Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
openssh.14161
openssh.spec
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssh.spec of Package openssh.14161
# # spec file for package openssh # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates %endif %if 0%{suse_version} >= 1100 %define has_fw_dir 1 %else %define has_fw_dir 0 %endif %if 0%{suse_version} >= 1110 %define has_libselinux 1 %else %define has_libselinux 0 %endif %if 0%{?suse_version} >= 1130 %define needs_all_dirs 1 %else %define needs_all_dirs 0 %endif %if 0%{?suse_version} >= 1140 %define needs_libedit 1 %else %define needs_libedit 0 %endif %if 0%{?suse_version} > 1140 %define has_krb_mini 1 %else %define has_krb_mini 0 %endif %if 0%{?suse_version} > 1220 %define uses_systemd 1 %else %define uses_systemd 0 %endif %define sandbox_seccomp 0 %if 0%{?suse_version} > 1220 %define sandbox_seccomp 1 %endif %if 0%{?suse_version} >= 1500 %define use_tirpc 1 %endif %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_fwdir}/services %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %{!?_initddir:%global _initddir %{_initrddir}} Name: openssh BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff %if %{has_krb_mini} BuildRequires: krb5-mini-devel %else BuildRequires: krb5-devel %endif %if %{needs_libedit} BuildRequires: libedit-devel %endif %if %{has_libselinux} BuildRequires: libselinux-devel %endif BuildRequires: openldap2-devel BuildRequires: openssl-devel BuildRequires: pam-devel %if 0%{?use_tirpc} BuildRequires: libtirpc-devel %endif %if %{uses_systemd} BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(systemd) %{?systemd_requires} %endif PreReq: pwdutils %{fillup_prereq} coreutils %if ! %{uses_systemd} PreReq: %{insserv_prereq} %endif Version: 7.6p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT Group: Productivity/Networking/SSH Url: http://www.openssh.com/ Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: sshd.init Source2: sshd.pamd Source3: README.SUSE Source4: README.kerberos Source5: ssh.reg Source6: ssh-askpass Source7: sshd.fw Source8: sysconfig.ssh Source9: sshd-gen-keys-start Source10: sshd.service Source11: README.FIPS Source12: cavs_driver-ssh.pl Patch0: openssh-7.6p1-allow_root_password_login.patch Patch1: openssh-7.6p1-X11_trusted_forwarding.patch Patch2: openssh-7.6p1-lastlog.patch Patch3: openssh-7.6p1-enable_PAM_by_default.patch Patch4: openssh-7.6p1-eal3.patch Patch5: openssh-7.6p1-blocksigalrm.patch Patch6: openssh-7.6p1-send_locale.patch Patch7: openssh-7.6p1-hostname_changes_when_forwarding_X.patch Patch8: openssh-7.6p1-remove_xauth_cookies_on_exit.patch Patch9: openssh-7.6p1-pts_names_formatting.patch Patch10: openssh-7.6p1-pam_check_locks.patch Patch12: openssh-7.6p1-seccomp_getuid.patch Patch13: openssh-7.6p1-seccomp_geteuid.patch Patch14: openssh-7.6p1-seccomp_stat.patch Patch15: openssh-7.6p1-seccomp_ipc_flock.patch Patch16: openssh-7.6p1-seccomp_ioctl_s390_EP11.patch Patch17: openssh-7.6p1-fips.patch Patch18: openssh-7.6p1-cavstest-ctr.patch Patch19: openssh-7.6p1-cavstest-kdf.patch Patch20: openssh-7.6p1-fips_checks.patch Patch21: openssh-7.6p1-missing_headers.patch Patch22: openssh-7.6p1-seed-prng.patch Patch23: openssh-7.6p1-systemd-notify.patch Patch24: openssh-7.6p1-gssapi_key_exchange.patch Patch25: openssh-7.6p1-audit.patch Patch26: openssh-7.6p1-openssl_1.1.0.patch Patch27: openssh-7.6p1-disable_openssl_abi_check.patch Patch28: openssh-7.6p1-no_fork-no_pid_file.patch Patch29: openssh-7.6p1-host_ident.patch Patch30: openssh-7.6p1-sftp_force_permissions.patch Patch31: openssh-7.6p1-X_forward_with_disabled_ipv6.patch Patch32: openssh-7.6p1-ldap.patch Patch33: openssh-7.6p1-IPv6_X_forwarding.patch Patch34: openssh-7.6p1-sftp_print_diagnostic_messages.patch Patch35: openssh-7.6p1-CVE-2018-15473.patch Patch36: openssh-7.6p1-sftp-client-return-code.patch Patch37: openssh-7.9p1-CVE-2018-20685.patch Patch38: openssh-CVE-2019-6109-sanitize-scp-filenames.patch Patch39: openssh-CVE-2019-6109-force-progressmeter-update.patch Patch40: openssh-CVE-2019-6111-scp-client-wildcard.patch Patch41: openssh-7.9p1-brace-expansion.patch Patch42: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch Patch43: openssh-7.6p1-audit_race_condition.patch Patch44: openssh-8.1p1-use-openssl-kdf.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Conflicts: nonfreessh Recommends: audit Recommends: xauth Recommends: %{name}-helpers = %{version}-%{release} Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release} %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" %description SSH (Secure Shell) is a program for logging into and executing commands on a remote machine. It is intended to replace rsh (rlogin and rsh) and provides openssl (secure encrypted communication) between two untrusted hosts over an insecure network. xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH Requires: %{name} = %{version}-%{release} %description helpers Helper applications for OpenSSH which retrieve keys from various sources. %package fips Summary: OpenSSH FIPS cryptomodule HMACs Group: Productivity/Networking/SSH Requires: %{name} = %{version}-%{release} Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release} Obsoletes: %{name}-hmac %description fips Hashes that together with the main package form the FIPS certifiable cryptomodule. %package cavs Summary: OpenSSH FIPS cryptomodule CAVS tests Group: Productivity/Networking/SSH Requires: %{name} = %{version}-%{release} %description cavs FIPS140 CAVS tests related parts of the OpenSSH package %prep %setup -q cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . %autopatch -p1 # set libexec dir in the LDAP patch sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ $( grep -Rl @LIBEXECDIR@ \ $( grep "^+++" $PATCH_DIR/openssh-7.6p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) ) %build autoreconf -fiv %ifarch s390 s390x %sparc PIEFLAGS="-fPIE" %else PIEFLAGS="-fpie" %endif CFLAGS="%{optflags} $PIEFLAGS -fstack-protector" CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector" LDFLAGS="-pie -Wl,--as-needed" #CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64" export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS %configure \ --prefix=%{_prefix} \ --mandir=%{_mandir} \ --infodir=%{_infodir} \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/ssh \ --with-tcp-wrappers \ %if %{has_libselinux} --with-selinux \ %endif %if %{uses_systemd} --with-pid-dir=/run \ --with-systemd \ %endif --with-ssl-engine \ --with-pam \ --with-kerberos5=%{_prefix} \ --with-privsep-path=/var/lib/empty \ %if %{sandbox_seccomp} --with-sandbox=seccomp_filter \ %else --with-sandbox=rlimit \ %endif %ifnarch s390 s390x --with-opensc \ %endif --disable-strip \ --with-audit=linux \ --with-ldap \ --with-xauth=%{_bindir}/xauth \ %if %{needs_libedit} --with-libedit \ %endif --with-ssh1 \ --target=%{_target_cpu}-suse-linux \ ### configure end make %{?_smp_mflags} #make %{?_smp_mflags} -C converter %install make install DESTDIR=%{buildroot} #make install DESTDIR=%{buildroot} -C converter install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d install -d -m 755 %{buildroot}/var/lib/sshd install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ install -d -m 755 %{buildroot}%{_initddir} %if %{uses_systemd} install -m 0755 %{SOURCE1} . install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd %else install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd install -m 0644 %{SOURCE10} . ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd %endif install -d -m 755 %{buildroot}%{_fillupdir} install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir} # install shell script to automate the process of adding your public key to a remote machine install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@/usr/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config %if %{has_fw_dir} #install firewall definitions format is described here: #%{_datadir}/SuSEfirewall2/services/TEMPLATE mkdir -p %{buildroot}%{_fwdefdir} install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd %endif # askpass wrapper sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl rm -f %{buildroot}%{_datadir}/Ssh.bin # sshd keys generator wrapper install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start # the hmac hashes - taken from openssl # # re-define the __os_install_post macro: the macro strips # the binaries and thereby invalidates any hashes created earlier. # # this shows up earlier because otherwise the %expand of # the macro is too late. %{expand:%%global __os_install_post {%__os_install_post for b in \ %{_bindir}/ssh \ %{_sbindir}/sshd \ %{_libexecdir}/ssh/sftp-server \ ; do openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX} done }} %pre getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd %if %{uses_systemd} %service_add_pre sshd.service %endif %post %if %{uses_systemd} %{fillup_only -n ssh sshd} %service_add_post sshd.service %else %{fillup_and_insserv -n ssh sshd} %endif %set_permissions /etc/ssh/sshd_config %preun %if %{uses_systemd} %service_del_preun sshd.service %else %stop_on_removal sshd %endif %postun # The openssh-fips trigger script for openssh will normally restart sshd once # it gets installed, so only restart the service here is openssh-fips is not # present rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %if %{uses_systemd} %service_del_postun sshd.service %else %restart_on_update sshd %{insserv_cleanup} %endif %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd %verifyscript %verify_permissions -e /etc/ssh/sshd_config %files %defattr(-,root,root) %exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX} %exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX} %exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} %exclude %{_libexecdir}/ssh/cavs* %dir %attr(755,root,root) /var/lib/sshd %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %if %{uses_systemd} %doc sshd.init %attr(0644,root,root) %config %{_unitdir}/sshd.service %else %attr(0755,root,root) %config %{_initddir}/sshd %doc sshd.service %endif %attr(0755,root,root) %{_bindir}/* %attr(0755,root,root) %{_sbindir}/* %attr(0755,root,root) %dir %{_libexecdir}/ssh %exclude %{_libexecdir}/ssh/ssh-ldap* %attr(0755,root,root) %{_libexecdir}/ssh/* %attr(0444,root,root) %doc %{_mandir}/man1/* %attr(0444,root,root) %doc %{_mandir}/man5/* %attr(0444,root,root) %doc %{_mandir}/man8/* %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg %{_fillupdir}/sysconfig.ssh %if %{has_fw_dir} %if %{needs_all_dirs} %dir %{_fwdir} %dir %{_fwdefdir} %endif %config %{_fwdefdir}/sshd %endif %files helpers %defattr(-,root,root) %attr(0755,root,root) %dir %{_sysconfdir}/ssh %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %attr(0755,root,root) %dir %{_libexecdir}/ssh %attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %files fips %defattr(-,root,root) %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX} %attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX} %attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} %files cavs %defattr(-,root,root) %attr(0755,root,root) %{_libexecdir}/ssh/cavs* %changelog
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor