Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>

Split out the host keygen into its own command, to ease future migration
to systemd. Compatibility with the init script was kept.
Migrate the package to full native systemd unit files, according to the Fedora
packaging guidelines.
Prepare the unit files for running an ondemand server. (not actually added yet)
Jan F 2011-06-28 10:35:28 +02:00
parent 29b683c1d2
commit 5c8b5cb538
7 changed files with 85 additions and 196 deletions


@ -48,9 +48,6 @@
%define pam_ssh_agent 0 %define pam_ssh_agent 0
%endif %endif
# Whether add systemd units
%define systemd 0
# Reserve options to override askpass settings with: # Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1' # rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_gnome_askpass:%global no_gnome_askpass 1} %{?skip_gnome_askpass:%global no_gnome_askpass 1}
@ -82,7 +79,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p2 %define openssh_ver 5.8p2
%define openssh_rel 10 %define openssh_rel 13
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 31 %define pam_ssh_agent_rel 31
@ -105,11 +102,11 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p
Source5: pam_ssh_agent-rmheaders Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam Source6: ssh-keycat.pam
Source7: sshd.sysconfig Source7: sshd.sysconfig
Source8: ssh-keygen-dsa.service Source8: sshd-keygen.service
Source9: ssh-keygen-rsa.service Source9: sshd@.service
Source10: ssh-keygen-rsa1.service Source10: sshd.socket
Source11: sshd.service Source11: sshd.service
Source12: sshd.socket Source13: sshd-keygen
Patch99: openssh-5.8p1-wIm.patch Patch99: openssh-5.8p1-wIm.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
@ -263,10 +260,27 @@ Requires: fipscheck-lib%{_isa} >= 1.3.0
Summary: An open source SSH server daemon Summary: An open source SSH server daemon
Group: System Environment/Daemons Group: System Environment/Daemons
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires(post): chkconfig >= 0.9, /sbin/service
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3 Requires: pam >= 1.0.1-3
Requires: fipscheck-lib%{_isa} >= 1.3.0 Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# This is actually needed for the %triggerun script but Requires(triggerun)
# is not valid. We can use %post because this particular %triggerun script
# should fire just after this package is installed.
Requires(post): systemd-sysv
# Not yet ready
# %package server-ondemand
# Summary: Systemd unit file to run an ondemand OpenSSH server
# Group: System Environment/Daemons
# Requires: %{name}-server%{?_isa} = %{version}-%{release}
%package server-sysvinit
Summary: The SysV initscript to manage the OpenSSH server.
Group: System Environment/Daemons
Requires: %{name}-server%{?_isa} = %{version}-%{release}
%if %{ldap} %if %{ldap}
%package ldap %package ldap
@ -319,6 +333,19 @@ into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. securely connect to your SSH server.
# %description server-ondemand
# OpenSSH is a free version of SSH (Secure SHell), a program for logging
# into and executing commands on a remote machine. This package contains
# the systemd unit files to run an ondemand (socket activated) SSH server.
%description server-sysvinit
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the SysV init script to manage the OpenSSH server when running a legacy
SysV-compatible init system.
It is not required when the init system used is systemd.
%if %{ldap} %if %{ldap}
%description ldap %description ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens OpenSSH LDAP backend is a way how to distribute the authorized tokens
@ -541,14 +568,12 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
%if %{systemd} install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-dsa.service install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa.service install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa1.service install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
%endif
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
@ -602,56 +627,39 @@ getent passwd sshd >/dev/null || \
%endif %endif
%post server %post server
%if %{systemd} if [ $1 -eq 1 ] ; then
if [ -x /bin/systemctl ]; then
if [ $1 -eq 1 ]; then
/bin/systemctl enable sshd.service >/dev/null 2>&1 || : /bin/systemctl enable sshd.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-dsa.service >/dev/null 2>&1 || : /bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-rsa.service >/dev/null 2>&1 || :
/bin/systemctl enable ssh-keygen-rsa1.service >/dev/null 2>&1 || :
fi
fi fi
%endif
if [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add sshd
fi
exit 0
%postun server %postun server
%if %{systemd} /bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ -x /bin/systemctl ]; then if [ $1 -ge 1 ] ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || : # Package upgrade, not uninstall
if [ $1 -ge 1 ]; then
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
fi /bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || :
fi fi
%endif
if [ -x /sbin/service ]; then
if [ $1 -ne 0 ]; then
/sbin/service sshd condrestart > /dev/null 2>&1 || :
fi
fi
exit 0
%preun server %preun server
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ] ; then
%if %{systemd} # Package removal, not upgrade
if [ -x /bin/systemctl ]; then /bin/systemctl --no-reload disable sshd.service > /dev/null 2>&1 || :
/bin/systemctl disable sshd.service > /dev/null 2>&1 || : /bin/systemctl --no-reload disable sshd-keygen.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-dsa.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-rsa.service > /dev/null 2>&1 || :
/bin/systemctl disable ssh-keygen-rsa1.service > /dev/null 2>&1 || :
/bin/systemctl stop sshd.service > /dev/null 2>&1 || : /bin/systemctl stop sshd.service > /dev/null 2>&1 || :
fi /bin/systemctl stop sshd-keygen.service > /dev/null 2>&1 || :
%endif
if [ -x /sbin/service ]; then
/sbin/service sshd stop > /dev/null 2>&1 || :
fi
if [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del sshd
fi
fi fi
exit 0
%triggerun -n openssh-server -- openssh-server < 5.8p2-12
/usr/bin/systemd-sysv-convert --save sshd >/dev/null 2>&1 || :
/bin/systemctl enable sshd.service >/dev/null 2>&1
/bin/systemctl enable sshd-keygen.service >/dev/null 2>&1
/sbin/chkconfig --del sshd >/dev/null 2>&1 || :
/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || :
# This one was never a service, so we don't simply restart it
/bin/systemctl is-active -q sshd.service && /bin/systemctl start sshd-keygen.service >/dev/null 2>&1 || :
%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12
/sbin/chkconfig --add sshd >/dev/null 2>&1 || :
%files %files
%defattr(-,root,root) %defattr(-,root,root)
@ -701,6 +709,7 @@ exit 0
%defattr(-,root,root) %defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/sshd-keygen
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -710,14 +719,17 @@ exit 0
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0755,root,root) /etc/rc.d/init.d/sshd %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
%if %{systemd}
%attr(0644,root,root) %{_unitdir}/ssh-keygen-dsa.service
%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa.service
%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa1.service
%attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%endif # %files server-ondemand
# %defattr(-,root,root)
# %attr(0644,root,root) %{_unitdir}/sshd@.service
# %attr(0644,root,root) %{_unitdir}/sshd.socket
%files server-sysvinit
%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif %endif
%if %{ldap} %if %{ldap}
@ -753,6 +765,14 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Jun 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-11 + 0.9.2-31
- Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>
- Split out the host keygen into their own command, to ease future migration
to systemd. Compatitbility with the init script was kept.
- Migrate the package to full native systemd unit files, according to the Fedora
packaging guidelines.
- Prepate the unit files for running an ondemand server. (do not add it actually)
* Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31 * Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31
- Mention IPv6 usage in man pages - Mention IPv6 usage in man pages
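Review bot: The `%triggerun -n openssh-server -- openssh-server < 5.8p2-12` scriptlet enables `sshd.service` and `sshd-keygen.service` on every upgrade from the SysV package without checking whether sshd was switched on under chkconfig, so a host where the daemon had been deliberately disabled would have it enabled for the next boot. `systemd-sysv-convert --save` only records the old runlevel state; nothing visible here applies it. Consider gating the enable on the previous state, e.g. `/sbin/chkconfig sshd >/dev/null 2>&1 && /bin/systemctl enable sshd.service >/dev/null 2>&1 || :` (it should be confirmed that the rc links still exist when the trigger runs), or at least add a comment stating that auto-enable on upgrade is intended. The two enable lines are also the only commands in that scriptlet without `|| :`.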


@ -1,18 +0,0 @@
[Unit]
Description=SSH DSA Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_dsa_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_dsa_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_dsa_key.pub
ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -1,18 +0,0 @@
[Unit]
Description=SSH RSA Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_rsa_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_rsa_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_rsa_key.pub
ExecStartPost=/sbin/restorecon /ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -1,18 +0,0 @@
[Unit]
Description=SSH RSA1 Keygeneration.
After=syslog.target
Before=sshd.service
ConditionPathExists=!/etc/ssh/ssh_host_key
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_key
ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_key
ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_key.pub
ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target


@ -37,79 +37,12 @@ prog="sshd"
lockfile=/var/lock/subsys/$prog lockfile=/var/lock/subsys/$prog
# Some functions to make the below more readable # Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
XPID_FILE=/var/run/sshd.pid XPID_FILE=/var/run/sshd.pid
PID_FILE=/var/run/sshd-s.pid PID_FILE=/var/run/sshd-s.pid
runlevel=$(set -- $(runlevel); eval "echo \$$#" ) runlevel=$(set -- $(runlevel); eval "echo \$$#" )
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA1_KEY
chmod 640 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub
fi
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA_KEY
chmod 640 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub
fi
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $DSA_KEY
chmod 640 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub
fi
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check() do_restart_sanity_check()
{ {
$SSHD -t $SSHD -t
@ -125,13 +58,7 @@ start()
[ -x $SSHD ] || exit 5 [ -x $SSHD ] || exit 5
[ -f /etc/ssh/sshd_config ] || exit 6 [ -f /etc/ssh/sshd_config ] || exit 6
# Create keys if necessary # Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then /usr/sbin/sshd-keygen
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
fi
fi
echo -n $"Starting $prog: " echo -n $"Starting $prog: "
$SSHD $OPTIONS && success || failure $SSHD $OPTIONS && success || failure
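Review bot: The exit status of `/usr/sbin/sshd-keygen` is not checked in `start()`, so a failed host-key generation no longer stops the start sequence; the removed `do_*_keygen` functions called `exit 1` in that case. Because the helper now runs as a child process, an `exit 1` inside it ends only the helper. `/usr/sbin/sshd-keygen || exit 1` would keep the old behaviour. The `AUTOCREATE_SERVER_KEYS` test is also gone from this file and is presumably handled inside sshd-keygen, which is not shown on this page; a one-line comment saying so would help. `start()` begins and ends outside the hunk.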


@ -3,11 +3,8 @@ Description=OpenSSH server daemon.
After=syslog.target network.target After=syslog.target network.target
[Service] [Service]
Type=forking ExecStart=/usr/sbin/sshd -D
PIDFile=/var/run/sshd.pid ExecReload=/bin/kill -HUP $MAINPID
EnvironmentFile=/etc/sysconfig/sshd
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd $OPTIONS
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
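Review bot: The new `ExecStart=/usr/sbin/sshd -D` drops both `EnvironmentFile=/etc/sysconfig/sshd` and `$OPTIONS`, while the spec in this commit still installs `/etc/sysconfig/sshd`, so any daemon options an administrator set there are silently ignored once the host runs under systemd. Keeping `EnvironmentFile=/etc/sysconfig/sshd` and using `ExecStart=/usr/sbin/sshd -D $OPTIONS` preserves them. The `ExecStartPre=/usr/sbin/sshd -t` configuration check is removed as well, and no ordering against `sshd-keygen.service` is visible in the lines shown; the start of the `[Unit]` section is outside the hunk, so that may be handled there or in the keygen unit.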


@ -1,5 +1,4 @@
[Unit] [Unit]
Description=OpenSSH Server Socket.
Conflicts=sshd.service Conflicts=sshd.service
[Socket] [Socket]