-0225 (fixed upstream in version 4.3p1)
* Tue Jun 20 2006 Davide Madrisan <davide.madrisan@qilinux.it> 3.9p1-6qilnx
- security update: fixed CVE-2006-0225
- updated initscript
- added a patch from OpenPKG to use ssh in a chroot environment not enabled by default
* Fri Jan 27 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 3.9p1-5qilnx
- use "service" script to start/stop initscript
* Tue Oct 18 2005 Davide Madrisan <davide.madrisan@qilinux.it> 3.9p1-4qilnx
- security fix QSA-2005-121 (CAN-2005-2798)
* Fri Oct 14 2005 Davide Madrisan <davide.madrisan@qilinux.it> 3.9p1-3qilnx
- rebuilt
* Tue Mar 29 2005 Silvan Calarco <silvan.calarco@mambasoft.it> 3.9p1-2qilnx
- added pam_group support in sshd authentication
- disabled Tcp Forwarding in default configuration for security reasons with nx
* Thu Feb 10 2005 Davide Madrisan <davide.madrisan@qilinux.it> 3.9p1-1qilnx
- update to version 3.9p1 by autospec
* Fri Feb 27 2004 Davide Madrisan <davide.madrisan@qilinux.it> 3.7.1p2-1qilnx
- specfile updated to permit a non root user to build the package
* Tue Oct 04 2003 Silvan Calarco <silvan.calarco@mambasoft.it> 3.7.1p2-2qilnx
- fixed a pam error which caused the password being asked twice
- sshd groupid and userid assignment as in QiLinux resources database
* Wed Sep 24 2003 Davide Madrisan <davide.madrisan@qinet.it> 3.7.1p2-1qilnx
- rebuild with 3.7.1p2
- updated install block to activate PAM (disabled by default from this version on)
- fixed bash commands in openssh-server -> %%pre
* Wed Sep 17 2003 Davide Madrisan <davide.madrisan@qinet.it> 3.7.1p1-1qilnx
- first build of 3.7.1p1
- added some options to pass to the configure script
* Tue Jun 17 2003 Silvan Calarco <silvan.calarco@qinet.it> 3.6.1p2-1qilnx
- first build of 3.6.1p2
- changed configuration scripts to enable X11 tunnelling
* Wed May 21 2003 Silvan Calarco <silvan.calarco@qinet.it> 3.6.1p1-5qilnx
- changed pamd default authentication with ldap (from required to sufficient)
* Mon May 05 2003 Alessandro Ramazzina <alessandro.ramazzina@qinet.it> 3.6.1p1-4qilnx
- added sshd group and sshd user for openssh-server
* Wed Apr 30 2003 Alessandro Ramazzina <alessandro.ramazzina@qinet.it> 3.6.1p1-3qilnx
- fixed a configuration files location error
* Wed Apr 30 2003 Alessandro Ramazzina <alessandro.ramazzina@qinet.it> 3.6.1p1-2qilnx
- added -n openssh-server to the %%post and %%preun parameters
* Fri Apr 18 2003 Alessandro Ramazzina <alessandro.ramazzina@qinet.it> 3.6.1p1-1qilnx
- creation of openssh package