From 1ab54b85929a7c0fe91d0934238057f47a78afc7 Mon Sep 17 00:00:00 2001
From: Pavel Roskin
Date: Tue, 27 Dec 2016 00:22:59 -0800
Subject: [PATCH] Move key generation to the post-install stage

Don't package any keys. Generate the keys only if they are missing. Keep the keys on uninstall. For TLS keys, increase validity to 10 years. No need to have xrdp stop working in one year.
---
 xrdp.spec | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/xrdp.spec b/xrdp.spec
index 1b605c3..d93bf8d 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -29,6 +29,7 @@ Requires: tigervnc-server-minimal
 
 Requires(post): systemd
 Requires(post): systemd-sysv
+Requires(post): openssl
 Requires(preun): systemd
 Requires(postun): systemd
 
@@ -60,6 +61,9 @@ echo '#!/bin/bash -l
 #install logrotate /etc/logrotate.d/xrdp
 %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp
 
+#install openssl.conf /etc/xrdp
+%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
+
 #install log file /var/log/xrdp-sesman.log
 %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
 touch %{buildroot}%{_localstatedir}/log/xrdp-sesman.log
@@ -75,8 +79,18 @@ touch %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
 
 %post
 %systemd_post xrdp.service
-xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
-%{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+if [ ! -f %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+ xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
+ %{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+fi
+
+if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
+ openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+ -keyout %{_sysconfdir}/xrdp/key.pem \
+ -out %{_sysconfdir}/xrdp/cert.pem \
+ -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
+ -config %{_sysconfdir}/xrdp/openssl.conf
+fi
 
 %preun
 %systemd_preun xrdp.service
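Review bot: The second `if` block added to %post writes an unencrypted private key (`-nodes -keyout %{_sysconfdir}/xrdp/key.pem`) and never restricts its mode, although rsakeys.ini in the block above gets an explicit `chmod 0600`; depending on the OpenSSL version and the scriptlet's umask, key.pem may end up readable by every local user. I would run the generation under a tight umask, `(umask 077; openssl req ...)`, or at minimum add `%{__chmod} 0600 %{_sysconfdir}/xrdp/key.pem` after the call. The guard also tests only cert.pem, so a missing key.pem next to an existing certificate is never regenerated; `if [ ! -f %{_sysconfdir}/xrdp/cert.pem ] || [ ! -f %{_sysconfdir}/xrdp/key.pem ]; then` would cover both files. The first block has the same create-then-chmod ordering for rsakeys.ini, and the tight umask would close that window too.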
@@ -110,8 +124,12 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/xrdp
 %config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
 %{_sysconfdir}/xrdp/*.sh
-%{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
 %{_sysconfdir}/xrdp/km*.ini
+%{_sysconfdir}/xrdp/openssl.conf
+%{_sysconfdir}/xrdp/sesman.ini
+%{_sysconfdir}/xrdp/xrdp.ini
 %{_sysconfdir}/xrdp/xrdp_keyboard.ini
 %{_bindir}/xrdp-genkeymap
 %{_bindir}/xrdp-sesadmin
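Review bot: The added plain `%{_sysconfdir}/xrdp/sesman.ini` entry lists a file that the second context line of this hunk already lists as `%config(noreplace)`, and `%{_sysconfdir}/xrdp/xrdp.ini` is added with no config flag at all. Unless xrdp.ini is marked as config elsewhere in %files (not visible in this hunk), an upgrade would replace an administrator's edited xrdp.ini, including any hardened security settings in it, with the packaged default. I would drop the duplicate sesman.ini line and write `%config(noreplace) %{_sysconfdir}/xrdp/xrdp.ini`. The `%exclude` entries appear to leave the key files unowned by the package, so rpm will not record or verify their mode; a short comment such as `# keys are created in %post and left unowned so they survive uninstall; %post must set their mode` would make that dependency explicit.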