OpenSSH RPMvConary
Conary Recipe File
# # Copyright (c) 2004-2007 rPath, Inc. # This file is distributed under the terms of the MIT License. # A copy is available at http://www.rpath.com/permanent/mit-license.html # class OpenSSH(AutoPackageRecipe): name = 'openssh' version = '4.6p1' buildRequires = [ 'openssl:devel', 'atk:devel', 'glib:devel', 'gtk:devel', 'pango:devel', 'zlib:devel', 'xauth:runtime', 'pkgconfig:devel', 'cairo:devel', 'fontconfig:devel', 'freetype:devel', 'libpng:devel', 'groff:runtime', 'net-tools:runtime', 'passwd:runtime', 'procps:runtime', 'shadow:runtime', 'sysstat:runtime', 'sysvinit:runtime', 'util-linux:runtime', 'e2fsprogs:devel', 'krb5:devel', 'tcp_wrappers:devel', 'pam:devel', 'krb5:runtime', 'libgssapi:devel', ] def unpack(r): r.addArchive('ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/',keyid='86FF9C48') r.addPatch('config.patch') r.addAction("sed -i '/# chkconfig:/s/ 55/ 20/g' contrib/redhat/sshd.init") def configure(r): # For kerberos r.macros.ldflags += ' -lgssapi_krb5' r.Replace(r'initlog -c "\$SSHD \$OPTIONS" && success \|\| failure', '$SSHD $OPTIONS && success || failure', 'contrib/redhat/sshd.init') r.Replace('HAVE_GSSAPI_GSSAPI_KRB5', 'HAVE_GSSAPI_GSSAPI_KRB5_H', 'gss-serv-krb5.c') r.Configure('--sysconfdir=%(sysconfdir)s/ssh' ' --libexecdir=%(libexecdir)s/openssh' ' --datadir=%(datadir)s/openssh' ' --with-rsh=%(bindir)s/rsh' ' --with-default-path=/usr/local/bin:/bin:/usr/bin' ' --with-superuser-path=/usr/local/sbin:/usr/local/bin' ':/sbin:/bin:/usr/sbin:/usr/bin' ' --with-privsep-path=%(localstatedir)s/empty/sshd' ' --with-tcp-wrappers --with-pam' ' --with-kerberos5') def makeinstall(r): r.MakeInstall() r.Install('contrib/redhat/sshd.init', '%(initdir)s/sshd') r.MakeDirs('%(localstatedir)s/empty/sshd', mode=0111) r.SetModes('%(libexecdir)s/openssh/ssh-keysign', 04711) r.SetModes('%(sysconfdir)s/ssh/{sshd_config,moduli}', 0600) r.UtilizeUser('sshd', '%(sbindir)s/sshd') r.Install('contrib/ssh-copy-id', '%(bindir)s/ssh-copy-id') 
r.Install('contrib/ssh-copy-id.1', '%(mandir)s/man1/ssh-copy-id.1') # fixing install modes r.SetModes('%(bindir)s/*', 0755) r.SetModes('%(mandir)s/*/*', 0644) r.Install('contrib/redhat/sshd.pam', '%(sysconfdir)s/pam.d/sshd', mode=0600) def policy(r): r.AutoDoc('OVERVIEW', 'RFC.nroff', 'WARNING.RNG') r.PackageSpec('openssh-server', '%(localstatedir)s/empty/sshd', '%(libexecdir)s/openssh/sftp-server', '%(mandir)s/man5/sshd_config\.5.*', '%(mandir)s/man8/sshd\.8.*', '%(mandir)s/man8/sftp-server\.8.*', '%(sysconfdir)s/ssh/sshd_config', '%(sbindir)s/sshd', '%(initdir)s/sshd') r.PackageSpec('openssh-server', '%(sysconfdir)s/pam.d/sshd') r.PackageSpec('openssh-client', '%(sysconfdir)s/ssh/ssh_config', '%(bindir)s/ssh', '%(bindir)s/scp', '%(bindir)s/slogin', '%(bindir)s/ssh-agent', '%(bindir)s/ssh-add', '%(bindir)s/sftp', '%(bindir)s/ssh-keyscan', '%(mandir)s/man1/scp.*', '%(mandir)s/man1/slogin.*', '%(mandir)s/man1/ssh\.1.*', '%(mandir)s/man1/ssh-agent.*', '%(mandir)s/man1/ssh-add.*', '%(mandir)s/man1/ssh-keyscan.*', '%(mandir)s/man5/ssh_config.*', '%(mandir)s/man1/sftp.*') # Init script requires ssh-keygen r.Requires('openssh:runtime', '%(initdir)s/sshd') # Tag init scripts in case the initscript tag desc. is not installed r.TagSpec('initscript', '%(initdir)s/')
RPM Spec File
# RPM spec for the openssh 4.2p1 package, release fc4.10. It produces the
# base openssh package plus the clients, server, askpass and askpass-gnome
# subpackages. The block of defines below selects optional features; several
# of them can be overridden from the rpm command line.
%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
%define WITH_SELINUX 1
%endif

