add -fips subpackages that contains the FIPS module files

Petr Lautrbach 2013-08-28 19:37:08 +02:00
parent 631ffb2c5b
commit 227f4f7628
3 changed files with 54 additions and 3 deletions


@ -0,0 +1 @@
-b /usr/bin/ssh
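Review bot: The new blacklist file holds only `-b /usr/bin/ssh`, with nothing saying why the binary must be kept away from prelink; the same is true of `-b /usr/sbin/sshd` in openssh-server-fips.conf. A leading comment such as `# Do not prelink: the fipscheck HMAC is computed over the unmodified binary` would keep a later cleanup from dropping the entry. The path is also hard-coded here, whereas the spec scriptlets use `%{_bindir}` and `%{_sbindir}`, so the two can drift apart if those macros are ever overridden.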

openssh-server-fips.conf Normal file

@ -0,0 +1 @@
-b /usr/sbin/sshd


@ -87,6 +87,8 @@ Source10: sshd.socket
Source11: sshd.service Source11: sshd.service
Source12: sshd-keygen.service Source12: sshd-keygen.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: openssh-clients-fips.conf
Source15: openssh-server-fips.conf
# Internal debug # Internal debug
Patch0: openssh-5.9p1-wIm.patch Patch0: openssh-5.9p1-wIm.patch
@ -235,6 +237,11 @@ BuildRequires: xauth
Summary: An open source SSH client applications Summary: An open source SSH client applications
Group: Applications/Internet Group: Applications/Internet
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
%package clients-fips
Summary: The FIPS module package for SSH client
Group: Applications/Internet
Requires: openssh-clients = %{version}-%{release}
Requires: fipscheck-lib%{_isa} >= 1.3.0 Requires: fipscheck-lib%{_isa} >= 1.3.0
%package server %package server
@ -243,11 +250,16 @@ Group: System Environment/Daemons
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3 Requires: pam >= 1.0.1-3
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%package server-fips
Summary: The FIPS module package for SSH server daemon
Group: System Environment/Daemons
Requires: openssh-server = %{version}-%{release}
Requires: fipscheck-lib%{_isa} >= 1.3.0
# Not yet ready # Not yet ready
# %package server-ondemand # %package server-ondemand
# Summary: Systemd unit file to run an ondemand OpenSSH server # Summary: Systemd unit file to run an ondemand OpenSSH server
@ -304,12 +316,24 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers. the clients necessary to make encrypted connections to SSH servers.
%description clients-fips
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the files that complete the installation of the OpenSSH client FIPS
module.
%description server %description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. securely connect to your SSH server.
%description server-fips
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the files that complete the installation of the OpenSSH server FIPS
module.
%description server-sysvinit %description server-sysvinit
OpenSSH is a free version of SSH (Secure SHell), a program for logging OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains into and executing commands on a remote machine. This package contains
@ -591,6 +615,13 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
popd popd
%endif %endif
#install prelink blacklists
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
install -m644 %{SOURCE14} %{SOURCE15} \
$RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -603,9 +634,15 @@ getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
%post clients-fips
prelink -u %{_bindir}/ssh 2>/dev/null || :
%post server %post server
%systemd_post sshd.service sshd.socket %systemd_post sshd.service sshd.socket
%post server-fips
prelink -u %{_sbindir}/sshd 2>/dev/null || :
%preun server %preun server
%systemd_preun sshd.service sshd.socket %systemd_preun sshd.service sshd.socket
@ -641,7 +678,6 @@ getent passwd sshd >/dev/null || \
%files clients %files clients
%defattr(-,root,root) %defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
%attr(0644,root,root) %{_mandir}/man1/ssh.1* %attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/scp.1*
@ -664,13 +700,19 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif %endif
%files clients-fips
%defattr(-,root,root)
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
# We don't want to depend on prelink for this directory
%dir %{_sysconfdir}/prelink.conf.d
%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
%if ! %{rescue} %if ! %{rescue}
%files server %files server
%defattr(-,root,root) %defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/sshd-keygen %attr(0755,root,root) %{_sbindir}/sshd-keygen
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5*
@ -684,6 +726,13 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
%files server-fips
%defattr(-,root,root)
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
# We don't want to depend on prelink for this directory
%dir %{_sysconfdir}/prelink.conf.d
%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
%files server-sysvinit %files server-sysvinit
%defattr(-,root,root) %defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd %attr(0755,root,root) /etc/rc.d/init.d/sshd
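Review bot: Moving `ssh.hmac` and `sshd.hmac` out of `%files clients` and `%files server` leaves nothing that pulls in the new -fips subpackages, while the base packages still require `fipscheck-lib`. On a host running in FIPS mode, an upgrade or an install of only openssh-server would presumably leave sshd without its integrity checksum, and the fipscheck self-test would then be expected to fail, which can cut off remote access. If the split is intentional, document it where the subpackages are declared, for example `# FIPS-mode hosts must also install openssh-server-fips; sshd.hmac ships only there` above `%package server-fips`, with the matching line above `%package clients-fips`. Separately, the `%post` scriptlets discard every `prelink -u` error with `2>/dev/null || :`, so a binary that stays prelinked goes unnoticed until the checksum is verified.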