File gsi-openssh-openSUSE_Tumbleweed.spec of Package gsi-openssh
#
# spec file for package gsi-openssh
#
# Copyright (c) 2019, 2020 SUSE LLC.
# Copyright (c) 2021 Frank Scheiner, HLRS, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
%endif
%if 0%{?suse_version} >= 1500
%bcond_without tirpc
%else
%bcond_with tirpc
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:GSI-OpenSSH-FIPS@SLE"
%define _tmpenableddir %{_localstatedir}/lib/sshd
%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: gsi-openssh
Version: 8.4p1
Release: 0
Summary: GSI enabled Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pamd
Source3: README.SUSE
#Source4: README.kerberos
Source5: ssh.reg
#Source6: ssh-askpass
Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9: openssh-7.7p1-pts_names_formatting.patch
Patch10: openssh-7.7p1-pam_check_locks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
Patch28: openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
Patch39: openssh-8.1p1-use-openssl-kdf.patch
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch
Patch43: openssh-reenable-dh-group14-sha1-default.patch
Patch44: openssh-fix-ssh-copy-id.patch
Patch45: openssh-8.4p1-ssh_config_d.patch
Patch46: openssh-whitelist-syscalls.patch
Patch47: openssh-8.4p1-vendordir.patch
BuildRequires: audit-devel
BuildRequires: automake
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
BuildRequires: pkgconfig(libfido2)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
Requires: %{name}-clients = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
%if %{with tirpc}
BuildRequires: libtirpc-devel
%endif
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
%endif
Requires(pre): findutils
Requires(pre): grep
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This version of OpenSSH has been modified to support GSI authentication.
This is a dummy package that pulls in both the client and server
components.
%package common
Summary: GSISSH (Secure Shell) common files
Group: Productivity/Networking/SSH
Conflicts: nonfreessh
Conflicts: %{name}-fips < %{version}-%{release}
Conflicts: %{name}-fips > %{version}-%{release}
%description common
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This version of OpenSSH has been modified to support GSI authentication.
This package contains common files for the Secure Shell server and
clients.
%package server
Summary: GSISSH (Secure Shell) server
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Recommends: audit
Requires(pre): findutils
Requires(pre): grep
Requires(post): %fillup_prereq
Requires(post): permissions
Provides: gsi-openssh:%{_sbindir}/gsisshd
%sysusers_requires
%description server
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This version of OpenSSH has been modified to support GSI authentication.
This package contains the Secure Shell daemon, which allows clients to
securely connect to your server.
%package clients
Summary: GSISSH (Secure Shell) client applications
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Provides: gsi-openssh:%{_bindir}/gsissh
%description clients
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This version of OpenSSH has been modified to support GSI authentication.
This package contains clients for making secure connections to Secure
Shell servers.
%package fips
Summary: GSI-OpenSSH FIPS crypto module HMACs
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Conflicts: %{name}-common < %{version}-%{release}
Conflicts: %{name}-common > %{version}-%{release}
Obsoletes: %{name}-hmac
%description fips
This package contains hashes that, together with the main gsi-openssh packages,
form the FIPS certifiable crypto module.
%package cavs
Summary: GSI-OpenSSH FIPS crypto module CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%description cavs
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of GSI-OpenSSH.
%prep
%setup -q -n openssh-%{version}
cp %{SOURCE3} %{SOURCE11} .
