Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>

Split out the host keygen into its own command, to ease future migration
to systemd. Compatibility with the init script was kept.
Migrate the package to full native systemd unit files, according to the Fedora
packaging guidelines.
Prepare the unit files for running an on-demand server (but do not actually add it yet).
Jan F 2011-06-28 10:35:28 +02:00
parent 29b683c1d2
commit 5c8b5cb538
7 changed files with 85 additions and 196 deletions


@ -48,9 +48,6 @@
%define pam_ssh_agent 0
%endif
# Whether add systemd units
%define systemd 0
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
@ -82,7 +79,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p2
%define openssh_rel 10
%define openssh_rel 13
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 31
@ -105,11 +102,11 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p
Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam
Source7: sshd.sysconfig
Source8: ssh-keygen-dsa.service
Source9: ssh-keygen-rsa.service
Source10: ssh-keygen-rsa1.service
Source8: sshd-keygen.service
Source9: sshd@.service
Source10: sshd.socket
Source11: sshd.service
Source12: sshd.socket
Source13: sshd-keygen
Patch99: openssh-5.8p1-wIm.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
@ -263,10 +260,27 @@ Requires: fipscheck-lib%{_isa} >= 1.3.0
Summary: An open source SSH server daemon
Group: System Environment/Daemons
Requires: openssh = %{version}-%{release}
Requires(post): chkconfig >= 0.9, /sbin/service
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# This is actually needed for the %triggerun script but Requires(triggerun)
# is not valid. We can use %post because this particular %triggerun script
# should fire just after this package is installed.
Requires(post): systemd-sysv
# Not yet ready
# %package server-ondemand
# Summary: Systemd unit file to run an ondemand OpenSSH server
# Group: System Environment/Daemons
# Requires: %{name}-server%{?_isa} = %{version}-%{release}
%package server-sysvinit
Summary: The SysV initscript to manage the OpenSSH server.
Group: System Environment/Daemons
Requires: %{name}-server%{?_isa} = %{version}-%{release}
%if %{ldap}
%package ldap
@ -319,6 +333,19 @@ into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server.
# %description server-ondemand
# OpenSSH is a free version of SSH (Secure SHell), a program for logging
# into and executing commands on a remote machine. This package contains
# the systemd unit files to run an ondemand (socket activated) SSH server.
%description server-sysvinit
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the SysV init script to manage the OpenSSH server when running a legacy
SysV-compatible init system.
It is not required when the init system used is systemd.
%if %{ldap}
%description ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens
@ -541,14 +568,12 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
%if %{systemd}
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-dsa.service
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa1.service
install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
%endif
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
@ -602,56 +627,39 @@ getent passwd sshd >/dev/null || \
%endif
%post server
%if %{systemd}
if [ -x /bin/systemctl ]; then
if [ $1 -eq 1 ]; then
if [ $1 -eq 1 ] ; then
/bin/systemctl enable sshd.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-dsa.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-rsa.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-rsa1.service >/dev/null 2>&1 || :
fi
/bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 || :
fi
%endif
if [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add sshd
fi
exit 0
%postun server
%if %{systemd}
if [ -x /bin/systemctl ]; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ]; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
# Package upgrade, not uninstall
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
fi
/bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || :
fi
%endif
if [ -x /sbin/service ]; then
if [ $1 -ne 0 ]; then
/sbin/service sshd condrestart > /dev/null 2>&1 || :
fi
fi
exit 0
%preun server
if [ $1 -eq 0 ]; then
%if %{systemd}
if [ -x /bin/systemctl ]; then
/bin/systemctl disable sshd.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-dsa.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-rsa.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-rsa1.service > /dev/null 2>&1 || :
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable sshd.service > /dev/null 2>&1 || :
/bin/systemctl --no-reload disable sshd-keygen.service > /dev/null 2>&1 || :
/bin/systemctl stop sshd.service > /dev/null 2>&1 || :
fi
%endif
if [ -x /sbin/service ]; then
/sbin/service sshd stop > /dev/null 2>&1 || :
fi
if [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del sshd
fi
/bin/systemctl stop sshd-keygen.service > /dev/null 2>&1 || :
fi
exit 0
%triggerun -n openssh-server -- openssh-server < 5.8p2-12
/usr/bin/systemd-sysv-convert --save sshd >/dev/null 2>&1 || :
/bin/systemctl enable sshd.service >/dev/null 2>&1
/bin/systemctl enable sshd-keygen.service >/dev/null 2>&1
/sbin/chkconfig --del sshd >/dev/null 2>&1 || :
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
# This one was never a service, so we don't simply restart it
/bin/systemctl is-active -q sshd.service && /bin/systemctl start sshd-keygen.service >/dev/null 2>&1 || :
%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12
/sbin/chkconfig --add sshd >/dev/null 2>&1 || :
%files
%defattr(-,root,root)
@ -701,6 +709,7 @@ exit 0
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/sshd-keygen
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -710,14 +719,17 @@ exit 0
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%if %{systemd}
%attr(0644,root,root) %{_unitdir}/ssh-keygen-dsa.service
%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa.service
%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa1.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%endif
# %files server-ondemand
# %defattr(-,root,root)
# %attr(0644,root,root) %{_unitdir}/sshd@.service
# %attr(0644,root,root) %{_unitdir}/sshd.socket
%files server-sysvinit
%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif
%if %{ldap}
@ -753,6 +765,14 @@ exit 0
%endif
%changelog
* Tue Jun 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-11 + 0.9.2-31
- Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>
- Split out the host keygen into their own command, to ease future migration
to systemd. Compatitbility with the init script was kept.
- Migrate the package to full native systemd unit files, according to the Fedora
packaging guidelines.
- Prepate the unit files for running an ondemand server. (do not add it actually)
* Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31
- Mention IPv6 usage in man pages
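Review bot: In the `%triggerun -n openssh-server -- openssh-server < 5.8p2-12` scriptlet, `systemctl enable sshd.service` runs unconditionally, so a host where the SysV service had been switched off with chkconfig would have sshd enabled at boot after the upgrade; `systemd-sysv-convert --save` only records the old runlevel state and does not reapply it. If that is not intended, gate the enable on the previous state before the `chkconfig --del`, e.g. `/sbin/chkconfig sshd >/dev/null 2>&1 && /bin/systemctl enable sshd.service >/dev/null 2>&1 || :`. The two `enable` lines in that trigger are also the only systemctl calls in these scriptlets without the trailing `|| :`. Separately, the new changelog entry is stamped 5.8p2-11 while `openssh_rel` appears to be bumped to 13 and the trigger compares against 5.8p2-12, which is worth reconciling (the +/- markers are lost on this page, so the sides are inferred).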


@ -1,18 +0,0 @@
[Unit]
Description=SSH DSA Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_dsa_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_dsa_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_dsa_key.pub
ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -1,18 +0,0 @@
[Unit]
Description=SSH RSA Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_rsa_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_rsa_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_rsa_key.pub
ExecStartPost=/sbin/restorecon /ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -1,18 +0,0 @@
[Unit]
Description=SSH RSA1 Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_key.pub
ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -37,79 +37,12 @@ prog="sshd"
lockfile=/var/lock/subsys/$prog
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
XPID_FILE=/var/run/sshd.pid
PID_FILE=/var/run/sshd-s.pid
runlevel=$(set -- $(runlevel); eval "echo \$$#" )
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA1_KEY
chmod 640 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub
fi
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA_KEY
chmod 640 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub
fi
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $DSA_KEY
chmod 640 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub
fi
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check()
{
$SSHD -t
@ -125,13 +58,7 @@ start()
[ -x $SSHD ] || exit 5
[ -f /etc/ssh/sshd_config ] || exit 6
# Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
fi
fi
/usr/sbin/sshd-keygen
echo -n $"Starting $prog: "
$SSHD $OPTIONS && success || failure
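Review bot: In start(), the exit status of `/usr/sbin/sshd-keygen` is not checked, whereas each do_*_keygen function listed in this section ended in `exit 1` when key generation failed; as written the script goes straight on to `$SSHD $OPTIONS`, and a key-generation problem only surfaces as an sshd start failure. Consider `/usr/sbin/sshd-keygen || exit 1`. Assuming the `AUTOCREATE_SERVER_KEYS` block is the removed side (the +/- markers are lost here), that policy now lives entirely in sshd-keygen, which is not shown on this page; confirm it still honours `NO` and `RSAONLY` and keeps the `chgrp ssh_keys` / `chmod 640` handling of the private keys. start() begins and ends outside the hunk.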


@ -3,11 +3,8 @@ Description=OpenSSH server daemon.
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/sshd.pid
EnvironmentFile=/etc/sysconfig/sshd
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd $OPTIONS
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
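Review bot: `ExecStart=/usr/sbin/sshd -D` appears to replace `ExecStart=/usr/sbin/sshd $OPTIONS` (the +/- markers are lost on this page), which would mean OPTIONS set in /etc/sysconfig/sshd are silently ignored once the service runs under systemd. An administrator who put a non-default port or other restrictions there would get a daemon running without them after the migration; `ExecStart=/usr/sbin/sshd -D $OPTIONS` keeps them, provided the `EnvironmentFile=` line is retained. The header counts (11 lines down to 8) suggest `ExecStartPre=/usr/sbin/sshd -t` may also be dropped; if so, a broken sshd_config is no longer caught before start. The unit's first lines are outside the hunk, so ordering against sshd-keygen.service could not be checked from here.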


@ -1,5 +1,4 @@
[Unit]
Description=OpenSSH Server Socket.
Conflicts=sshd.service
[Socket]