File openssh.spec of Package openssh

#
# spec file for package openssh
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
%endif
%define _fwdir      %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir   %{_fwdir}/services
%define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%bcond_without ldap

%if 0%{?suse_version} >= 1550
%bcond_without wtmpdb
%bcond_with allow_root_password_login_by_default
%else
%bcond_with wtmpdb
%bcond_without allow_root_password_login_by_default
%endif

#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name:           openssh
Version:        9.8p1
Release:        0
Summary:        Secure Shell Client and Server (Remote Login Program)
License:        BSD-2-Clause AND MIT
Group:          Productivity/Networking/SSH
URL:            https://www.openssh.com/
Source0:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2:        sshd.pamd
Source3:        README.SUSE
Source4:        README.kerberos
Source5:        ssh.reg
Source6:        ssh-askpass
Source7:        sshd.fw
Source8:        sysconfig.ssh
Source9:        sshd-gen-keys-start
Source10:       sshd.service
Source11:       README.FIPS
Source12:       cavs_driver-ssh.pl
Source13:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14:       sysusers-sshd.conf
Source15:       sshd-sle.pamd
Source16:       sshd@.service
Source17:       sshd.socket
Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
Patch4:         openssh-7.7p1-eal3.patch
Patch6:         openssh-7.7p1-send_locale.patch
Patch7:         openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8:         openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9:         openssh-7.7p1-pts_names_formatting.patch
Patch10:        openssh-7.7p1-pam_check_locks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14:        openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15:        openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
# Local FIPS patchset
Patch17:        openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18:        openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19:        openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20:        openssh-7.7p1-fips_checks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22:        openssh-7.7p1-systemd-notify.patch
Patch23:        openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24:        openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26:        openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27:        openssh-7.7p1-no_fork-no_pid_file.patch
Patch28:        openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29:        openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30:        openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31:        openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32:        openssh-7.7p1-IPv6_X_forwarding.patch
Patch33:        openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34:        openssh-7.9p1-keygen-preserve-perms.patch
Patch35:        openssh-7.9p1-revert-new-qos-defaults.patch
Patch36:        openssh-8.1p1-seccomp-clock_nanosleep.patch
Patch37:        openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Patch38:        openssh-8.1p1-seccomp-clock_gettime64.patch
Patch39:        openssh-8.1p1-use-openssl-kdf.patch
Patch40:        openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41:        openssh-fips-ensure-approved-moduli.patch
Patch42:        openssh-link-with-sk.patch
Patch43:        openssh-reenable-dh-group14-sha1-default.patch
Patch45:        openssh-8.4p1-ssh_config_d.patch
Patch46:        openssh-whitelist-syscalls.patch
Patch47:        openssh-8.4p1-vendordir.patch
Patch48:        openssh-8.4p1-pam_motd.patch
Patch49:        openssh-do-not-send-empty-message.patch
Patch50:        openssh-openssl-3.patch
Patch51:        wtmpdb.patch
Patch52:        logind_set_tty.patch
Patch54:        openssh-mitigate-lingering-secrets.patch
Patch102:       openssh-7.8p1-role-mls.patch
Patch103:       openssh-6.6p1-privsep-selinux.patch
Patch104:       openssh-6.6p1-keycat.patch
Patch105:       openssh-6.6.1p1-selinux-contexts.patch
Patch106:       openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107:       openssh-9.6p1-crypto-policies.patch
Patch108:       openssh-9.6p1-crypto-policies-man.patch
Patch109:       fix-memleak-in-process_server_config_line_depth.patch
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
Patch110:       fix-audit-fail-attempt.patch
%if 0%{with allow_root_password_login_by_default}
Patch1000:      openssh-7.7p1-allow_root_password_login.patch
%endif
BuildRequires:  audit-devel
BuildRequires:  automake
%if 0%{?sle_version} >= 150500
BuildRequires:  gcc11
%endif
BuildRequires:  groff
BuildRequires:  libedit-devel
BuildRequires:  libselinux-devel
%if %{with ldap}
BuildRequires:  openldap2-devel
%endif
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
BuildRequires:  pkgconfig
BuildRequires:  zlib-devel
BuildRequires:  pkgconfig(libfido2) >= 1.2.0
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  sysuser-shadow
BuildRequires:  sysuser-tools
Requires:       %{name}-clients = %{version}-%{release}
Requires:       %{name}-server = %{version}-%{release}
%if 0%{?suse_version} >= 1550
BuildRequires:  pkgconfig(krb5)
%else
BuildRequires:  krb5-mini-devel
%endif
%if %{with wtmpdb}
BuildRequires:  pkgconfig(libwtmpdb)
%endif
Requires(pre):  findutils
Requires(pre):  grep

%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.

