File openssh.spec of Package openssh.10219
#
# spec file for package openssh
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{suse_version} >= 1100
%define has_fw_dir 1
%else
%define has_fw_dir 0
%endif
%if 0%{suse_version} >= 1110
%define has_libselinux 1
%else
%define has_libselinux 0
%endif
%if 0%{?suse_version} >= 1130
%define needs_all_dirs 1
%else
%define needs_all_dirs 0
%endif
%if 0%{?suse_version} >= 1140
%define needs_libedit 1
%else
%define needs_libedit 0
%endif
%if 0%{?suse_version} > 1140
%define has_krb_mini 1
%else
%define has_krb_mini 0
%endif
%if 0%{?suse_version} > 1220
%define uses_systemd 1
%else
%define uses_systemd 0
%endif
%define sandbox_seccomp 0
%ifarch %ix86 x86_64
%if 0%{?suse_version} > 1220
%define sandbox_seccomp 1
%endif
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%{!?_initddir:%global _initddir %{_initrddir}}
Name: openssh
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff
%if %{has_krb_mini}
BuildRequires: krb5-mini-devel
%else
BuildRequires: krb5-devel
%endif
%if %{needs_libedit}
BuildRequires: libedit-devel
%endif
%if %{has_libselinux}
BuildRequires: libselinux-devel
%endif
BuildRequires: openldap2-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: pam-devel
%if %{uses_systemd}
BuildRequires: pkgconfig(libsystemd)
%{?systemd_requires}
%endif
BuildRequires: tcpd-devel
PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
Version: 6.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
Url: http://www.openssh.com/
Source: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: sshd.init
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
Source5: ssh.reg
Source6: ssh-askpass
Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Patch00: openssh-6.6p1-curve25519-6.6.1p1.patch
Patch01: openssh-6.6p1-X11-forwarding.patch
Patch02: openssh-6.6p1-lastlog.patch
Patch03: openssh-6.6p1-pam-fix2.patch
Patch04: openssh-6.6p1-saveargv-fix.patch
Patch05: openssh-6.6p1-pam-fix3.patch
Patch06: openssh-6.6p1-gssapimitm.patch
Patch07: openssh-6.6p1-eal3.patch
Patch08: openssh-6.6p1-blocksigalrm.patch
Patch09: openssh-6.6p1-send_locale.patch
Patch10: openssh-6.6p1-xauthlocalhostname.patch
Patch11: openssh-6.6p1-xauth.patch
Patch12: openssh-6.6p1-default-protocol.patch
Patch13: openssh-6.6p1-pts.patch
Patch14: openssh-6.6p1-pam-check-locks.patch
Patch15: openssh-6.6p1-fingerprint_hash.patch
Patch16: openssh-6.6p1-disable_short_DH_parameters.patch
Patch17: openssh-6.6p1-remove_moduli_under_1536b.patch
Patch18: openssh-6.6p1-fips.patch
Patch19: openssh-6.6p1-fips-checks.patch
Patch20: openssh-6.6p1-audit1-remove_duplicit_audit.patch
Patch21: openssh-6.6p1-audit2-better_audit_of_user_actions.patch
Patch22: openssh-6.6p1-audit3-key_auth_usage.patch
Patch23: openssh-6.6p1-audit3-key_auth_usage-fips.patch
Patch24: openssh-6.6p1-audit4-kex_results.patch
Patch25: openssh-6.6p1-audit4-kex_results-fips.patch
Patch26: openssh-6.6p1-audit5-session_key_destruction.patch
Patch27: openssh-6.6p1-audit6-server_key_destruction.patch
Patch28: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
Patch29: openssh-6.6p1-seed-prng.patch
Patch30: openssh-6.6p1-gssapi_key_exchange.patch
Patch31: openssh-6.6p1-login_options.patch
Patch32: openssh-6.6p1-disable-openssl-abi-check.patch
Patch33: openssh-6.6p1-no_fork-no_pid_file.patch
Patch34: openssh-6.6p1-host_ident.patch
Patch35: openssh-6.6p1-sftp_homechroot.patch
Patch36: openssh-6.6p1-sftp_force_permissions.patch
Patch37: openssh-6.6p1-seccomp_getuid.patch
Patch38: openssh-6.6p1-seccomp_stat.patch
Patch39: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch40: openssh-6.6p1-ldap.patch
Patch41: openssh-6.6p1-cavstest-ctr.patch
Patch42: openssh-6.6p1-cavstest-kdf.patch
Patch43: openssh-6.6p1-IPv6_X_forwarding.patch
Patch44: openssh-6.6p1-check_sshfp_for_certs.patch
Patch45: openssh-6.6p1-ignore_postauth_SIGXFSZ.patch
Patch46: openssh-6.6p1-sftp_procfs_restrictions.patch
Patch47: openssh-6.6p1-X11_forwarding_timeout.patch
Patch48: openssh-6.6p1-agent_locking_hardening.patch
Patch49: openssh-6.6p1-use_each_kbd_method_just_once.patch
Patch50: openssh-6.6p1-pam_privsep_dont_resend_username.patch
Patch51: openssh-6.6p1-pam_privsep_auth_uaf.patch
Patch52: openssh-6.6p1-disable_roaming.patch
Patch53: openssh-6.6p1-sanitise_xauth_input.patch
Patch54: openssh-6.6p1-untrusted_X_forwarding.patch
Patch55: openssh-6.6p1-ignore_PAM_with_UseLogin.patch
Patch56: openssh-6.6p1-prevent_timing_user_enumeration.patch
Patch57: openssh-6.6p1-limit_password_length.patch
Patch58: openssh-6.6p1-avoid_undefined_display_messages.patch
Patch59: openssh-6.6p1-kex_resource_depletion.patch
Patch60: openssh-6.6p1-verify_CIDR_address_ranges.patch
Patch61: openssh-6.6p1-disable_preauth_compression.patch
Patch62: openssh-6.6p1-restrict_pkcs11-modules.patch
Patch63: openssh-6.6p1-prevent_private_key_leakage.patch
Patch64: openssh-6.6p1-ssh_case_insensitive_host_matching.patch
Patch65: openssh-6.6p1-sftp_print_diagnostic_messages.patch
Patch66: openssh-6.6p1-duplicate_kex.patch
Patch67: openssh-6.6p1-stricter_readonly_sftp.patch
Patch68: openssh-6.6p1-systemd-notify.patch
Patch69: openssh-6.6p1-out_of_seq_newkeys.patch
Patch70: openssh-6.6p1-CVE-2018-15473.patch
Patch71: openssh-6.6p1-sftp-client-return-code.patch
Patch73: openssh-6.6p1-rm_ciphers_from_defaults.patch
Patch74: openssh-7.2p2-CVE-2018-20685.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh
Recommends: audit
Recommends: xauth
Recommends: %{name}-helpers = %{version}-%{release}
Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release}
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.
%package fips
Summary: OpenSSH FIPS cryptomodule HMACs
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release}
Obsoletes: %{name}-hmac
%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.
%package cavs
Summary: OpenSSH FIPS cryptomodule CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description cavs
FIPS140 CAVS tests related parts of the OpenSSH package
%prep
%setup -q
%patch00 -p2
%patch01 -p2
%patch02 -p2
%patch03 -p2
%patch04 -p2
%patch05 -p2
%patch06 -p2
%patch07 -p2
%patch08 -p2
%patch09 -p2
%patch10 -p2
%patch11 -p2
%patch12 -p2
%patch13 -p2
%patch14 -p2
%patch15 -p2
%patch16 -p2
%patch17 -p2
%patch18 -p2
%patch19 -p2
%patch20 -p2
%patch21 -p2
%patch22 -p2
%patch23 -p2
%patch24 -p2
%patch25 -p2
%patch26 -p2
%patch27 -p2
%patch28 -p2
%patch29 -p2
%patch30 -p2
%patch31 -p2
%patch32 -p2
%patch33 -p2
%patch34 -p2
%patch35 -p2
%patch36 -p2
%patch37 -p2
%patch38 -p2
%patch39 -p2
%patch40 -p2
%patch41 -p2
%patch42 -p2
%patch43 -p2
%patch44 -p2
%patch45 -p2
%patch46 -p2
%patch47 -p2
%patch48 -p2
%patch49 -p2
%patch50 -p2
%patch51 -p2
%patch52 -p2
%patch53 -p2
%patch54 -p2
%patch55 -p2
%patch56 -p2
%patch57 -p2
%patch58 -p2
%patch59 -p2
%patch60 -p2
%patch61 -p2
%patch62 -p2
%patch63 -p2
%patch64 -p2
%patch65 -p2
%patch66 -p2
%patch67 -p2
%patch68 -p2
%patch69 -p2
%patch70 -p1
%patch71 -p1
%patch73 -p1
%patch74 -p1
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--prefix=%{_prefix} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-tcp-wrappers \
%if %{has_libselinux}
--with-selinux \
%endif
%if %{uses_systemd}
--with-pid-dir=/run \
--with-systemd \
%endif
--with-ssl-engine \
--with-pam \
--with-kerberos5=%{_prefix} \
--with-privsep-path=/var/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
%if %{needs_libedit}
--with-libedit \
%endif
--target=%{_target_cpu}-suse-linux \
### configure end
make %{?_smp_mflags}
#make %%{?_smp_mflags} -C converter
%install
make install DESTDIR=%{buildroot}
#make install DESTDIR=%%{buildroot} -C converter
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -d -m 755 %{buildroot}/var/lib/sshd
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -d -m 755 %{buildroot}%{_initddir}
%if %{uses_systemd}
install -m 0755 %{SOURCE1} .
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
%else
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
install -m 0644 %{SOURCE10} .
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
%endif
install -d -m 755 %{buildroot}/var/adm/fillup-templates
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
%if %{has_fw_dir}
#install firewall definitions format is described here:
#%%{_datadir}/SuSEfirewall2/services/TEMPLATE
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
%if %{uses_systemd}
%service_add_pre sshd.service
%endif
%post
%if %{uses_systemd}
%{fillup_only -n ssh sshd}
%service_add_post sshd.service
%else
%{fillup_and_insserv -n ssh sshd}
%endif
%preun
%if %{uses_systemd}
%service_del_preun sshd.service
%else
%stop_on_removal sshd
%endif
%postun
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here is openssh-fips is not
# present
rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
%if %{uses_systemd}
%service_del_postun sshd.service
%else
%restart_on_update sshd
%{insserv_cleanup}
%endif
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%files
%defattr(-,root,root)
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/ssh/cavs*
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%if %{uses_systemd}
%doc sshd.init
%attr(0644,root,root) %config %{_unitdir}/sshd.service
%else
%attr(0755,root,root) %config %{_initddir}/sshd
%doc sshd.service
%endif
%attr(0755,root,root) %{_bindir}/*
%attr(0755,root,root) %{_sbindir}/*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%exclude %{_libexecdir}/ssh/ssh-ldap*
%attr(0755,root,root) %{_libexecdir}/ssh/*
%attr(0444,root,root) %doc %{_mandir}/man1/*
%attr(0444,root,root) %doc %{_mandir}/man5/*
%attr(0444,root,root) %doc %{_mandir}/man8/*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%if %{has_fw_dir}
%if %{needs_all_dirs}
%dir %{_fwdir}
%dir %{_fwdefdir}
%endif
%config %{_fwdefdir}/sshd
%endif
%files helpers
%defattr(-,root,root)
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips
%defattr(-,root,root)
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
%defattr(-,root,root)
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
%changelog
