diff --git a/.cvsignore b/.cvsignore index d87fff6..3808edc 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -openssh-2.3.0p1.tar.gz -x11-ssh-askpass-1.1.0.tar.gz +openssh-2.5.2p2.tar.gz +x11-ssh-askpass-1.2.0.tar.gz diff --git a/openssh.spec b/openssh.spec index 901e9d8..3c29745 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,5 +1,5 @@ # Version of ssh-askpass -%define aversion 1.1.0 +%define aversion 1.2.0 # Do we want to disable building of x11-askpass? (1=yes 0=no) %define no_x11_askpass 0 
@@ -7,38 +7,59 @@ # Do we want to disable building of gnome-askpass? (1=yes 0=no) %define no_gnome_askpass 0 +# Reserve options to override askpass settings with: +# rpm -ba|--rebuild --define 'skip_xxx 1' +%{?skip_x11_askpass:%define no_x11_askpass 1} +%{?skip_gnome_askpass:%define no_gnome_askpass 1} + +# Is this a build for the rescue CD (without PAM)? (1=yes 0=no) +%define rescue 0 +%{?build_rescue:%define rescue 1} + +# Is this a build for 6.x or earlier? +%define build6x 0 +%{?build_6x:%define build6x 1} + +# If this is 6.x, the default configuration has sysconfdir in /usr/etc. +%if %{build6x} +%define _sysconfdir /etc +%endif + Summary: OpenSSH free Secure Shell (SSH) implementation Name: openssh -Version: 2.3.0p1 -Release: 4 +Version: 2.5.2p2 +Release: 1.7.2 URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz %if ! %{no_x11_askpass} -Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +Source1: http://www.jmknoble.cx/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz %endif Source2: openssh.init Source3: gnome-ssh-askpass.sh Source4: gnome-ssh-askpass.csh -Source5: openssh.primes -Patch0: openssh-2.3.0p1-redhat.patch -Patch1: openssh-2.2.0p1-agent.patch -Patch2: openssh-2.2.0p1-keygen-dsa.patch -Patch3: openssh-2.2.0p1-authpriv.patch -Patch4: openssh-2.3.0p1-path.patch +Source5: openssh-closing.txt +Patch0: openssh-2.5.2p2-redhat.patch +Patch1: openssh-2.3.0p1-path.patch +Patch2: openssh-2.5.1p1-crypt.patch +Patch3: openssh-2.5.1p1-all.patch +Patch4: openssh-2.5.2p2-setcred.patch +Patch5: reinit.patch +Patch6: aes-compat.diff +Patch7: sftp-globfix.diff Copyright: BSD Group: Applications/Internet -BuildRoot: %{_tmppath}/openssh-%{version}-buildroot +BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot Obsoletes: ssh -PreReq: dev, openssl >= 0.9.5a, initscripts >= 5.20 -Requires: openssl >= 0.9.5a +PreReq: initscripts >= 5.20 
BuildPreReq: perl, openssl-devel, tcp_wrappers -BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h +BuildPreReq: /bin/login, /usr/include/security/pam_appl.h %if ! %{no_x11_askpass} BuildPreReq: XFree86-devel %endif %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif +Requires: openssl %package clients Summary: OpenSSH Secure Shell protocol clients @@ -51,7 +72,9 @@ Summary: OpenSSH Secure Shell protocol server (sshd) Group: System Environment/Daemons Obsoletes: ssh-server PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 +%if ! %{build6x} Requires: /etc/pam.d/system-auth +%endif %package askpass Summary: OpenSSH X11 passphrase dialog @@ -120,7 +143,7 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL). -This package contains Jim Knoble's X11 passphrase +This package contains Jim Knoble's X11 passphrase dialog. %description askpass-gnome 
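Review bot: The new `Source1` URL moves the askpass tarball to a different host over plain `http://`, and `Source0` stays on `ftp://`, so neither download is authenticated in transit and nothing in the visible spec verifies the tarballs. The only integrity check visible in this commit is the pair of MD5 sums in `sources`, which is presumably enforced by the build tooling rather than by the spec. I would record that next to the Source lines, e.g. `# Tarballs are fetched over unauthenticated ftp/http; they must match the checksums in ./sources before building`, and carry upstream's detached signature as an extra Source if one is published. Separately, `Source5: openssh-closing.txt` does not appear to be referenced by the %prep or %install sections added later in this diff, so it may be a leftover.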
@@ -136,7 +159,303 @@ patented algorithms to separate libraries (OpenSSL). This package contains the GNOME passphrase dialog. +%prep + +%if ! %{no_x11_askpass} +%setup -q -a 1 +%else +%setup -q +%endif +%patch0 -p1 -b .redhat +%patch1 -p1 -b .path +%patch2 -p1 -b .crypt +%patch3 -p1 -b .all +%patch4 -p1 -b .setcred +%patch5 -p0 -b .reinit +%patch6 -p0 -b .aes-compat +%patch7 -p0 -b .sftp-globfix +autoheader +autoconf + +%build +%configure \ + --sysconfdir=%{_sysconfdir}/ssh \ + --libexecdir=%{_libexecdir}/openssh \ + --with-tcp-wrappers \ + --with-ipv4-default \ + --with-rsh=/usr/bin/rsh \ +%if %{rescue} + --without-pam --with-md5-passwords +%else + --with-pam +%endif + +make + +%if ! %{no_x11_askpass} +pushd x11-ssh-askpass-%{aversion} +xmkmf -a +make +popd +%endif + +%if ! %{no_gnome_askpass} +pushd contrib +gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` +popd +%endif + +%install +rm -rf $RPM_BUILD_ROOT +mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh +mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh +make install DESTDIR=$RPM_BUILD_ROOT + +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh +%if ! %{build6x} +install -m644 contrib/redhat/sshd.pam-7.x $RPM_BUILD_ROOT/etc/pam.d/sshd +%else +install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif +install -m755 $RPM_SOURCE_DIR/openssh.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd + +%if ! %{no_x11_askpass} +install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass +ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass +%endif + +%if ! 
%{no_gnome_askpass} +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass +%endif + +install -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +install -m 755 %{SOURCE3} %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ + +perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* + +%clean +rm -rf $RPM_BUILD_ROOT + +%triggerun server -- ssh-server +if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then + touch /var/run/sshd.restart +fi + +%triggerun server -- openssh-server < 2.5.0p1 +# Count the number of HostKey and HostDsaKey statements we have. +gawk 'BEGIN {IGNORECASE=1} + /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1} + END {exit sawhostkey}' /etc/ssh/sshd_config +# And if we only found one, we know the client was relying on the old default +# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't +# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying +# one nullifies the default, which would have loaded both. +if [ $? -eq 1 ] ; then + echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config + echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config +fi + +%triggerpostun server -- ssh-server +if [ "$1" != 0 ] ; then + /sbin/chkconfig --add sshd + if test -f /var/run/sshd.restart ; then + rm -f /var/run/sshd.restart + /sbin/service sshd start > /dev/null 2>&1 || : + fi +fi + +%post server +/sbin/chkconfig --add sshd + +%postun server +/sbin/service sshd condrestart > /dev/null 2>&1 || : + +%preun server +if [ "$1" = 0 ] +then + /sbin/service sshd stop > /dev/null 2>&1 || : + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* +%attr(0755,root,root) %{_bindir}/scp +%attr(0644,root,root) %{_mandir}/man1/scp.1* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/primes +%if ! 
%{rescue} +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0755,root,root) %dir %{_libexecdir}/openssh +%endif + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) %{_bindir}/ssh +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(-,root,root) %{_bindir}/slogin +%attr(-,root,root) %{_mandir}/man1/slogin.1* +%if ! %{rescue} +%attr(0755,root,root) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp +%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %{_mandir}/man1/sftp.1* +%endif + +%if ! %{rescue} +%files server +%defattr(-,root,root) +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd +%endif + +%if ! %{no_x11_askpass} +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{aversion}/README +%doc x11-ssh-askpass-%{aversion}/ChangeLog +%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass +%endif + +%if ! 
%{no_gnome_askpass} +%files askpass-gnome +%defattr(-,root,root) +%attr(0755,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.* +%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass +%endif + %changelog +* Fri Mar 30 2001 Nalin Dahyabhai +- add pam_limits back to the PAM configuration + +* Wed Mar 28 2001 Nalin Dahyabhai +- tweak the init script because 7.0's initscripts daemon() function + isn't as smart as it should be + +* Mon Mar 26 2001 Nalin Dahyabhai +- build for a 7.0 errata + +* Fri Mar 23 2001 Nalin Dahyabhai +- make do_pam_setcred() smart enough to know when to establish creds and + when to reinitialize them +- add in a couple of other fixes from Damien for inclusion in the errata + +* Thu Mar 22 2001 Nalin Dahyabhai +- update to 2.5.2p2 +- call setcred() again after initgroups, because the "creds" could actually + be group memberships + +* Tue Mar 20 2001 Nalin Dahyabhai +- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation) +- don't enable challenge-response by default until we find a way to not + have too many userauth requests (we may make up to six pubkey and up to + three password attempts as it is) +- remove build dependency on rsh to match openssh.com's packages more closely + +* Sat Mar 3 2001 Nalin Dahyabhai +- remove dependency on openssl -- would need to be too precise + +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Mon Feb 26 2001 Nalin Dahyabhai +- Revert the patch to move pam_open_session. +- Init script and spec file changes from Pekka Savola. (#28750) +- Patch sftp to recognize '-o protocol' arguments. (#29540) + +* Thu Feb 22 2001 Nalin Dahyabhai +- Chuck the closing patch. +- Add a trigger to add host keys for protocol 2 to the config file, now that + configuration file syntax requires us to specify it with HostKey if we + specify any other HostKey values, which we do. 
+ +* Tue Feb 20 2001 Nalin Dahyabhai +- Redo patch to move pam_open_session after the server setuid()s to the user. +- Rework the nopam patch to use be picked up by autoconf. + +* Mon Feb 19 2001 Nalin Dahyabhai +- Update for 2.5.1p1. +- Add init script mods from Pekka Savola. +- Tweak the init script to match the CVS contrib script more closely. +- Redo patch to ssh-add to try to adding both identity and id_dsa to also try + adding id_rsa. + +* Fri Feb 16 2001 Nalin Dahyabhai +- Update for 2.5.0p1. +- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass +- Resync with parts of Damien Miller's openssh.spec from CVS, including + update of x11 askpass to 1.2.0. +- Only require openssl (don't prereq) because we generate keys in the init + script now. + +* Tue Feb 13 2001 Nalin Dahyabhai +- Don't open a PAM session until we've forked and become the user (#25690). +- Apply Andrew Bartlett's patch for letting pam_authenticate() know which + host the user is attempting a login from. +- Resync with parts of Damien Miller's openssh.spec from CVS. +- Don't expose KbdInt responses in debug messages (from CVS). +- Detect and handle errors in rsa_{public,private}_decrypt (from CVS). + +* Wed Feb 7 2001 Trond Eivind Glomsr)Bød +- i18n-tweak to initscript. + +* Tue Jan 23 2001 Nalin Dahyabhai +- More gettextizing. +- Close all files after going into daemon mode (needs more testing). +- Extract patch from CVS to handle auth banners (in the client). +- Extract patch from CVS to handle compat weirdness. + +* Fri Jan 19 2001 Nalin Dahyabhai +- Finish with the gettextizing. + +* Thu Jan 18 2001 Nalin Dahyabhai +- Fix a bug in auth2-pam.c (#23877) +- Gettextize the init script. + +* Wed Dec 20 2000 Nalin Dahyabhai +- Incorporate a switch for using PAM configs for 6.x, just in case. + +* Tue Dec 5 2000 Nalin Dahyabhai +- Incorporate Bero's changes for a build specifically for rescue CDs. 
+ +* Wed Nov 29 2000 Nalin Dahyabhai +- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has + succeeded, to allow public-key authentication after a failure with "none" + authentication. (#21268) + +* Tue Nov 28 2000 Nalin Dahyabhai +- Update to x11-askpass 1.1.1. (#21301) +- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290) + +* Mon Nov 27 2000 Nalin Dahyabhai +- Merge multiple PAM text messages into subsequent prompts when possible when + doing keyboard-interactive authentication. + +* Sun Nov 26 2000 Nalin Dahyabhai +- Disable the built-in MD5 password support. We're using PAM. +- Take a crack at doing keyboard-interactive authentication with PAM, and + enable use of it in the default client configuration so that the client + will try it when the server disallows password authentication. +- Build with debugging flags. Build root policies strip all binaries anyway. + * Tue Nov 21 2000 Nalin Dahyabhai - Use DESTDIR instead of %%makeinstall. - Remove /usr/X11R6/bin from the path-fixing patch. 
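Review bot: In the `%triggerun server -- openssh-server < 2.5.0p1` scriptlet, gawk's exit status doubles as the HostKey counter, so a status of 1 returned by gawk for any other reason is read as "exactly one HostKey line" and two lines are appended to /etc/ssh/sshd_config. Printing the count keeps the two cases apart: `n=$(gawk 'BEGIN {IGNORECASE=1} /^hostkey/ || /^hostdsakey/ {n++} END {print n+0}' /etc/ssh/sshd_config)` followed by `if [ "$n" = 1 ] ; then`. The patterns are anchored at column 0, so an indented directive is not counted, and the appended paths are not compared with the line already present, which can leave a duplicate entry or a host-key set the administrator did not choose. gawk is also not listed in the server subpackage's `PreReq` in the lines visible here; if it is missing when the trigger runs, the scriptlet silently does nothing and sshd starts with whatever the old config names.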
@@ -262,150 +581,3 @@ This package contains the GNOME passphrase dialog. * Wed Oct 27 1999 Damien Miller - Initial RPMification, based on Jan "Yenya" Kasprzak's spec. - -%prep -%if ! %{no_x11_askpass} -%setup -q -a 1 -%else -%setup -q -%endif -%patch0 -p1 -b .redhat -%patch1 -p1 -b .agent -%patch2 -p1 -b .keygen-dsa -%patch3 -p1 -b .authpriv -%patch4 -p1 -b .path -autoconf - -%build - -%configure \ - --sysconfdir=%{_sysconfdir}/ssh \ - --libexecdir=%{_libexecdir}/openssh \ - --with-tcp-wrappers \ - --with-ipv4-default \ - --with-md5-passwords \ - --with-rsh=/usr/bin/rsh -make - -%if ! %{no_x11_askpass} -pushd x11-ssh-askpass-%{aversion} -xmkmf -a -make -popd -%endif - -%if ! %{no_gnome_askpass} -pushd contrib -gcc -O -g `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass.c -o gnome-ssh-askpass \ - `gnome-config --libs gnome gnomeui` -popd -%endif - -%install -rm -rf $RPM_BUILD_ROOT -mkdir -p -m755 sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh -mkdir -p -m755 sysconfdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh -make install DESTDIR=$RPM_BUILD_ROOT - -install -d $RPM_BUILD_ROOT/etc/pam.d/ -install -d $RPM_BUILD_ROOT/etc/rc.d/init.d -install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh -install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m755 $RPM_SOURCE_DIR/openssh.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -install -m600 $RPM_SOURCE_DIR/openssh.primes $RPM_BUILD_ROOT%{_sysconfdir}/ssh/primes - -%if ! %{no_x11_askpass} -install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass -ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass -%endif - -%if ! 
%{no_gnome_askpass} -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass -%endif - -install -d $RPM_BUILD_ROOT/etc/profile.d/ -install -m 755 %{SOURCE3} %{SOURCE4} $RPM_BUILD_ROOT/etc/profile.d/ - -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* - -%clean -rm -rf $RPM_BUILD_ROOT - -%triggerun server -- ssh-server -if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then - touch /var/run/sshd.restart -fi - -%triggerpostun server -- ssh-server -if [ "$1" != 0 ] ; then - /sbin/chkconfig --add sshd - if test -f /var/run/sshd.restart ; then - rm -f /var/run/sshd.restart - /sbin/service sshd start > /dev/null 2>&1 || : - fi -fi - -%post server -/sbin/chkconfig --add sshd - -%postun server -/sbin/service sshd condrestart > /dev/null 2>&1 || : - -%preun server -if [ "$1" = 0 ] -then - /sbin/service sshd stop > /dev/null 2>&1 || : - /sbin/chkconfig --del sshd -fi - -%files -%defattr(-,root,root) -%doc COPYING* CREDITS ChangeLog INSTALL LICENCE OVERVIEW RFC* TODO WARNING* - -%attr(0755,root,root) %{_bindir}/ssh-keygen -%attr(0755,root,root) %{_bindir}/scp -%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* -%attr(0644,root,root) %{_mandir}/man1/scp.1* -%attr(0755,root,root) %dir %{_sysconfdir}/ssh -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/primes -%attr(0755,root,root) %dir %{_libexecdir}/openssh - -%files clients -%defattr(-,root,root) -%attr(4755,root,root) %{_bindir}/ssh -%attr(0755,root,root) %{_bindir}/ssh-agent -%attr(0755,root,root) %{_bindir}/ssh-add -%attr(0644,root,root) %{_mandir}/man1/ssh.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%attr(-,root,root) %{_bindir}/slogin -%attr(-,root,root) %{_mandir}/man1/slogin.1* - -%files server -%defattr(-,root,root) -%attr(0755,root,root) %{_sbindir}/sshd -%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server 
-%attr(0644,root,root) %{_mandir}/man8/sshd.8* -%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config -%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd -%attr(0755,root,root) %config /etc/rc.d/init.d/sshd - -%if ! %{no_x11_askpass} -%files askpass -%defattr(-,root,root) -%doc x11-ssh-askpass-%{aversion}/README -%doc x11-ssh-askpass-%{aversion}/ChangeLog -%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass -%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass -%endif - -%if ! %{no_gnome_askpass} -%files askpass-gnome -%defattr(-,root,root) -%attr(0755,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.* -%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass -%endif diff --git a/sources b/sources index 18befff..479672b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -b3d53dfb45da6e7bf88aaaf65b528aac openssh-2.3.0p1.tar.gz -5066d38e5bdab45e8b40bff8bc3a9c60 x11-ssh-askpass-1.1.0.tar.gz +29a2d4d1a506d3adfe86f7a8483858f2 openssh-2.5.2p2.tar.gz +dec1d8947245f33e3d01b85e576ca5f5 x11-ssh-askpass-1.2.0.tar.gz