
openssh-7.5p1-2.2.mga6.src.rpm

# Version of ssh-askpass
%define aversion 1.2.4.1

# overrides
# Default feature switches: 1 builds the feature in, 0 leaves it out.
# As shipped here S/KEY, sftp file control and Linux audit support are off;
# with build_audit at 0 the audit patches (Patch200/201) are not applied and
# configure is not given the audit option.
%define build_skey			0
%define build_krb5			1
%define build_x11askpass	1
%define build_gnomeaskpass 	1
%define build_ldap			1
%define build_sftpcontrol	0
%define build_audit			0
%define build_libedit		1

# Command-line overrides: "--with X" / "--without X" given to rpm define
# _with_X / _without_X, and each line below then re-sets the matching switch
# globally. The "without" line of each pair is evaluated second, so it wins
# if both are given.
%{?_with_skey: %{expand: %%global build_skey 1}}
%{?_without_skey: %{expand: %%global build_skey 0}}
%{?_with_krb5: %{expand: %%global build_krb5 1}}
%{?_without_krb5: %{expand: %%global build_krb5 0}}
%{?_with_x11askpass: %{expand: %%global build_x11askpass 1}}
%{?_without_x11askpass: %{expand: %%global build_x11askpass 0}}
%{?_with_gnomeaskpass: %{expand: %%global build_gnomeaskpass 1}}
%{?_without_gnomeaskpass: %{expand: %%global build_gnomeaskpass 0}}
%{?_with_ldap: %{expand: %%global build_ldap 1}}
%{?_without_ldap: %{expand: %%global build_ldap 0}}
%{?_with_sftpcontrol: %{expand: %%global build_sftpcontrol 1}}
%{?_without_sftpcontrol: %{expand: %%global build_sftpcontrol 0}}
%{?_with_audit: %{expand: %%global build_audit 1}}
%{?_without_audit: %{expand: %%global build_audit 0}}
%{?_with_libedit: %{expand: %%global build_libedit 1}}
%{?_without_libedit: %{expand: %%global build_libedit 0}}

# Default PATH for sessions: substituted into sshd_config in the prep section
# and passed to configure as the default path. /usr/local/bin is listed ahead
# of the system bin directory.
%define OPENSSH_PATH "/usr/local/bin:%{_bindir}"
# xauth location handed to configure (used for X11 forwarding).
%define XAUTH %{_bindir}/xauth

Summary:	OpenSSH free Secure Shell (SSH) implementation
Name:		openssh
Version:	7.5p1
%define subrel	2
Release:	%mkrel 2
License:	BSD
Group:		Networking/Remote access
URL:		http://www.openssh.com/
# NOTE(review): Source0 and its detached signature (Source1) are both
# referenced over plain FTP, and no step in the prep section of this spec
# checks one against the other. Integrity of the upstream tarball therefore
# depends on controls outside this file (for example checksums kept by the
# build system) - confirm those exist.
Source0: 	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: 	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
# NOTE(review): referenced over plain HTTP, with no signature or checksum
# listed in this spec.
Source2:	http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.bz2
# ssh-copy-id taken from debian, with "usage" added
Source3:	ssh-copy-id
Source7:	openssh-xinetd
# Only installed into the build tree when build_sftpcontrol is enabled.
Source9:        README.sftpfilecontrol
# Source10 is unpacked by the setup step (-a10), but no patch step for its
# contents is visible in the prep section - presumably a leftover; confirm
# before keeping it.
%define wversion 4.4p1
Source10:	openssh-%{wversion}-watchdog.patch.tgz
Source12:	ssh_ldap_key.pl
Source15:	ssh-avahi-integration
# PAM stack for sshd; installed as the pam.d/sshd file.
Source17:	sshd.pam
# systemd units and the host key generation helper.
Source22:	sshd.service
Source23:	sshd@.service
Source24:	sshd-keygen.service
Source25:	sshd.socket
Source26:	sshd-keygen
# patch to set some default configuration
# NOTE(review): per the comment above, this patch sets shipped configuration
# defaults. Its contents are not visible here, so review it together with the
# settings that the install section appends to ssh_config afterwards.
Patch1:		openssh-7.4p1-config.patch
# http://sftpfilecontrol.sourceforge.net
# Not applied by default
# P7 is rediffed and slightly adjusted from http://sftplogging.sourceforge.net/download/v1.5/openssh-4.4p1.sftplogging-v1.5.patch
# Only referenced inside the build_sftpcontrol branch of the prep section,
# which aborts the build before reaching it.
Patch7:		openssh-4.9p1.sftplogging-v1.5.diff

#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
# Patch200 and Patch201 are applied only when build_audit is 1 (default is 0).
Patch200: openssh-7.2p1-audit.patch
# Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch

# Applied only when build_ldap is 1 (the default).
Patch501: openssh-6.7p1-ldap.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
Patch604: openssh-6.6p1-keyperm.patch
#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-7.2p2-x11.patch

#?
Patch702: openssh-5.1p1-askpass-progress.patch
#?
Patch703: openssh-4.3p2-askpass-grab-info.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
# NOTE(review): carried although upstream closed the request as WONTFIX.
# Judging by its name it touches entropy handling, so re-review it on every
# rebase.
Patch708: openssh-7.4p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-6.2p1-vendor.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
# NOTE(review): changes the cipher code path; needs the same care on rebase.
Patch712: openssh-6.3p1-ctr-evp-fast.patch

#changed cache storage type - #848228
Patch800: openssh-7.4p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
# CVE-2014-9278
# Applied out of numeric order in the prep section (after Patch920).
Patch802: openssh-7.4p1-GSSAPIEnablek5users.patch
# Documentation about GSSAPI
# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
Patch803: openssh-7.1p1-gssapi-documentation.patch
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
# Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch

Patch900: openssh-7.4p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-7.4p1-kuserok.patch
# Use tty allocation for a remote scp (#985650)
Patch906: openssh-6.4p1-fromto-remote.patch
# use different values for DH for Cisco servers (#1026430)
# Declared only: the matching patch step in the prep section is commented
# out ("investigate").
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
# log via monitor in chroots without /dev/log (#2681)
Patch918: openssh-7.4p1-log-in-chroot.patch
# scp file into non-existing directory (#1142223)
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
# Config parser shouldn't accept ip/port syntax (#1130733)
Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
# restore tcp wrappers support, based on Debian patch
# https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
# apply upstream patch and make sshd -T more consistent (#1187521)
Patch922: openssh-6.8p1-sshdT-output.patch
# Add sftp option to force mode of created files (#1191055)
Patch926: openssh-6.7p1-sftp-force-permission.patch
# Memory problems
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
Patch928: openssh-6.8p1-memory-problems.patch
# Add GSSAPIKexAlgorithms option for server and client application
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
Patch933: openssh-7.0p1-show-more-fingerprints.patch
# expose more information to PAM
# https://github.com/openssh/openssh-portable/pull/47
Patch940: openssh-7.4p1-expose-pam.patch
# Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch
# Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch
# Fix typo in sandbox code; missing header for s390
Patch949: openssh-7.5p1-sandbox.patch
# Avoid creation of zero-length files in readonly mode (#1506631)
# The 7.5p1-2.2 changelog entry mentions a Fedora patch for CVE-2017-15906;
# this looks like that fix. Naming the CVE here would make it traceable
# (confirm).
Patch950: openssh-7.5p1-sftp-empty-files.patch

# NOTE(review): Patch1000 is declared, but no patch step for it exists in the
# prep section. Its file name carries 7.3p1, so presumably the fix is already
# part of the 7.5p1 sources - confirm, then drop the declaration or apply it.
Patch1000: openssh-7.3p1-CVE-2016-8858.patch
# Applied as the final patch in the prep section.
Patch1001: openssh-7.5p1-CVE-2018-15473.patch

Provides:	ssh
Requires(post): openssl >= 0.9.7
Requires(post): makedev
Requires(preun): openssl >= 0.9.7
Requires:	tcp_wrappers
BuildRequires:	groff-for-man
BuildRequires:	openssl-devel >= 0.9.7
BuildRequires:	pam-devel
BuildRequires:	systemd-devel
BuildRequires:	tcp_wrappers-devel
BuildRequires:	zlib-devel
%if %{build_skey}
BuildRequires:	skey-devel
%endif
%if %{build_krb5}
BuildRequires:	krb5-devel
%endif
%if %{build_x11askpass}
BuildRequires:	imake
BuildRequires:	rman
# http://qa.mandriva.com/show_bug.cgi?id=22736
BuildRequires:	x11-util-cf-files >= 1.0.2
BuildRequires:	gccmakedep
BuildRequires:	libx11-devel
BuildRequires:	libxt-devel
%endif
%if %{build_gnomeaskpass}
BuildRequires:	gtk+2-devel
%endif
%if %{build_ldap}
BuildRequires: openldap-devel >= 2.0
%endif
%if %{build_audit}
BuildRequires:	audit-devel
%endif
%if %{build_libedit}
BuildRequires:	edit-devel 
BuildRequires:	ncurses-devel
%endif
BuildConflicts:	libgssapi-devel

%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all 
patented algorithms to separate libraries (OpenSSL).

This package includes the core files necessary for both the OpenSSH
client and server.  To make this package useful, you should also
install openssh-clients, openssh-server, or both.

You can build %{name} with some conditional build switches;

(ie. use with rpm --rebuild):

--with[out] skey         smartcard support (disabled)
--with[out] krb5         kerberos support (enabled)
--with[out] x11askpass   X11 ask pass support (enabled)
--with[out] gnomeaskpass Gnome ask pass support (enabled)
--with[out] ldap         OpenLDAP support (enabled)
--with[out] sftpcontrol  sftp file control support (disabled)
--with[out] audit        audit support (disabled)
--with[out] libedit      libedit support in sftp (enabled)

%package	clients
Summary:	OpenSSH Secure Shell protocol clients
Group:		Networking/Remote access
Requires:	%{name} = %{version}-%{release}
Provides:	ssh-clients, sftp, ssh

%description	clients
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all 
patented algorithms to separate libraries (OpenSSL).

This package includes the clients necessary to make encrypted connections
to SSH servers.

%package	server
Summary:	OpenSSH Secure Shell protocol server (sshd)
Group:		System/Servers
Requires(pre):	%{name} = %{version}-%{release} chkconfig >= 0.9 
Requires(pre):	pam >= 0.74
Requires(post):  rpm-helper >= 0.24.8-1
Requires(preun): rpm-helper >= 0.24.8-1
Requires(post): openssl >= 0.9.7
Requires(post): makedev
Requires:	%{name}-clients = %{version}-%{release}
%if %{build_skey}
Requires:	skey
%endif
%if %{build_audit}
BuildRequires:	audit
%endif
Provides:	ssh-server, sshd

%description	server
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all 
patented algorithms to separate libraries (OpenSSL).

This package contains the secure shell daemon. The sshd is the server 
part of the secure shell protocol and allows ssh clients to connect to 
your host.

%package askpass-common
Summary: OpenSSH X11 passphrase common scripts
Group: Networking/Remote access

%description askpass-common
OpenSSH X11 passphrase common scripts

%if %{build_x11askpass}
%package	askpass
Summary:	OpenSSH X11 passphrase dialog
Group:		Networking/Remote access
Requires:	%{name} = %{version}-%{release}
Requires: 	%{name}-askpass-common
Provides:	ssh-extras, ssh-askpass
Requires(pre):	update-alternatives

%description	askpass
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all 
patented algorithms to separate libraries (OpenSSL).

This package contains Jim Knoble's <jmknoble@pobox.com> X11 passphrase 
dialog.
%endif

%if %{build_gnomeaskpass}
%package	askpass-gnome
Summary:	OpenSSH GNOME passphrase dialog
Group:		Networking/Remote access
Requires:	%{name} = %{version}-%{release}
Requires: 	%{name}-askpass-common
Requires(pre):	update-alternatives
Provides:	%{name}-askpass, ssh-askpass, ssh-extras

%description	askpass-gnome
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all 
patented algorithms to separate libraries (OpenSSL).

This package contains the GNOME passphrase dialog.
%endif

%if %{build_ldap}
%package ldap
Summary:    A LDAP support for open source SSH server daemon
Group:      Networking/Remote access
Requires:   %{name} = %{version}-%{release}

%description ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens
among the servers in the network.
%endif

%prep
# Unpack the sources and apply the distribution patch stack. The echo lines
# only report which optional features are enabled for this build.
%if %{build_x11askpass}
echo "Building with x11 askpass..."
%endif
%if %{build_gnomeaskpass}
echo "Building with GNOME askpass..."
%endif
%if %{build_krb5}
echo "Building with Kerberos5 support..."
%endif
%if %{build_skey}
echo "Building with S/KEY support..."
%endif
%if %{build_ldap}
echo "Buiding with support for authenticating to public keys in ldap"
%endif
%if %{build_sftpcontrol}
echo "Buiding with support for sftp file control"
%endif
%if %{build_audit}
echo "Buiding with audit support"
%endif

# Unpack Source0, plus Source2 (-a2) and Source10 (-a10) inside its tree.
# NOTE(review): the detached signature listed as Source1 is not checked
# anywhere in this section.
%setup -q -a2 -a10

%patch1 -p1 -b .config

# Audit patches: skipped in the default build (build_audit is 0).
%if %{build_audit}
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
%endif

%if %{build_ldap}
%patch501 -p1 -b .ldap
%endif
#patch502 -p1 -b .keycat

# Enabling build_sftpcontrol fails the build on purpose: the exit below runs
# before the patch step, so the two lines after it are never reached.
%if %{build_sftpcontrol}
#cat %{SOURCE8} | patch -p1 -s -z .sftpcontrol
echo "This patch is broken or needs to be updated/rediffed"; exit 1
%patch7 -p1 -b .sftplogging-v1.5
# README with license terms for this patch
install -m 0644 %{SOURCE9} .
%endif

%patch601 -p1 -b .ip-opts
%patch604 -p1 -b .keyperm
%patch606 -p1 -b .ipv6man
%patch607 -p1 -b .sigpipe
%patch609 -p1 -b .x11

%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
%patch708 -p1 -b .entropy
%patch709 -p1 -b .vendor
%patch712 -p1 -b .evp-ctr

%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
%patch803 -p1 -b .gss-docs
%patch804 -p1 -b .ccache_name
%patch805 -p1 -b .k5login

# From here on the patches are not in numeric order (802 comes after 920);
# keep the sequence as is, since later patches may depend on earlier ones.
# The .config backup suffix used for patch 920 is the same one used for
# patch 1 above.
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
%patch906 -p1 -b .fromto-remote
#%patch917 -p1 -b .cisco-dh # investigate
%patch918 -p1 -b .log-in-chroot
%patch919 -p1 -b .scp
%patch920 -p1 -b .config
%patch802 -p1 -b .GSSAPIEnablek5users
%patch921 -p1 -b .tcp_wrappers
%patch922 -p1 -b .sshdt
%patch926 -p1 -b .sftp-force-mode
%patch928 -p1 -b .memory
%patch932 -p1 -b .gsskexalg
%patch933 -p1 -b .fingerprint
%patch940 -p1 -b .expose-pam
%patch944 -p1 -b .x11max
%patch948 -p1 -b .systemd
%patch949 -p1 -b .sandbox
%patch950 -p1 -b .sftp-empty

# NOTE(review): Patch1000 (CVE-2016-8858) is declared in the preamble but is
# not applied here; only the CVE-2018-15473 fix is. Presumably the older fix
# is already in the upstream 7.5p1 sources - confirm and remove the unused
# declaration if so.
%patch1001 -p1 -b .CVE-2018-15473

# Copy the LDAP key helper script into the source tree; it is listed as
# documentation in the files section and its mode is reset to 644 below.
install %{SOURCE12} .

install -m 0644 %{SOURCE17} sshd.pam

# fix attribs
chmod 644 ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl

# http://qa.mandriva.com/show_bug.cgi?id=22957
# Replace the _OPENSSH_PATH_ placeholder in sshd_config with the default PATH
# value defined at the top of this spec.
perl -pi -e "s|_OPENSSH_PATH_|%{OPENSSH_PATH}|g" sshd_config

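%build
# Build the optional askpass helpers first, then OpenSSH itself.
# autoreconf regenerates configure - presumably needed because patches from
# the prep section change the autoconf inputs.
autoreconf

# Distribution macro; its definition is not visible in this spec (presumably
# it selects the compiler flags used for daemons - confirm).
%serverbuild

%if %{build_x11askpass}
# x11-ssh-askpass is configured and built in its own subdirectory.
# NOTE(review): the libedit switch is also passed to this configure run,
# although the package description documents it as an sftp feature;
# presumably it is ignored here - confirm.
pushd x11-ssh-askpass-%{aversion}
%configure2_5x \
    --prefix=%{_prefix} --libdir=%{_libdir} \
    --mandir=%{_mandir} --libexecdir=%{_libexecdir}/openssh \
    --with-app-defaults-dir=%{_sysconfdir}/X11/app-defaults \
%if %{build_libedit}
    --with-libedit \
%else
    --without-libedit \
%endif

xmkmf -a

# On x86_64 the generated Makefile is rewritten in place to use the 64-bit
# library directory, target triplet and compiler flags.
%ifarch x86_64
perl -pi -e "s|/usr/lib\b|%{_libdir}|g" Makefile
perl -pi -e "s|i586-%{_vendor}-linux-gnu|x86_64-%{_vendor}-linux-gnu|g" Makefile
perl -pi -e "s|%{_libdir}/gcc/|/usr/lib/gcc/|g" Makefile
perl -pi -e "s|-m32|-m64|g" Makefile
perl -pi -e "s|__i386__|__x86_64__|g" Makefile
%endif

make \
    BINDIR=%{_libexecdir}/openssh \
    CDEBUGFLAGS="$RPM_OPT_FLAGS" \
    CXXDEBUGFLAGS="$RPM_OPT_FLAGS"

# For some reason the x11-ssh-askpass.1.html file is not created on 10.0/10.1
# x86_64, so we just do it manually here... (oden)
rm -f x11-ssh-askpass.1x.html x11-ssh-askpass.1x-html
rman -f HTML < x11-ssh-askpass._man > x11-ssh-askpass.1x-html && \
mv -f x11-ssh-askpass.1x-html x11-ssh-askpass.1.html
popd
%endif

%if %{build_gnomeaskpass}
# The GNOME helper is built from contrib and renamed to drop the "2" suffix.
pushd contrib
make gnome-ssh-askpass2 CC="%__cc %optflags %ldflags"
mv gnome-ssh-askpass2 gnome-ssh-askpass
popd
%endif

# Main OpenSSH configure run. Security-relevant choices visible below:
#  - PAM and TCP wrappers support are compiled in;
#  - the privilege separation directory is /var/empty;
#  - binaries are left unstripped here (disable-strip);
#  - the zlib version check is skipped, so the build does not refuse an old
#    zlib - the build environment has to guarantee a fixed one;
#  - Kerberos, S/KEY, LDAP, libedit and Linux audit follow the build switches.
# NOTE(review): the default user PATH and the superuser PATH both list
# /usr/local directories ahead of the system ones. That is only safe while
# those directories are writable by root alone - confirm for the target
# systems.
# The LDAP option is spelled with two dashes like every other option in this
# call (it was written with a single dash before).
%configure2_5x \
    --prefix=%{_prefix} \
    --sysconfdir=%{_sysconfdir}/ssh \
    --mandir=%{_mandir} \
    --libdir=%{_libdir} \
    --libexecdir=%{_libexecdir}/openssh \
    --datadir=%{_datadir}/ssh \
    --disable-strip \
    --with-tcp-wrappers \
    --with-pam \
    --with-default-path=%{OPENSSH_PATH} \
    --with-xauth=%{XAUTH} \
    --with-privsep-path=/var/empty \
    --without-zlib-version-check \
%if %{build_krb5}
    --with-kerberos5=%{_prefix} \
%endif
%if %{build_skey}
    --with-skey \
%endif
    --with-systemd \
%if %{build_ldap}
    --with-ldap \
%endif
    --with-superuser-path=/usr/local/sbin:/usr/local/bin:%{_sbindir}:%{_bindir} \
%if %{build_libedit}
    --with-libedit \
%else
    --without-libedit \
%endif
%if %{build_audit}
    --with-linux-audit \
%endif

%make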

%install
# Stage the built tree into the buildroot, then add the distribution's
# configuration files, helper scripts and systemd units.
%make_install

install -d %{buildroot}%{_sysconfdir}/ssh
install -d %{buildroot}%{_sysconfdir}/pam.d/
install -d %{buildroot}%{_sysconfdir}/sysconfig
install -m 644 sshd.pam %{buildroot}%{_sysconfdir}/pam.d/sshd

# Server configuration is staged with mode 600; the generated .out variant is
# preferred when the build produced one.
if [ -f sshd_config.out ]; then 
	install -m 600 sshd_config.out %{buildroot}%{_sysconfdir}/ssh/sshd_config
else 
	install -m 600 sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config
fi
# denyusers is created holding only an empty line.
echo "" > %{buildroot}%{_sysconfdir}/ssh/denyusers

if [ -f ssh_config.out ]; then
    install -m 644 ssh_config.out %{buildroot}%{_sysconfdir}/ssh/ssh_config
else
    install -m 644 ssh_config %{buildroot}%{_sysconfdir}/ssh/ssh_config
fi
# NOTE(review): this appends "StrictHostKeyChecking no" to the system-wide
# client configuration. With that value ssh accepts and records unknown host
# keys without asking, so a first connection gives no protection against an
# impersonated server. The OpenSSH default is "ask". Because ssh_config uses
# the first value it finds, the line only takes effect where no earlier entry
# sets the option, and it lands inside whatever Host block ends the file
# (contents not visible here). Recommend dropping the line or shipping "ask".
echo "    StrictHostKeyChecking no" >> %{buildroot}%{_sysconfdir}/ssh/ssh_config

mkdir -p %{buildroot}%{_libexecdir}/openssh
%if %{build_x11askpass}
pushd x11-ssh-askpass-%{aversion}
#make DESTDIR=%{buildroot} install
#make DESTDIR=%{buildroot} install.man
#install -d %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html                
#install -m0644 x11-ssh-askpass.1.html %{buildroot}%{_prefix}/X11R6/lib/X11/doc/html/ 
install -d %{buildroot}%{_libexecdir}/openssh
install -d %{buildroot}%{_sysconfdir}/X11/app-defaults
install -m 644 SshAskpass.ad %{buildroot}%{_sysconfdir}/X11/app-defaults/SshAskpass
install -m 755 x11-ssh-askpass %{buildroot}%{_libexecdir}/openssh/
install -m 644 x11-ssh-askpass.man %{buildroot}%{_mandir}/man1/x11-ssh-askpass.1
popd
%endif

install -d %{buildroot}%{_sysconfdir}/profile.d/
%if %{build_gnomeaskpass}
install -m 755 contrib/gnome-ssh-askpass %{buildroot}%{_libexecdir}/openssh/gnome-ssh-askpass
%endif

# Login-shell snippets that point SSH_ASKPASS at the ssh-askpass path, which
# the askpass subpackages manage through update-alternatives.
cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.csh <<EOF
setenv SSH_ASKPASS %{_libexecdir}/openssh/ssh-askpass
EOF

cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-askpass.sh <<EOF
export SSH_ASKPASS=%{_libexecdir}/openssh/ssh-askpass
EOF

# The quoted heredoc delimiter keeps the shell from expanding the variables
# while the file is written.
cat > %{buildroot}%{_sysconfdir}/profile.d/90ssh-client.sh <<'EOF'
# fix hanging ssh clients on exit
if [ -n "$BASH_VERSION" ]; then
	shopt -s huponexit
elif [ -n "$ZSH_VERSION" ]; then
	setopt hup
fi
EOF

# The chmod repeats what the install mode already set.
install -m 755 %{SOURCE3} %{buildroot}/%{_bindir}/ssh-copy-id
chmod a+x %{buildroot}/%{_bindir}/ssh-copy-id
install -m 644 contrib/ssh-copy-id.1 %{buildroot}/%{_mandir}/man1/

# restore slogin
pushd %{buildroot}%{_bindir}
ln -s ./ssh slogin
pushd %{buildroot}%{_mandir}/man1
ln -s ./ssh.1 slogin.1
popd; popd;

# create pre-authentication directory
# /var/empty is the privilege separation path given to configure and the home
# directory of the sshd account created by the server scriptlet.
install -d -m 755 %{buildroot}/var/empty

# remove unwanted files
# The ssh-askpass path is registered by update-alternatives in the askpass
# post scriptlets, so no file of that name is packaged.
rm -f %{buildroot}%{_libexecdir}/openssh/ssh-askpass

# xinetd support (tv)
install -d -m 755 %{buildroot}%{_sysconfdir}/xinetd.d/
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/xinetd.d/sshd-xinetd

cat > %{buildroot}%{_sysconfdir}/sysconfig/sshd << EOF
#OPTIONS=""
EOF

# avahi integration support (misc)
# NOTE(review): installed with every server package; the service file is not
# visible here but presumably announces sshd on the local network - confirm
# that this is wanted by default.
mkdir -p %{buildroot}%{_sysconfdir}/avahi/services/
install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/avahi/services/%{name}.service

install -d -m 755 %{buildroot}%{_unitdir}
install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/sshd.service
install -m 644 %{SOURCE23} %{buildroot}%{_unitdir}/sshd@.service
install -m 644 %{SOURCE24} %{buildroot}%{_unitdir}/sshd-keygen.service
install -m 644 %{SOURCE25} %{buildroot}%{_unitdir}/sshd.socket
install -m 755 %{SOURCE26} %{buildroot}%{_sbindir}/sshd-keygen

# make sure strip can touch it
# Build-time mode only: the packaged mode of ssh-keysign (setuid root, 4711)
# is set by the attr entry in the files section.
chmod 755 %{buildroot}%{_libexecdir}/openssh/ssh-keysign

%pre server
# Create the sshd system account with home /var/empty and shell /sbin/nologin
# before the server files are installed.
%_pre_useradd sshd /var/empty /sbin/nologin

%post server
# Service registration is delegated to the rpm-helper macro.
%_post_service sshd

%preun server
%_preun_service sshd

%postun server
# Account removal is delegated to the helper macro; when exactly it deletes
# the account is not visible in this spec.
%_postun_userdel sshd

%if %{build_x11askpass}
%post askpass
# Register the X11 dialog as an ssh-askpass provider with priority 10, lower
# than the GNOME dialog (20).
update-alternatives --install %{_libexecdir}/openssh/ssh-askpass ssh-askpass %{_libexecdir}/openssh/x11-ssh-askpass 10
update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libexecdir}/openssh/x11-ssh-askpass 10

%postun askpass
# Only unregister on final removal (argument 0), not on upgrade.
[ $1 = 0 ] || exit 0
update-alternatives --remove ssh-askpass %{_libexecdir}/openssh/x11-ssh-askpass
update-alternatives --remove bssh-askpass %{_libexecdir}/openssh/x11-ssh-askpass
%endif

%if %{build_gnomeaskpass}
%post askpass-gnome
# Register the GNOME dialog as an ssh-askpass provider with priority 20.
update-alternatives --install %{_libexecdir}/openssh/ssh-askpass ssh-askpass %{_libexecdir}/openssh/gnome-ssh-askpass 20
update-alternatives --install %{_bindir}/ssh-askpass bssh-askpass %{_libexecdir}/openssh/gnome-ssh-askpass 20

%postun askpass-gnome
# Only unregister on final removal (argument 0), not on upgrade.
[ $1 = 0 ] || exit 0
update-alternatives --remove ssh-askpass %{_libexecdir}/openssh/gnome-ssh-askpass
update-alternatives --remove bssh-askpass %{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%triggerpostun server -- openssh-server < 3.8p1
# Runs when an openssh-server older than 3.8p1 is removed, i.e. on upgrade
# from such a version. If the system-auth or sshd PAM stack has an auth line
# using pam_ldap, pam_winbind or pam_mysql, the commented-out "UsePAM no"
# line in sshd_config is rewritten to "UsePAM yes" (presumably so that those
# logins keep working). This edits the administrator's sshd_config in place.
if grep -qE "^\W*auth\W+\w+\W+.*pam_(ldap|winbind|mysql)" /etc/pam.d/system-auth /etc/pam.d/sshd; then
   perl -pi -e 's|^#UsePAM no|UsePAM yes|' /etc/ssh/sshd_config
fi

# File lists per package. Security-relevant entries: the setuid helper in the
# base package, and the root-only configuration files in the server package.
%files
%doc ChangeLog OVERVIEW README* INSTALL CREDITS LICENCE TODO ssh_ldap_key.pl
%if %{build_ldap}
%doc *.schema
%endif
%if %{build_sftpcontrol}
%doc README.sftpfilecontrol
%endif
%{_bindir}/ssh-keygen
%dir %{_sysconfdir}/ssh
%{_bindir}/ssh-keyscan
# ssh-keysign is packaged setuid root (mode 4711: no read access for group or
# others). It is the only setuid entry in the file lists of this spec.
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%{_libexecdir}/openssh/ssh-pkcs11-helper
%{_mandir}/man1/ssh-keygen.1*
%{_mandir}/man1/ssh-keyscan.1*
%{_mandir}/man8/ssh-keysign.8*
%{_mandir}/man8/ssh-pkcs11-helper.8*

%files clients
%{_bindir}/scp
%{_bindir}/ssh
%{_bindir}/ssh-agent
%{_bindir}/ssh-add
%{_bindir}/ssh-copy-id
%{_bindir}/slogin
%{_bindir}/sftp
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man1/slogin.1*
%{_mandir}/man1/ssh.1*
%{_mandir}/man1/ssh-agent.1*
%{_mandir}/man1/ssh-add.1*
%{_mandir}/man1/sftp.1*
%{_mandir}/man5/ssh_config.5*
# noreplace keeps a locally edited ssh_config on upgrade, so a change to the
# shipped client defaults does not reach systems that modified the file.
%config(noreplace) %{_sysconfdir}/ssh/ssh_config
%{_sysconfdir}/profile.d/90ssh-client.sh

%files server
%config(noreplace) %{_sysconfdir}/sysconfig/sshd
%{_sbindir}/sshd
%{_sbindir}/sshd-keygen
%dir %{_libexecdir}/openssh
%{_libexecdir}/openssh/sftp-server
%{_mandir}/man5/sshd_config.5*
%{_mandir}/man5/moduli.5*
%{_mandir}/man8/sshd.8*
%{_mandir}/man8/sftp-server.8*
# Server configuration, the denyusers list and the PAM stack are readable by
# root only and are preserved across upgrades.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/denyusers
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%config(noreplace) %_sysconfdir/xinetd.d/sshd-xinetd
%config(noreplace) %{_sysconfdir}/avahi/services/%{name}.service
%config(noreplace) %{_sysconfdir}/ssh/moduli
%{_unitdir}/sshd.service
%{_unitdir}/sshd@.service
%{_unitdir}/sshd.socket
%{_unitdir}/sshd-keygen.service
%dir /var/empty

%files askpass-common
%{_sysconfdir}/profile.d/90ssh-askpass.*

%if %{build_x11askpass}
%files askpass
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%doc x11-ssh-askpass-%{aversion}/x11-ssh-askpass.1.html
%{_libexecdir}/openssh/x11-ssh-askpass
%{_sysconfdir}/X11/app-defaults/SshAskpass
%{_mandir}/man1/x11-ssh-askpass.1*
%endif

%if %{build_gnomeaskpass}
%files askpass-gnome
%{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%if %{build_ldap}
%files ldap
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
# NOTE(review): ldap.conf has no explicit mode or owner here and is a plain
# config entry (not noreplace), so a locally edited copy is replaced on
# upgrade. If the file can hold bind credentials it should be root-only like
# the server configuration above - confirm.
%config %{_sysconfdir}/ssh/ldap.conf
%{_libexecdir}/openssh/ssh-ldap-helper
%{_libexecdir}/openssh/ssh-ldap-wrapper
%{_mandir}/man8/ssh-ldap-helper.8*
%{_mandir}/man5/ssh-ldap.conf.5*
%endif


%changelog
* Wed Aug 22 2018 guillomovitch <guillomovitch> 7.5p1-2.2.mga6
  (not released yet)
+ Revision: 1253486
- add patch for CVE-2018-15473, stolen from Debian (#23452)
+ luigiwalser <luigiwalser>
- add patch from fedora to fix CVE-2017-15906

* Sun Apr 02 2017 wally <wally> 7.5p1-2.mga6
+ Revision: 1095660
- revert some changes in sshd.service and thus fix server key generation (mga#20618)

* Mon Mar 27 2017 luigiwalser <luigiwalser> 7.5p1-1.mga6
+ Revision: 1094919
- 7.5p1
- sync more patch changes from fedora

* Mon Mar 27 2017 luigiwalser <luigiwalser> 7.4p1-2.mga6
+ Revision: 1094915
- sync some patch changes for 7.4p1 from fedora

* Wed Jan 04 2017 guillomovitch <guillomovitch> 7.4p1-1.mga6
+ Revision: 1080116
- new version 7.4

* Sat Oct 22 2016 guillomovitch <guillomovitch> 7.3p1-3.mga6
+ Revision: 1063112
- use upstream patch to fix CVE-2016-8858

* Tue Oct 04 2016 luigiwalser <luigiwalser> 7.3p1-2.mga6
+ Revision: 1058559
- add patch from fedora to fix NULL dereference

* Sun Aug 07 2016 guillomovitch <guillomovitch> 7.3p1-1.mga6
+ Revision: 1044939
- sync patches with fedora
- new version 7.3p1

* Tue Jul 26 2016 guillomovitch <guillomovitch> 7.2p2-3.mga6
+ Revision: 1043667
- sync patches with Fedora, fixing CVE-2016-6210

* Mon Apr 25 2016 guillomovitch <guillomovitch> 7.2p2-2.mga6
+ Revision: 1006203
- fix CVE-2015-8325 (fix #18222)

* Thu Mar 10 2016 guillomovitch <guillomovitch> 7.2p2-1.mga6
+ Revision: 988872
- new version 7.2p2
  first fedora patches syncing pass

* Thu Feb 11 2016 luigiwalser <luigiwalser> 7.1p2-2.mga6
+ Revision: 955836
- add patch from fedora to fix CVE-2016-1908
- start sshd.service after network-online.target (so it works with ListenAddress)

* Thu Jan 14 2016 luigiwalser <luigiwalser> 7.1p2-1.mga6
+ Revision: 923001
- 7.1p2 (fixes CVE-2016-0777)

* Sun Oct 11 2015 guillomovitch <guillomovitch> 7.1p1-1.mga6
+ Revision: 889745
- new version 7.1p1

* Thu Aug 20 2015 guillomovitch <guillomovitch> 7.0p1-1.mga6
+ Revision: 867024
- new version 7.0

* Thu Aug 20 2015 luigiwalser <luigiwalser> 6.9p1-7.mga6
+ Revision: 866033
- disable scp progressmeter patch for now, as it breaks the build
- add patch from fedora with security fixes from upstream OpenSSH 7.0 release
- add patch from fedora to handle control chars in scp progressmeter (rhbz#1247204)

* Thu Jul 23 2015 luigiwalser <luigiwalser> 6.9p1-5.mga6
+ Revision: 856409
- add upstream patch to fix CVE-2015-5600

* Wed Jul 15 2015 neoclust <neoclust> 6.9p1-4.mga6
+ Revision: 854523
- Fix libexecdir path

* Wed Jul 15 2015 neoclust <neoclust> 6.9p1-3.mga6
+ Revision: 854436
- Install as wanted by openssh

* Thu Jul 09 2015 guillomovitch <guillomovitch> 6.9p1-2.mga6
+ Revision: 853152
- drop host key generation logic from spec file, and switch to systemd-triggered generation, as in fedora
- drop ssh 1 host key usage in default configuration
- switch to more secure host keys in default configuration

* Thu Jul 09 2015 guillomovitch <guillomovitch> 6.9p1-1.mga6
+ Revision: 853132
- new version 6.9p1

* Sat Jul 04 2015 luigiwalser <luigiwalser> 6.8p1-2.mga6
+ Revision: 850632
- add upstream patch to fix CVE-2015-5352

* Sun Jun 28 2015 guillomovitch <guillomovitch> 6.8p1-1.mga6
+ Revision: 846658
- new version 6.8p1
- drop untested watchdog and hpn package conditional build option
- try to sync applied patches with fedora ones

* Wed Oct 15 2014 umeabot <umeabot> 6.6p1-5.mga5
+ Revision: 747165
- Second Mageia 5 Mass Rebuild

* Tue Sep 16 2014 umeabot <umeabot> 6.6p1-4.mga5
+ Revision: 683245
- Mageia 5 Mass Rebuild

* Mon Aug 11 2014 wally <wally> 6.6p1-3.mga5
+ Revision: 661694
- when creating sshd system user use /sbin/nologin as login shell instead of /bin/true (every other system user we have uses /sbin/nologin or /bin/false, but not /bin/true)

* Wed Apr 09 2014 luigiwalser <luigiwalser> 6.6p1-2.mga5
+ Revision: 613037
- add patch from debian to fix CVE-2014-2653

* Fri Mar 21 2014 guillomovitch <guillomovitch> 6.6p1-1.mga5
+ Revision: 606391
- new version 6.6p1

* Tue Feb 04 2014 guillomovitch <guillomovitch> 6.5p1-1.mga5
+ Revision: 582109
- new version 6.5p1

* Fri Nov 08 2013 oden <oden> 6.2p2-3.mga4
+ Revision: 549918
- P22: upstream security fix (http://www.openssh.com/txt/gcmrekey.adv)

* Sat Oct 19 2013 umeabot <umeabot> 6.2p2-2.mga4
+ Revision: 528319
- Mageia 4 Mass Rebuild
+ oden <oden>
- ldap support was enabled
- add the ecdsa key as well
- fix the sourcing, so it actually works
- fix #7665, requires more fedora integration than that

* Mon Jun 17 2013 guillomovitch <guillomovitch> 6.2p2-1.mga4
+ Revision: 444184
- update ldap patch
- drop max-startups patch, merged upstream
- sync systemd unit files with fedora

* Wed Feb 13 2013 luigiwalser <luigiwalser> 6.1p1-4.mga3
+ Revision: 398234
- add patch from fedora to fix CVE-2010-5107

* Sun Jan 13 2013 umeabot <umeabot> 6.1p1-3.mga3
+ Revision: 362153
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Tue Jan 01 2013 lmenut <lmenut> 6.1p1-2.mga3
+ Revision: 337413
- fix default paths after UsrMove
  remove /bin and /sbin

* Wed Sep 05 2012 guillomovitch <guillomovitch> 6.1p1-1.mga3
+ Revision: 288573
- replace LPK patch with Redhat ldap patch
- build ldap support by default
- new version
- merge usepam patche with configuration patch, using a better explanation in
  configuration file, but dropping specific message in logs

* Mon Aug 13 2012 luigiwalser <luigiwalser> 6.0p1-2.mga3
+ Revision: 281119
- do not disable root login redundantly through PAM in /etc/ssh/denyusers

* Thu Jun 07 2012 guillomovitch <guillomovitch> 6.0p1-1.mga3
+ Revision: 256806
- sync systemd support with fedora
- drop sysinit support
- new version

* Sat Apr 28 2012 tmb <tmb> 5.9p1-5.mga2
+ Revision: 233826
- Require rpm-helper >= 0.24.8-1 for systemd support

* Tue Apr 17 2012 guillomovitch <guillomovitch> 5.9p1-4.mga2
+ Revision: 231185
- don't install keygen service (redhat bug #810419)

* Sun Apr 01 2012 colin <colin> 5.9p1-3.mga2
+ Revision: 227677
- Add missing key generator

* Sun Apr 01 2012 colin <colin> 5.9p1-2.mga2
+ Revision: 227672
- Enable UsePAM by default (needed to prevent killing all SSH connections on service restart mga#5137)
- Fix systemd units to ensure sshd-keygen is run.
- Remove options from default sysconfig file that are not used.

* Sat Oct 08 2011 guillomovitch <guillomovitch> 5.9p1-1.mga2
+ Revision: 152967
- native systemd support
- spec cleanup
+ pterjan <pterjan>
- Update to 5.9
- Drop old Obsoletes

* Thu May 05 2011 saispo <saispo> 5.8p1-2.mga1
+ Revision: 95041
- Bump Release
- Fix bug #1151

* Wed Apr 20 2011 pterjan <pterjan> 5.8p1-1.mga1
+ Revision: 89124
- Update to 5.8p1

* Sat Jan 15 2011 blino <blino> 5.6p1-4.mga1
+ Revision: 18289
- fix vendor in makefile hack

* Sat Jan 15 2011 blino <blino> 5.6p1-3.mga1
+ Revision: 18288
- rename conf patch
- remove old README upgrade files
- remove old version checks and files
+ kharec <kharec>
- imported package openssh