#
# spec file for package gsi-openssh
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019, 2020 Frank Scheiner, HLRS, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# Privilege-separation sandbox: seccomp filter on every arch except ppc,
# which falls back to the rlimit sandbox (see the configure call in build).
%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
%endif
# Build against libtirpc on suse_version 1500 and newer.
%if 0%{?suse_version} >= 1500
%bcond_without tirpc
%else
%bcond_with tirpc
%endif
# Distribution tag; every distribution-specific Source and Patch file name
# carries it as a suffix.
%define DIST SLE_15_SP1
# SuSEfirewall2 service-definition directories.
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
# Evaluated through a shell escape at spec parse time; it needs xmkmf (imake)
# on the build host, which is not in BuildRequires, and the macro is not
# referenced anywhere below as far as visible here -- presumably a leftover,
# confirm before relying on it.
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
# Suffix and key for the FIPS integrity HMACs computed at the end of install.
# The key is a fixed, public string, so the .hmac files are an integrity
# marker tied to this build, not a secret-keyed MAC.
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:GSI-OpenSSH-FIPS@SLE"
# Compat fallback for the _fillupdir macro introduced in Nov 2017.
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: gsi-openssh
Version: 7.9p1
Release: 1
Summary: GSI and HPN enabled Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: http://www.openssh.com/
# Upstream tarball plus its detached signature. Nothing visible in this spec
# checks Source1 against a keyring (no keyring source, no gpg call in prep);
# any verification would have to come from the build service -- confirm.
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
# Distribution-specific config, docs and helper scripts (DIST suffix).
Source2: gsisshd-%{DIST}.pamd
Source3: README-%{DIST}.SUSE
#Source4: README.kerberos
Source5: gsissh-%{DIST}.reg
Source6: ssh-askpass-%{DIST}
Source7: gsisshd-%{DIST}.fw
Source8: sysconfig-%{DIST}.gsissh
Source9: gsisshd-gen-keys-start-%{DIST}
Source10: gsisshd-%{DIST}.service
Source11: README-%{DIST}.FIPS
Source12: cavs_driver-ssh-%{DIST}.pl
# Patches are applied in numeric order by autopatch in prep. Most are the
# SUSE openssh patch set; gaps in the numbering are intentional.
Patch0: openssh-7.7p1-allow_root_password_login-%{DIST}.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding-%{DIST}.patch
Patch3: openssh-7.7p1-enable_PAM_by_default-%{DIST}.patch
Patch4: openssh-7.7p1-eal3-%{DIST}.patch
Patch6: openssh-7.7p1-send_locale-%{DIST}.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X-%{DIST}.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit-%{DIST}.patch
Patch9: openssh-7.7p1-pts_names_formatting-%{DIST}.patch
Patch10: openssh-7.7p1-pam_check_locks-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11-%{DIST}.patch
# Local FIPS patchset
Patch17: openssh-7.7p1-fips-%{DIST}.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr-%{DIST}.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf-%{DIST}.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks-%{DIST}.patch
Patch21: openssh-7.7p1-seed-prng-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify-%{DIST}.patch
Patch23: openssh-7.7p1-gssapi_key_exchange-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-7.7p1-audit-%{DIST}.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file-%{DIST}.patch
Patch28: openssh-7.7p1-host_ident-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6-%{DIST}.patch
# Referenced by name from prep (the LIBEXECDIR substitution).
Patch31: openssh-7.7p1-ldap-%{DIST}.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding-%{DIST}.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages-%{DIST}.patch
Patch34: openssh-openssl-1_0_0-compatibility-%{DIST}.patch
# Locally carried security fixes (scp file-name handling and related).
Patch35: openssh-7.9p1-CVE-2018-20685-%{DIST}.patch
Patch36: openssh-CVE-2019-6109-sanitize-scp-filenames-%{DIST}.patch
Patch37: openssh-CVE-2019-6109-force-progressmeter-update-%{DIST}.patch
Patch38: openssh-CVE-2019-6111-scp-client-wildcard-%{DIST}.patch
Patch39: openssh-7.9p1-brace-expansion-%{DIST}.patch
Patch40: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to-%{DIST}.patch
Patch41: openssh-7.9p1-revert-new-qos-defaults-%{DIST}.patch
Patch42: openssh-7.9p1-keygen-preserve-perms-%{DIST}.patch
# GSI, gsskex and HPN support, adapted from the Fedora 31 gsi-openssh package.
Patch43: openssh-7.9p1-gsissh--from-fedora-31-gsi-openssh-package-modified-%{DIST}.patch
Patch44: openssh-7.9p1-match-final--from-fedora-31-gsi-openssh-package-modified-%{DIST}.patch
Patch45: openssh-7.9p1-gsskex-method--from-fedora-31-gsi-openssh-package-modified-%{DIST}.patch
Patch46: openssh-7.9p1-gsissh-fix-%{DIST}.patch
Patch47: openssh-7.9p1-hpn-14.18-modified-%{DIST}.patch
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
BuildRequires: pkgconfig(libsystemd)
# Globus GSI libraries needed by the GSI patches (--with-gsi in build).
BuildRequires: globus-gss-assist-devel >= 8
BuildRequires: globus-gssapi-gsi-devel >= 12.12
BuildRequires: globus-common-devel >= 14
Requires(post): %fillup_prereq
# pwdutils provides the groupadd/useradd called from pre.
Requires(pre): pwdutils
# No helpers subpackage is defined in this spec, so this Recommends names a
# package that does not exist here -- presumably a leftover, confirm.
Recommends: %{name}-helpers = %{version}-%{release}
Recommends: audit
Recommends: xauth
# Pin the fips subpackage to exactly this version-release (both directions):
# its .hmac files are computed over the binaries shipped by this package.
Conflicts: %{name}-fips < %{version}-%{release}
Conflicts: %{name}-fips > %{version}-%{release}
Conflicts: nonfreessh
%{?systemd_requires}
%if %{with tirpc}
BuildRequires: libtirpc-devel
%endif
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
%endif
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides secure, encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This version of OpenSSH has been modified to support GSI authentication and High Performance Networking.
%package fips
Summary: OpenSSH FIPS cryptomodule HMACs
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
Conflicts: %{name} < %{version}-%{release}
Conflicts: %{name} > %{version}-%{release}
Obsoletes: %{name}-hmac
%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.
%package cavs
Summary: OpenSSH FIPS cryptomodule CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name} = %{version}-%{release}
%description cavs
Parts of the GSI-OpenSSH package related to the FIPS 140 CAVS tests.
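%prep
%setup -q -n openssh-%{version}
cp %{SOURCE3} ./README.SUSE
cp %{SOURCE11} ./README.FIPS
%autopatch -p1
# Substitute the libexec dir into the files touched by the LDAP patch. The
# file list is taken from the "+++" headers of the patch itself, so the patch
# must be addressed through its PATCH31 macro (full path in the source dir):
# the file on disk carries the DIST suffix and is not in the unpacked tree,
# and a non-existent name would make grep -R fall back to scanning the whole
# tree instead of the intended files.
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/gsissh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)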
%build
# Regenerate the autotools output before configuring.
autoreconf -fiv
# Position-independent executables (paired with -pie in LDFLAGS below);
# s390/sparc use -fPIE, every other arch -fpie.
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
# Stack protector on top of the distro optflags. CPPFLAGS is exported but
# left unset here (the USE_INTERNAL_B64 line is commented out).
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
# Config and libexec live under a gsissh subdirectory so the package can
# presumably coexist with the regular openssh. Sandbox: seccomp filter unless
# sandbox_seccomp is 0 (ppc), then rlimit. Binaries are deliberately not
# stripped here: the os_install_post override in install strips them and only
# then computes the FIPS HMACs.
%configure \
--sysconfdir=%{_sysconfdir}/gsissh \
--libexecdir=%{_libexecdir}/gsissh \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
--with-ssl-engine \
--with-pam \
--with-gsi \
--with-privsep-path=%{_localstatedir}/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
--with-libedit \
--target=%{_target_cpu}-suse-linux
# SSH_PROGRAM is the client path compiled into the helpers (presumably what
# scp/sftp execute); it must be the gsi-prefixed name because the plain ssh
# binary is renamed in install.
make %{?_smp_mflags} SSH_PROGRAM=%{_bindir}/gsissh
#make tests || /bin/true
%install
%make_install
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
# Home directory of the gsisshd account created in pre.
install -d -m 755 %{buildroot}%{_localstatedir}/lib/gsisshd
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/gsisshd
# SLP registration, systemd unit, rc symlink and sysconfig template.
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/gsissh.reg
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/gsisshd.service
ln -s service %{buildroot}%{_sbindir}/rcgsisshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}/sysconfig.gsissh
# Point sshd_config at the real libexecdir in case it differs from prefix/libexec.
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/gsissh/sshd_config
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/gsisshd
# askpass wrapper and CAVS driver, with the libexec dir substituted in. Both
# are written by redirection, so their final mode comes from the attr in the
# files list, not from here.
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/gsissh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/gsissh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/gsisshd-gen-keys-start
# remove stuff not used by GSI-OpenSSH: agent, add, keyscan, the ldap helper
# and wrapper, the pkcs11 helper, and their man pages. Consequently the
# ssh-ldap excludes in the files list match nothing.
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
rm $RPM_BUILD_ROOT%{_sysconfdir}/gsissh/ldap.conf
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-helper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-wrapper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-pkcs11-helper
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-add.1*
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-agent.1*
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-keyscan.1*
rm $RPM_BUILD_ROOT%{_mandir}/man5/ssh-ldap.conf.5*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-ldap-helper.8*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-pkcs11-helper.8*
# add gsi prefix to every program and man page (libexec is left alone); the
# two SUSE wrappers installed above already carry their final names.
for f in $RPM_BUILD_ROOT%{_bindir}/* \
$RPM_BUILD_ROOT%{_sbindir}/* \
$RPM_BUILD_ROOT%{_mandir}/man*/* ; do
if [ "`basename $f`" = "gsisshd-gen-keys-start" ]; then
continue
fi
if [ "`basename $f`" = "rcgsisshd" ]; then
continue
fi
mv $f `dirname $f`/gsi`basename $f`
done
# the FIPS integrity hmac hashes - same scheme as the openssl package.
#
# re-define the __os_install_post macro: the stock macro strips the binaries
# and thereby would invalidate any hashes created before it runs, so the
# hashing is appended to the macro and happens after stripping. The key is
# the fixed, public CHECKSUM_HMAC_KEY from the top of the spec, i.e. these
# files are integrity markers for this exact build, not secrets.
#
# this has to appear here in install because otherwise the expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/gsissh \
%{_sbindir}/gsisshd \
%{_libexecdir}/gsissh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
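%pre
# System account for the daemon (presumably its privilege-separation user;
# which configure option or patch selects it is not visible here). Home is the
# root-owned directory packaged in the files list, login shell is /bin/false.
getent group gsisshd >/dev/null || %{_sbindir}/groupadd -r gsisshd
getent passwd gsisshd >/dev/null || %{_sbindir}/useradd -r -g gsisshd -d %{_localstatedir}/lib/gsisshd -s /bin/false -c "GSI-SSH daemon" gsisshd
# Must name this package's own unit, gsisshd.service (installed in install and
# used by post, preun and postun); sshd.service belongs to the regular openssh
# package and is not ours to touch.
%service_add_pre gsisshd.service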
%post
# Merge the packaged sysconfig template into /etc/sysconfig; see the
# fillup_only macro for the exact template-to-file mapping.
%{fillup_only -n gsissh gsisshd}
%service_add_post gsisshd.service
# sshd_config is listed with verify(not mode); its mode is managed by the
# permissions mechanism instead of plain rpm verification.
%set_permissions %{_sysconfdir}/gsissh/sshd_config
%preun
# Standard SUSE pre-removal handling for this package's unit.
%service_del_preun gsisshd.service
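%postun
# The gsi-openssh-fips trigger (triggerin below) restarts gsisshd once that
# subpackage is installed, so skip the restart here when it is present;
# DISABLE_RESTART_ON_UPDATE is what service_del_postun honours for that.
# POSIX redirection is used instead of the bash-only ">&" form because
# scriptlets run under /bin/sh.
rpm -q gsi-openssh-fips >/dev/null 2>&1 && DISABLE_RESTART_ON_UPDATE=yes
%service_del_postun gsisshd.service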
%triggerin -n gsi-openssh-fips -- %{name} = %{version}-%{release}
# Fires when the fips subpackage is installed alongside this exact
# version-release (or this package is updated while it is present): restart
# the daemon, presumably so the running binaries match the freshly installed
# HMAC files. postun relies on this and skips its own restart in that case.
%restart_on_update gsisshd
%verifyscript
# rpm -V hook: check the sshd_config mode through the permissions mechanism,
# complementing the verify(not mode) flag on that file in the files list.
%verify_permissions -e %{_sysconfdir}/gsissh/sshd_config
%files
# The .hmac files and the CAVS driver go into the fips and cavs subpackages.
%exclude %{_bindir}/gsissh%{CHECKSUM_SUFFIX}
%exclude %{_sbindir}/gsisshd%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/gsissh/sftp-server%{CHECKSUM_SUFFIX}
%exclude %{_libexecdir}/gsissh/cavs*
# Home of the gsisshd account created in pre; root-owned, not writable by it.
%dir %attr(755,root,root) %{_localstatedir}/lib/gsisshd
%license LICENCE
%doc README.SUSE HPN-README README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/gsissh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/gsissh/moduli
# The mode of both config files is managed via set_permissions (post) and
# verify_permissions (verifyscript) rather than by rpm -V.
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gsissh/ssh_config
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/gsissh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/gsisshd
%attr(0644,root,root) %{_unitdir}/gsisshd.service
# Everything in bindir/sbindir was gsi-prefixed by the rename loop in install
# (except rcgsisshd and gsisshd-gen-keys-start).
%attr(0755,root,root) %{_bindir}/*
%attr(0755,root,root) %{_sbindir}/*
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
# ssh-ldap-helper/-wrapper and their man pages are deleted in install, so this
# exclude and the two man-page ones below match nothing -- leftovers, presumably.
%exclude %{_libexecdir}/gsissh/ssh-ldap*
# NOTE(review): this glob also covers ssh-keysign if the build installs it;
# it would then be packaged 0755 rather than setuid, which is the safer
# default but means host-based authentication cannot work -- confirm intent.
%attr(0755,root,root) %{_libexecdir}/gsissh/*
%attr(0444,root,root) %{_mandir}/man1/*
%attr(0444,root,root) %{_mandir}/man5/*
%attr(0444,root,root) %{_mandir}/man8/*
%exclude %{_mandir}/man5/ssh-ldap*
%exclude %{_mandir}/man8/ssh-ldap*
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/gsissh.reg
%{_fillupdir}/sysconfig.gsissh
# SuSEfirewall2 service definition (directories are owned here too).
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/gsisshd
%files fips
# HMACs computed over the stripped binaries by the os_install_post override
# in install; read-only, and version-locked to the main package via the
# Conflicts pairs in the preamble.
%attr(0444,root,root) %{_bindir}/gsissh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/gsisshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/gsissh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
# The CAVS test binaries from the cavstest patches plus the perl driver
# generated in install (cavs_driver-ssh.pl).
%attr(0755,root,root) %{_libexecdir}/gsissh/cavs*
%changelog