%global gtk2 1 %global pie 1 # Add option to build without GTK2 for older platforms with only GTK+. # rpm -ba|--rebuild --define 'no_gtk2 1' %{?no_gtk2:%global gtk2 0} %global pam_ssh_agent_rel 5 %global sshd_uid 74 Name: openssh Version: 7.8p1 Release: 4 URL: https://www.openssh.com/portable.html License: BSD Summary: An open source implementation of SSH protocol version 2 Source0: https://ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: https://ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pam Source3: DJM-GPG-KEY.gpg Source4: https://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.tar.bz2 Source5: pam_ssh_agent-rmheaders Source6: ssh-keycat.pam Source7: sshd.sysconfig Source9: sshd@.service Source10: sshd.socket Source11: sshd.service Source12: sshd-keygen@.service Source13: sshd-keygen Source14: sshd.tmpfiles Source15: sshd-keygen.target Patch100: openssh-6.7p1-coverity.patch #https://bugzilla.redhat.com/show_bug.cgi?id=735889 Patch104: openssh-7.3p1-openssl-1.1.0.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1171248 Patch200: openssh-7.6p1-audit.patch Patch201: openssh-7.1p2-audit-race-condition.patch Patch300: pam_ssh_agent_auth-0.9.3-build.patch Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch Patch306: pam_ssh_agent_auth-0.10.2-compat.patch Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch Patch400: openssh-7.8p1-role-mls.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 Patch404: openssh-6.6p1-privsep-selinux.patch Patch501: openssh-6.7p1-ldap.patch Patch502: openssh-6.6p1-keycat.patch Patch601: openssh-6.6p1-allow-ip-opts.patch Patch604: openssh-6.6p1-keyperm.patch Patch606: openssh-5.9p1-ipv6man.patch Patch607: openssh-5.8p2-sigpipe.patch Patch609: openssh-7.2p2-x11.patch Patch700: openssh-7.7p1-fips.patch Patch702: openssh-5.1p1-askpass-progress.patch #https://bugzilla.redhat.com/show_bug.cgi?id=198332 Patch703: openssh-4.3p2-askpass-grab-info.patch #patch from redhat Patch707: openssh-7.7p1-redhat.patch Patch709: openssh-6.2p1-vendor.patch Patch711: openssh-7.8p1-UsePAM-warning.patch Patch712: openssh-6.3p1-ctr-evp-fast.patch Patch713: openssh-6.6p1-ctr-cavstest.patch Patch714: openssh-6.7p1-kdf-cavs.patch Patch800: openssh-7.8p1-gsskex.patch Patch801: openssh-6.6p1-force_krb.patch Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch # from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655 Patch803: openssh-7.1p1-gssapi-documentation.patch Patch804: openssh-7.7p1-gssapi-new-unique.patch Patch805: openssh-7.2p2-k5login_directory.patch Patch807: openssh-7.5p1-gssapi-kex-with-ec.patch Patch900: openssh-6.1p1-gssapi-canohost.patch Patch901: openssh-6.6p1-kuserok.patch Patch906: openssh-6.4p1-fromto-remote.patch Patch916: openssh-6.6.1p1-selinux-contexts.patch Patch918: openssh-6.6.1p1-log-in-chroot.patch Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch Patch920: openssh-7.8p1-ip-port-config-parser.patch Patch922: openssh-6.8p1-sshdT-output.patch Patch926: openssh-6.7p1-sftp-force-permission.patch Patch929: openssh-6.9p1-permit-root-login.patch Patch932: openssh-7.0p1-gssKexAlgorithms.patch Patch939: openssh-7.2p2-s390-closefrom.patch Patch944: openssh-7.3p1-x11-max-displays.patch Patch948: openssh-7.4p1-systemd.patch Patch949: openssh-7.6p1-cleanup-selinux.patch Patch950: openssh-7.5p1-sandbox.patch Patch951: openssh-7.6p1-pkcs11-uri.patch Patch952: openssh-7.6p1-pkcs11-ecdsa.patch Patch953: openssh-7.8p1-scp-ipv6.patch Patch6000: Initial-len-for-the-fmt-NULL-case.patch Patch6001: upstream-fix-build-with-DEBUG_PK-enabled.patch Patch6002: upstream-fix-misplaced-parenthesis-inside-if-clause..patch Patch6003: delete-the-correct-thing-kexfuzz-binary.patch Patch6004: upstream-When-choosing-a-prime-from-the-moduli-file-.patch Patch6005: upstream-fix-ssh-Q-sig-to-show-correct-signature-alg.patch Patch6006: in-pick_salt-avoid-dereference-of-NULL-passwords.patch Patch6007: check-for-NULL-return-from-shadow_pw.patch Patch6008: check-pw_passwd-NULL-here-too.patch Patch6009: upstream-typo-in-plain-RSA-algorithm-counterpart-nam.patch Patch6010: upstream-correct-local-variable-name-from-yawang-AT-.patch Patch6011: upstream-typo-in-error-message-caught-by-Debian-lint.patch Patch6012: upstream-fix-bug-in-HostbasedAcceptedKeyTypes-and.patch Patch6013: upstream-fix-bug-in-client-that-was-keeping-a-redund.patch Patch6014: upstream-disallow-empty-incoming-filename-or-ones-th.patch Patch6015: upstream-make-grandparent-parent-child-sshbuf-chains.patch Patch6016: Move-RANDOM_SEED_SIZE-outside-ifdef.patch Patch6017: upstream-don-t-truncate-user-or-host-name-in-user-ho.patch Patch6018: upstream-don-t-attempt-to-connect-to-empty-SSH_AUTH_.patch Patch6019: upstream-only-consider-the-ext-info-c-extension-duri.patch Patch6020: upstream-fix-memory-leak-of-ciphercontext-when-rekey.patch Patch6021: upstream-Fix-BN_is_prime_-calls-in-SSH-the-API-retur.patch Patch6022: upstream-Always-initialize-2nd-arg-to-hpdelim2.