This is a dummy package that pulls in both the client and server
components.

%package common
Summary:        SSH (Secure Shell) common files
Group:          Productivity/Networking/SSH
Conflicts:      nonfreessh
Conflicts:      %{name}-fips < %{version}-%{release}
Conflicts:      %{name}-fips > %{version}-%{release}

%description common
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.

This package contains common files for the Secure Shell server and
clients.

%package server
Summary:        SSH (Secure Shell) server
Group:          Productivity/Networking/SSH
Requires:       %{name}-common = %{version}-%{release}
Requires:       crypto-policies >= 20220824
Recommends:     audit
Requires(pre):  findutils
Requires(pre):  grep
Requires(post): %fillup_prereq
Requires(post): permissions
Provides:       openssh:%{_sbindir}/sshd
%if 0%{with allow_root_password_login_by_default}
# For a brief period of time this package existed in SLE/Leap.
# It was removed before GM but some people might have it from
# a beta distribution version (boo#1227350)
Obsoletes:      openssh-server-config-rootlogin <= %{version}
%endif
%sysusers_requires

%description server
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.

This package contains the Secure Shell daemon, which allows clients to
securely connect to your server.

%if 0%{with allow_root_password_login_by_default}
%package server-config-disallow-rootlogin
Summary:        Config to disallow password root logins to sshd
Group:          Productivity/Networking/SSH
Requires:       %{name}-server = %{version}-%{release}
Conflicts:      %{name}-server-config-rootlogin

%description server-config-disallow-rootlogin
The openssh-server package by default allows password based
root logins. This package provides a config that disallows root
to log in using the passwor. It's useful to secure your system
preventing password attacks on the root account over ssh.
%else
%package server-config-rootlogin
Summary:        Config to permit root logins to sshd
Group:          Productivity/Networking/SSH
Requires:       %{name}-server = %{version}-%{release}
Conflicts:      %{name}-server-config-disallow-rootlogin

%description server-config-rootlogin
The openssh-server package by default disallows password based
root logins. This package provides a config that does. It's useful
to temporarily have a password based login to be able to use
ssh-copy-id(1).
%endif

%package clients
Summary:        SSH (Secure Shell) client applications
Group:          Productivity/Networking/SSH
Requires:       crypto-policies >= 20220824
Requires:       %{name}-common = %{version}-%{release}
Provides:       openssh:%{_bindir}/ssh

%description clients
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.

This package contains clients for making secure connections to Secure
Shell servers.

%if %{with ldap}
%package helpers
Summary:        OpenSSH AuthorizedKeysCommand helpers
Group:          Productivity/Networking/SSH
Requires:       %{name}-common = %{version}-%{release}

%description helpers
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.

This package contains helper applications for OpenSSH which retrieve
keys from various sources.
%endif

%package fips
Summary:        OpenSSH FIPS crypto module HMACs
Group:          Productivity/Networking/SSH
Requires:       %{name}-common = %{version}-%{release}
Conflicts:      %{name}-common < %{version}-%{release}
Conflicts:      %{name}-common > %{version}-%{release}
Obsoletes:      %{name}-hmac

%description fips
This package contains hashes that, together with the main openssh packages,
form the FIPS certifiable crypto module.

%package cavs
Summary:        OpenSSH FIPS crypto module CAVS tests
Group:          Productivity/Networking/SSH
Requires:       %{name}-common = %{version}-%{release}

%description cavs
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of OpenSSH.

%prep
%setup -q
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .

%autopatch -p1

# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
    $( grep -Rl @LIBEXECDIR@ \
        $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
    )

%build
%if 0%{?sle_version} >= 150500
export CC=gcc-11
%endif
autoreconf -fiv
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
    --sysconfdir=%{_sysconfdir}/ssh \
    --libexecdir=%{_libexecdir}/ssh \
    --with-selinux \
    --with-pid-dir=/run \
    --with-systemd \
    --with-ssl-engine \
    --with-pam \
    --with-kerberos5=%{_prefix} \
    --with-privsep-path=%{_localstatedir}/lib/empty \
%if %{sandbox_seccomp}
    --with-sandbox=seccomp_filter \
%else
    --with-sandbox=rlimit \
%endif
    --disable-strip \
    --with-audit=linux \
%if %{with ldap}
    --with-ldap \
%endif
    --with-xauth=%{_bindir}/xauth \
    --with-libedit \
%if %{with wtmpdb}
    --with-wtmpdb \
%endif
%if 0%{?suse_version} >= 1550
    --disable-lastlog \
    --with-logind \
%endif
    --enable-dsa-keys \
    --with-security-key-builtin \
    --target=%{_target_cpu}-suse-linux

%make_build
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf

%install
%make_install
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
%else
# SLE has no distconfdir, so use sle PAM config
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
%endif
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
%if 0%{?suse_version} < 1600
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
%endif
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
ln -s service %{buildroot}%{_sbindir}/rcsshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config

%if 0%{with allow_root_password_login_by_default}
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif

# Move /etc to /usr/etc/ssh
%if %{defined _distconfdir}
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
%if 0%{with allow_root_password_login_by_default}
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%endif

install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir}
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif

%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif

# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start

# Install sysusers.d config for sshd user
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf

rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
#rm -r %{buildroot}/usr/lib/debug/.build-id

# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
        %{_bindir}/ssh \
        %{_sbindir}/sshd \
        %{_libexecdir}/ssh/sftp-server \
        ; do
    openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done

}}

%pre server -f sshd.pre
%if %{defined _distconfdir}
# Prepare for migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
%endif

%service_add_pre sshd.service sshd.socket

%post server
%{fillup_only -n ssh}
%service_add_post sshd.service sshd.socket

%if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
    echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
    echo "be honored until the following line is added at the start of"
    echo "/etc/ssh/sshd_config :"
    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif

%preun server
%service_del_preun sshd.service sshd.socket

%postun server
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart sshd.service sshd.socket
else
%service_del_postun sshd.service sshd.socket
fi

%if ! %{defined _distconfdir}
%post server-config-disallow-rootlogin
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
    echo " /etc/ssh/sshd_config.d/ . The config file installed by"
    echo "openssh-server-config-disallow-rootlogin won't be used until"
    echo "the following line is added at the start of /etc/ssh/sshd_config :"
    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif

%if %{defined _distconfdir}
%posttrans server
# Migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
%endif

%if %{defined _distconfdir}
%pre clients
# Prepare for migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
%endif

%if ! %{defined _distconfdir}
%post clients
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
    echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
    echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
    echo "be honored until the following line is added at the start of"
    echo "/etc/ssh/ssh_config :"
    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
%endif

%if %{defined _distconfdir}
%posttrans clients
# Migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
%endif

%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd

%files
# openssh is an empty package that depends on -clients and -server,
# resulting in a clean upgrade path from prior to the split even when
# recommends are disabled.

%files common
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
%else
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
%endif
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen*

%files server
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/rcsshd
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
%attr(0644,root,root) %{_pam_vendordir}/sshd
%else
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif
%if %{defined _distconfdir}
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
%if 0%{?suse_version} < 1600
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%endif
%{_fillupdir}/sysconfig.ssh
%if 0%{?suse_version} < 1550
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/sshd
%endif

%if 0%{with allow_root_password_login_by_default}
%files server-config-disallow-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%endif
%else
%files server-config-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%endif

%files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%endif
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp*
%attr(0755,root,root) %{_bindir}/ssh-add*
%attr(0755,root,root) %{_bindir}/ssh-agent*
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
%attr(0444,root,root) %{_mandir}/man1/scp.1*
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*

%if %{with ldap}
%files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%endif

%files fips
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}

%files cavs
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*

%changelog
openSUSE Build Service is sponsored by