%autopatch -p1
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/gsissh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
%build
autoreconf -fiv
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--sysconfdir=%{_sysconfdir}/gsissh \
--libexecdir=%{_libexecdir}/gsissh \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
--with-ssl-engine \
--with-pam \
--with-gsi \
--with-privsep-path=%{_localstatedir}/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
--disable-strip \
--with-audit=linux \
--with-ldap \
--with-xauth=%{_bindir}/xauth \
--with-libedit \
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
%make_build SSH_PROGRAM=%{_bindir}/gsissh
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
%install
%make_install
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_distconfdir}/pam.d
install -m 644 %{SOURCE2} %{buildroot}%{_distconfdir}/pam.d/gsisshd
%else
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/gsisshd
%endif
install -d -m 755 %{buildroot}%{_localstatedir}/lib/gsisshd
install -d -m 755 %{buildroot}%{_sysconfdir}/gsissh/ssh_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/gsissh/sshd_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/gsissh.reg
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/gsisshd.service
ln -s service %{buildroot}%{_sbindir}/rcgsisshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}/sysconfig.gsissh
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/gsissh/sshd_config
# Move /etc to /usr/share/gsissh
mkdir -p %{buildroot}%{_datadir}/gsissh
mv %{buildroot}%{_sysconfdir}/gsissh/moduli %{buildroot}%{_datadir}/gsissh/
mv %{buildroot}%{_sysconfdir}/gsissh/ssh_config %{buildroot}%{_datadir}/gsissh/
mv %{buildroot}%{_sysconfdir}/gsissh/sshd_config %{buildroot}%{_datadir}/gsissh/
%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/gsisshd
%endif
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/gsissh/cavs_driver-gsissh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/gsisshd-gen-keys-start
# Install sysusers.d config for gsisshd user
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/gsisshd.conf
# remove stuff not used by GSI-OpenSSH
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keygen
rm $RPM_BUILD_ROOT%{_sysconfdir}/gsissh/ldap.conf
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-helper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-wrapper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-pkcs11-helper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-keysign
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-sk-helper
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-add.1*
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-agent.1*
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-keyscan.1*
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-keygen.1*
rm $RPM_BUILD_ROOT%{_mandir}/man5/ssh-ldap.conf.5*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-ldap-helper.8*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-pkcs11-helper.8*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-keysign.8*
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-sk-helper.8*
#rm $RPM_BUILD_ROOT%{_prefix}/lib/debug/usr/libexec/gsissh/ssh-keysign-8.4p1-0.x86_64.debug
#rm $RPM_BUILD_ROOT%{_prefix}/lib/debug/usr/libexec/gsissh/ssh-sk-helper-8.4p1-0.x86_64.debug
# add gsi prefix
for f in $RPM_BUILD_ROOT%{_bindir}/* \
$RPM_BUILD_ROOT%{_sbindir}/* \
$RPM_BUILD_ROOT%{_mandir}/man*/* ; do
if [ "`basename $f`" = "gsisshd-gen-keys-start" ]; then
continue
fi
if [ "`basename $f`" = "rcgsisshd" ]; then
continue
fi
mv $f `dirname $f`/gsi`basename $f`
done
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/gsissh \
%{_sbindir}/gsisshd \
%{_libexecdir}/gsissh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
%pre
# Remember whether the gsisshd service was enabled prior to an upgrade. This
# is needed when upgrading to a split-off openssh-server package. The
# %%service_add_post scriptlet (in %%post server) will see it as a new service
# and apply the preset, disabling it. We need to reenable it afterwards if
# necessary.
mkdir -p %{_tmpenableddir} || :
if [ -x %{_bindir}/systemctl ]; then
%{_bindir}/systemctl is-enabled gsisshd > %{_tmpenabledfile} || :
else
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+gsisshd' \
-exec readlink -f {} \; | grep '/etc/init.d/gsisshd$' >/dev/null 2>&1
then echo "enabled" > %{_tmpenabledfile} || :; fi
fi
%pre server -f sshd.pre
%if %{defined _distconfdir}
# move outdated pam.d/*.rpmsave file away
test -f /etc/pam.d/gsisshd.rpmsave && mv -v /etc/pam.d/gsisshd.rpmsave /etc/pam.d/gsisshd.rpmsave.old ||:
%endif
# See %%pre.
mkdir -p %{_tmpenableddir} || :
if [ -x %{_bindir}/systemctl ]; then
%{_bindir}/systemctl is-enabled gsisshd > %{_tmpenabledfile} || :
else
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+gsisshd' \
-exec readlink -f {} \; | grep '/etc/init.d/gsisshd$' >/dev/null 2>&1
then echo "enabled" > %{_tmpenabledfile} || :; fi
fi
%service_add_pre gsisshd.service
%post server
%{fillup_only -n gsissh}
%service_add_post gsisshd.service
#%set_permissions %{_sysconfdir}/gsissh/sshd_config
# Work around %%service_add_post disabling the service on upgrades where
# the package name changed.
if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \
&& [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then
systemctl enable gsisshd || :
fi
rm -f %{_tmpenabledfile}
%preun server
%service_del_preun gsisshd.service
%postun server
# The openssh-fips trigger script for openssh will normally restart gsisshd once
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q gsi-openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart gsisshd.service
else
%service_del_postun gsisshd.service
fi
%if %{defined _distconfdir}
%posttrans server
# Migration to /usr/etc.
test -f /etc/pam.d/gsisshd.rpmsave && mv -v /etc/pam.d/gsisshd.rpmsave /etc/pam.d/gsisshd ||:
%endif
%triggerin -n gsi-openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update gsisshd
#%verifyscript server
#%verify_permissions -e %{_sysconfdir}/gsissh/sshd_config
%files
# gsiopenssh is an empty package that depends on -clients and -server,
# resulting in a clean upgrade path from prior to the split even when
# recommends are disabled.
%files common
%license LICENCE
%doc README.SUSE README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/gsissh
%attr(0755,root,root) %dir %{_datadir}/gsissh
%attr(0600,root,root) %{_datadir}/gsissh/moduli
%attr(0444,root,root) %{_mandir}/man5/gsimoduli.5*
%files server
%attr(0755,root,root) %{_sbindir}/gsisshd
%attr(0755,root,root) %{_sbindir}/rcgsisshd
%attr(0755,root,root) %{_sbindir}/gsisshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/gsisshd
%dir %attr(0755,root,root) %{_sysconfdir}/gsissh/sshd_config.d
%attr(0755,root,root) %dir %{_datadir}/gsissh
%attr(0640,root,root) %{_datadir}/gsissh/sshd_config
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/pam.d/gsisshd
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/gsisshd
%endif
%attr(0644,root,root) %{_unitdir}/gsisshd.service
%attr(0644,root,root) %{_sysusersdir}/gsisshd.conf
%attr(0444,root,root) %{_mandir}/man5/gsisshd_config*
%attr(0444,root,root) %{_mandir}/man8/gsisftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/gsisshd.8*
%attr(0755,root,root) %{_libexecdir}/gsissh/sftp-server
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/gsissh.reg
%{_fillupdir}/sysconfig.gsissh
%if 0%{?suse_version} < 1550
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/gsisshd
%endif
%files clients
#%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gsissh/ssh_config
%attr(0755,root,root) %dir %{_datadir}/gsissh
%dir %attr(0755,root,root) %{_sysconfdir}/gsissh/ssh_config.d
%attr(0644,root,root) %{_datadir}/gsissh/ssh_config
%attr(0755,root,root) %{_bindir}/gsissh
%attr(0755,root,root) %{_bindir}/gsiscp*
%attr(0755,root,root) %{_bindir}/gsisftp*
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
%attr(0444,root,root) %{_mandir}/man1/gsiscp.1*
%attr(0444,root,root) %{_mandir}/man1/gsisftp.1*
%attr(0444,root,root) %{_mandir}/man1/gsissh.1*
%attr(0444,root,root) %{_mandir}/man5/gsissh_config.5*
%files fips
%attr(0444,root,root) %{_bindir}/gsissh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/gsisshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/gsissh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
%attr(0755,root,root) %{_libexecdir}/gsissh/cavs*
%changelog