-It-p.patch Patch6023: Cygwin-Change-service-name-to-cygsshd.patch Patch6024: openssh-fix-typo-that-prevented-detection-of-Linux-V.patch Patch9004: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch9005: bugfix-openssh-6.6p1-log-usepam-no.patch Patch9006: bugfix-openssh-add-option-check-username-splash.patch Requires: /sbin/nologin libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: fipscheck-lib >= 1.3.0 Requires(pre): /usr/sbin/useradd Requires(pre): shadow-utils Requires: pam >= 1.0.1-3 Requires: fipscheck-lib >= 1.3.0 Requires: crypto-policies >= 20180306-1 Obsoletes: openssh-clients-fips openssh-server-fips openssh-server-sysvinit openssh-cavs openssh-askpass-gnome Obsoletes: openssh-clients openssh-server openssh-ldap openssh-keycat openssh-askpass Provides: openssh-clients openssh-server openssh-ldap openssh-keycat openssh-askpass openssh-cavs openssh-askpass-gnome BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0 BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2 %{?systemd_requires} Recommends: p11-kit %description penSSH is the premier connectivity tool for remote login with the SSH protocol. \ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \ capabilities, several authentication methods, and sophisticated configuration options. %package -n pam_ssh_agent_auth Summary: PAM module for the use of authentication with ssh-agent Version: 0.10.3 Release: %{pam_ssh_agent_rel}.4 License: BSD %description -n pam_ssh_agent_auth Provides PAM module for the use of authentication with ssh-agent. Through the use of the\ forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \ instance. The module is most useful for su and sudo service stacks. %package_help %prep gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %setup -q -a 4 pushd pam_ssh_agent_auth-0.10.3 %patch300 -p2 -b .psaa-build %patch301 -p2 -b .psaa-seteuid %patch302 -p2 -b .psaa-visibility %patch306 -p2 -b .psaa-compat %patch305 -p2 -b .psaa-agent %patch307 -p2 -b .psaa-deref # Remove duplicate headers and library files rm -f $(cat %{SOURCE5}) popd %patch400 -p1 -b .role-mls %patch404 -p1 -b .privsep-selinux %patch501 -p1 -b .ldap %patch502 -p1 -b .keycat %patch601 -p1 -b .ip-opts %patch604 -p1 -b .keyperm %patch606 -p1 -b .ipv6man %patch607 -p1 -b .sigpipe %patch609 -p1 -b .x11 %patch702 -p1 -b .progress %patch703 -p1 -b .grab-info %patch707 -p1 -b .redhat %patch709 -p1 -b .vendor %patch711 -p1 -b .log-usepam-no %patch712 -p1 -b .evp-ctr %patch713 -p1 -b .ctr-cavs %patch714 -p1 -b .kdf-cavs %patch800 -p1 -b .gsskex %patch801 -p1 -b .force_krb %patch803 -p1 -b .gss-docs %patch804 -p1 -b .ccache_name %patch805 -p1 -b .k5login %patch900 -p1 -b .canohost %patch901 -p1 -b .kuserok %patch906 -p1 -b .fromto-remote %patch916 -p1 -b .contexts %patch918 -p1 -b .log-in-chroot %patch919 -p1 -b .scp %patch920 -p1 -b .config %patch802 -p1 -b .GSSAPIEnablek5users %patch922 -p1 -b .sshdt %patch926 -p1 -b .sftp-force-mode %patch929 -p1 -b .root-login %patch932 -p1 -b .gsskexalg %patch939 -p1 -b .s390-dev %patch944 -p1 -b .x11max %patch948 -p1 -b .systemd %patch807 -p1 -b .gsskex-ec %patch949 -p1 -b .refactor %patch950 -p1 -b .sandbox %patch951 -p1 -b .pkcs11-uri %patch952 -p1 -b .pkcs11-ecdsa %patch953 -p1 -b .scp-ipv6 %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race %patch700 -p1 -b .fips %patch100 -p1 -b .coverity %patch104 -p1 -b .openssl %patch6000 -p1 %patch6001 -p1 %patch6002 -p1 %patch6003 -p1 %patch6004 -p1 %patch6005 -p1 %patch6006 -p1 %patch6007 -p1 %patch6008 -p1 %patch6009 -p1 %patch6010 -p1 %patch6011 -p1 %patch6012 -p1 %patch6013 -p1 %patch6014 -p1 %patch6015 -p1 %patch6016 -p1 %patch6017 -p1 %patch6018 -p1 %patch6019 -p1 %patch6020 -p1 %patch6021 -p1 %patch6022 -p1 %patch6023 -p1 %patch6024 -p1 %patch9004 -p1 %patch9005 -p1 %patch9006 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 