# OpenSSH privilege separation requires a user & group ID
# NOTE(review): neither macro is referenced again in the spec text shown
# here; the pre-install scriptlet of the server subpackage passes the literal
# 74 to useradd, so changing these values alone has no effect.
%define sshd_uid 74
%define sshd_gid 74

# Version of ssh-askpass
%define aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%define scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1

# Is this build for RHL 6.x?
%define build6x 0

# Build position-independent executables (requires toolchain support)?
%define pie 1

# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

# Whether or not /sbin/nologin exists.
%define nologin 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}

# Add option to build without GTK2 for older platforms with only GTK+.
# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%define gtk2 0}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}

# Turn off some stuff for rescue builds
%if %{rescue}
%define kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: 4.2p1
%define rel fc4.10
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
# This package differs from the upstream OpenSSH tarball in that it
# removes the ACSS cipher.
# NOTE(review): the upstream tarball and its .sig are commented out above, and
# the archive actually built is a repacked one, so the upstream signature can
# no longer be checked against it directly. Nothing in this spec verifies the
# repacked archive or the askpass tarball; their integrity rests on how the
# distribution stores its sources.
Source0: openssh-%{version}-noacss.tar.bz2
Source1: openssh-nukeacss.sh
Source2: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Patch0: openssh-4.0p1-redhat.patch
Patch2: openssh-3.8.1p1-skip-initial.patch
Patch3: openssh-3.8.1p1-krb5-config.patch
Patch4: openssh-4.0p1-vendor.patch
Patch5: openssh-3.9p1-noinitlog.patch
Patch12: openssh-selinux.patch
Patch20: openssh-3.9p1-gssapimitm.patch
Patch21: openssh-3.9p1-safe-stop.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch23: openssh-3.9p1-no-log-signal.patch
Patch24: openssh-3.9p1-fromto-remote.patch
Patch26: openssh-4.0p1-krb5-valid.patch
Patch27: openssh-4.1p1-pam-loginuid.patch
Patch28: openssh-4.1p1-nologin.patch
Patch30: openssh-4.0p1-exit-deadlock.patch
Patch31: openssh-3.9p1-skip-used.patch
Patch32: openssh-4.2p1-pam-auth-fail-info.patch
Patch33: openssh-4.2p1-scp-no-system.patch
Patch34: openssh-4.2p1-gnu-source.patch
Patch36: openssh-4.2p1-session-x11-detach.patch
License: BSD
Group: Applications/Internet
# NOTE(review): the build root name is fixed and predictable, and the install
# stage begins with rm -rf on it; on a shared build host make sure the rpm
# temporary path is not writable by other users.
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{nologin}
Requires: /sbin/nologin
%endif

%if %{build6x}
PreReq: initscripts >= 5.00
%else
PreReq: initscripts >= 5.20
%endif

%if ! %{no_gnome_askpass}
%if %{gtk2}
BuildPreReq: gtk2-devel, xauth
%else
BuildPreReq: gnome-libs-devel
%endif
%endif

%if %{scard}
BuildPreReq: sharutils
%endif
BuildPreReq: autoconf, openssl-devel, perl, tcp_wrappers, zlib-devel
BuildPreReq: util-linux, groff, man
%if %{build6x}
BuildPreReq: glibc-devel, pam-devel
%else
BuildPreReq: pam-devel
%endif
%if ! %{no_x11_askpass}
BuildPreReq: XFree86-devel
%endif
%if %{kerberos5}
BuildPreReq: krb5-devel
%endif

%if %{WITH_SELINUX}
Requires: libselinux >= 1.17.9
BuildRequires: libselinux-devel >= 1.17.9
%endif

%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9, /usr/sbin/useradd
%if ! %{build6x}
Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.

%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.

%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.

%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.

%prep

%if ! %{no_x11_askpass}
%setup -q -a 2
%else
%setup -q
%endif
%patch0 -p1 -b .redhat
%patch2 -p1 -b .skip-initial
%patch3 -p1 -b .krb5-config
%patch4 -p1 -b .vendor
%patch5 -p1 -b .noinitlog

%if %{WITH_SELINUX}
#SELinux
%patch12 -p1 -b .selinux
%endif

# NOTE(review): Patch20 (gssapimitm) is declared in the preamble, but the line
# that would apply it is commented out, so it is not part of this build.
#%patch20 -p0 -b .gssapimitm
%patch21 -p1 -b .safe-stop
%patch22 -p1 -b .keep-above
%patch23 -p1 -b .signal
%patch24 -p1 -b .fromto-remote
%patch26 -p0 -b .krb5-valid
%patch27 -p1 -b .loginuid
%patch28 -p1 -b .nologin
%patch30 -p1 -b .exit-deadlock
%patch31 -p1 -b .skip-used
%patch32 -p0 -b .auth-fail-info
# Patch 33 (scp-no-system) looks like the change the changelog entry for this
# release describes as "use fork+exec instead of system in scp -
# CVE-2006-0225"; confirm against the patch file.
%patch33 -p1 -b .no-system
%patch34 -p1 -b .gnu-source
%patch36 -p0 -b .session-detach