autoreconf popd %build CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS %ifarch s390 s390x sparc sparcv9 sparc64 CFLAGS="$CFLAGS -fPIC" %else CFLAGS="$CFLAGS -fpic" %endif SAVE_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -pie -z relro -z now" export CFLAGS export LDFLAGS if test -r /etc/profile.d/krb5-devel.sh ; then source /etc/profile.d/krb5-devel.sh fi krb5_prefix=`krb5-config --prefix` if test "$krb5_prefix" != "%{_prefix}" ; then CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi" LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS else krb5_prefix= CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS CFLAGS="$CFLAGS -I%{_includedir}/gssapi" fi %configure \ --sysconfdir=%{_sysconfdir}/ssh --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh --with-default-path=/usr/local/bin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ --with-privsep-path=%{_var}/empty/sshd -disable-strip \ --enable-vendor-patchlevel="FC-7.8p1-3" \ --without-zlib-version-check --with-ssl-engine --with-ipaddr-display \ --with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \ --with-ldap --with-pam --with-selinux --with-audit=linux --with-sandbox=seccomp_filter \ --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit make gtk2=yes pushd contrib if [ $gtk2 = yes ] ; then CFLAGS="$CFLAGS %{?__global_ldflags}" \ make gnome-ssh-askpass2 mv gnome-ssh-askpass2 gnome-ssh-askpass else CFLAGS="$CFLAGS %{?__global_ldflags}" make gnome-ssh-askpass1 mv gnome-ssh-askpass1 gnome-ssh-askpass fi popd pushd pam_ssh_agent_auth-0.10.3 LDFLAGS="$SAVE_LDFLAGS" %configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man make popd %global __spec_install_post \ %%{?__debug_package:%%{__debug_install_post}} %%{__arch_install_post} %%{__os_install_post} \ fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \ %{nil} %check #to run tests use "--with check" %if %{?_with_check:1}%{!?_with_check:0} make tests %endif %install mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd %make_install rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf mkdir -p $RPM_BUILD_ROOT/etc/pam.d/ mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/ mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p $RPM_BUILD_ROOT%{_libdir}/fipscheck install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* pushd pam_ssh_agent_auth-0.10.3 make install DESTDIR=$RPM_BUILD_ROOT popd %pre getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : getent passwd sshd >/dev/null || \ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : %post %systemd_post sshd.service sshd.socket %preun %systemd_preun sshd.service sshd.socket %postun %systemd_postun_with_restart sshd.service %files %defattr(-,root,root) %doc CREDITS INSTALL README.platform %license LICENCE %dir %attr(0711,root,root) %{_var}/empty/sshd %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf %attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh* %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/ %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf %attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.* %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_bindir}/ssh* %attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/sftp %attr(0644,root,root) %{_libdir}/fipscheck/ssh*.hmac %attr(0755,root,root) %dir %{_libexecdir}/openssh %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign %attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest %attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs* %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-* %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %attr(0644,root,root) %{_unitdir}/sshd* %files -n pam_ssh_agent_auth %defattr(-,root,root) %license pam_ssh_agent_auth-0.10.3/OPENSSH_LICENSE %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so %files help %defattr(-,root,root) %doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO openssh-lpk-openldap.schema %doc openssh-lpk-sun.schema ldap.conf openssh-lpk-openldap.ldif openssh-lpk-sun.ldif HOWTO.ssh-keycat HOWTO.ldap-keys %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/ssh*.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man5/ssh*.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/ssh*.8* %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog * Fri Sep 20 2019 openEuler Buildteam - 7.8p1-4 - Package init