autoreconf

%build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
%if %{rescue}
CFLAGS="$CFLAGS -Os"
%endif
# With the pie define set, compile and link position-independent executables.
%if %{pie}
%ifarch s390 s390x
CFLAGS="$CFLAGS -fPIE"
%else
CFLAGS="$CFLAGS -fpie"
%endif
export CFLAGS
LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
%endif
%if %{build6x}
export CFLAGS="$CFLAGS -D__func__=__FUNCTION__"
%endif
# Take Kerberos include and library paths from krb5-config when its prefix
# differs from the system prefix; otherwise only add the gssapi include dir.
%if %{kerberos5}
krb5_prefix=`krb5-config --prefix`
if test "$krb5_prefix" != "%{_prefix}" ; then
    CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS
    CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"
    LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS
else
    krb5_prefix=
    CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
    CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
fi
%endif

# Configure flags of note:
#   --with-privsep-path          directory for sshd privilege separation; the
#                                server file list packages it with mode 0111.
#   --with-default-path and --with-superuser-path list /usr/local directories
#                                ahead of the system ones, so those directories
#                                must stay writable by root only.
#   --without-zlib-version-check presumably skips configure's refusal of old
#                                zlib releases; the build then relies on the
#                                distribution zlib being patched -- confirm.
#   --without-pam                is used only for rescue builds.
%configure \
    --sysconfdir=%{_sysconfdir}/ssh \
    --libexecdir=%{_libexecdir}/openssh \
    --datadir=%{_datadir}/openssh \
    --with-tcp-wrappers \
    --with-rsh=%{_bindir}/rsh \
    --with-default-path=/usr/local/bin:/bin:/usr/bin \
    --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
    --with-privsep-path=%{_var}/empty/sshd \
    --enable-vendor-patchlevel="FC-%{version}-%{release}" \
    --disable-strip \
    --without-zlib-version-check \
%if %{scard}
    --with-smartcard \
%endif
%if %{build6x}
    --with-ipv4-default \
%endif
%if %{rescue}
    --without-pam \
%else
    --with-pam \
%endif
%if %{WITH_SELINUX}
    --with-selinux \
%else
    --without-selinux \
%endif
%if %{kerberos5}
    --with-kerberos5${krb5_prefix:+=${krb5_prefix}}
%else
    --without-kerberos5
%endif

%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif

make

%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
# This configure can't handle platform strings.
./configure --prefix=%{_prefix} --libdir=%{_libdir} --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif

# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
    gtk2=yes
%else
    gtk2=no
%endif

%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
    make gnome-ssh-askpass2
    mv gnome-ssh-askpass2 gnome-ssh-askpass
else
    make gnome-ssh-askpass1
    mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd

make install DESTDIR=$RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init.old $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%endif

%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif

install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/

%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%if ! %{scard}
    rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
%endif

%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif

%if %{no_gnome_askpass}
rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
%endif

# Strip the build root prefix out of the installed man pages.
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

%clean
rm -rf $RPM_BUILD_ROOT

%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
    touch /var/run/sshd.restart
fi

%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1} /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1} END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
    echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
    echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi

%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
    /sbin/chkconfig --add sshd
    if test -f /var/run/sshd.restart ; then
        rm -f /var/run/sshd.restart
        /sbin/service sshd start > /dev/null 2>&1 || :
    fi
fi

%pre server
# Create the unprivileged account used for privilege separation: uid 74, a
# non-login shell and the privilege-separation directory as its home.
# NOTE(review): stderr is discarded and a useradd failure is ignored, so when
# uid 74 or the name sshd is already taken with other settings the package
# still installs without saying so. Worth checking the account after install.
%if %{nologin}
/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
    -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
%else
/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
    -s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
%endif

%post server
/sbin/chkconfig --add sshd

%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :

%preun server
if [ "$1" = 0 ]
then
    /sbin/service sshd stop > /dev/null 2>&1 || :
    /sbin/chkconfig --del sshd
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
# ssh-keysign is the only setuid-root file in this spec (mode 4711: group and
# other may execute it but not read it); presumably it needs root to read the
# host private keys for host-based authentication.
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif

%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%if ! %{rescue}
# ssh-agent is packaged setgid to group nobody (mode 2755); presumably this
# is to make the agent process harder for other processes of the same user to
# inspect -- confirm against the distribution's rationale.
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%endif

%if ! %{rescue}
%files server
%defattr(-,root,root)
# Privilege-separation directory: search permission only (0111), no read or
# write bit for anyone. sshd_config below is owner read/write only.
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif

%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif

%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%changelog
* Mon Jan 23 2006 Tomas Mraz <tmraz@redhat.com> 4.2p1-fc4.10
- upstream patch for regression in X11 forwarding (#168703)
- _GNU_SOURCE should be used instead of __USE_GNU
- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
- upstream patch for displaying authentication errors
- install ssh-copy-id from contrib (#88707)
...
