%define groupid 65002
%define userid 65002

%define with_opensc 0
%define with_chroot 1
%define with_selinux 0

Name:          openssh
Version:       9.7p1
Release:       1mamba
Summary:       OpenSSH free Secure Shell (SSH) implementation
Group:         Network/Security
Vendor:        openmamba
Distribution:  openmamba
Packager:      Silvan Calarco
URL:           https://www.openssh.com/
Source0:       http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1:       openssh-pamdconf
Source2:       openssh-sshd-makecerts
Source3:       openssh-sshd.service
Source4:       openssh-sshd@.service
Source5:       openssh-sshd.socket
Source6:       openssh-sshd.conf
Patch0:        openssh-8.4p1-ssh_config.patch
Patch1:        openssh-8.2p1-arm-glibc-2.31.patch
Patch2:        openssh-8.4p1-sandbox-seccomp.patch
License:       BSD
## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel
BuildRequires: libX11-devel
BuildRequires: libat-spi2-core-devel
BuildRequires: libcairo-devel
BuildRequires: libedit-devel
BuildRequires: libfontconfig-devel
BuildRequires: libfreetype-devel
BuildRequires: libgdk-pixbuf-devel
BuildRequires: libglib-devel
BuildRequires: libgtk2-devel
BuildRequires: libharfbuzz-devel
BuildRequires: libmd-devel
BuildRequires: libopenssl-devel
BuildRequires: libpam-devel
BuildRequires: libpango-devel
BuildRequires: libxcrypt-devel
BuildRequires: libz-devel
## AUTOBUILDREQ-END
%if "%{stage1}" != "1"
BuildRequires: %{_bindir}/xauth
%endif
%if %with_opensc
BuildRequires: libopensc-devel
BuildRequires: coreutils
%endif
BuildRequires: libwrap-devel
BuildRequires: libopenssl >= 3.1.0
BuildRequires: glibc-devel >= 2.31

# NOTE:
# see http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html

%description
SSH (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the
secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to
date in terms of security and features, as well as removing all patented
algorithms to separate libraries (OpenSSL).

%package common
Summary:       OpenSSH free Secure Shell (SSH) implementation
Group:         Network/Security
Requires:      libopenssl >= 1.0.1

%description common
SSH (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the
secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to
date in terms of security and features, as well as removing all patented
algorithms to separate libraries (OpenSSL).

This package includes the core files necessary for both the OpenSSH client and
server.
To make this package useful, you should also install openssh-clients,
openssh-server, or both.

%package clients
Summary:       OpenSSH Secure Shell protocol clients
Group:         Network/Security
Provides:      openssh-client
Obsoletes:     openssh-client < 8.5p1
Requires:      openssh-common = %{?epoch:%epoch:}%{version}-%{release}
Provides:      openssh
Obsoletes:     openssh < 8.5p1

%description clients
SSH (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the
secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to
date in terms of security and features, as well as removing all patented
algorithms to separate libraries (OpenSSL).

This package includes the clients necessary to make encrypted connections to
SSH servers.

%package server
Summary:       OpenSSH Secure Shell protocol server (sshd)
Group:         System/Servers
Requires(post): openssh-common = %{?epoch:%epoch:}%{version}-%{release}

%description server
SSH (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.
It is intended to replace rlogin and rsh, and provide secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the
secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to
date in terms of security and features, as well as removing all patented
algorithms to separate libraries (OpenSSL).

This package contains the secure shell daemon.
The sshd is the server part of the secure shell protocol and allows ssh clients
to connect to your host.

%package askpass
Summary:       A Gtk2 SSH passphrase requester
Group:         Graphical Desktop/Applications/Security

%description askpass
A Gtk2 SSH passphrase requester.

%debug_package

%prep
%setup -q
#-D -T
#:<< _EOF
%patch 0 -p1
%ifarch arm
%patch 1 -p1
%endif
# Patch2 is not applied; the macro is escaped so rpm does not expand it
# inside the comment
#%%patch2 -p1

%build
# note: --with-rand-helper unneeded for Linux
# (OpenSSH uses the Linux kernel random source)
%if %with_chroot
export CFLAGS="%{optflags} -DUSE_CHROOT"
%endif
%configure \
   --sysconfdir=%{_sysconfdir}/ssh \
   --libexecdir=%{_libexecdir}/openssh \
   --with-pid-dir=/run/sshd \
   --with-md5-passwords \
   --with-mantype=man \
%if %with_opensc
   --with-opensc \
%endif
   --with-pam \
   --with-xauth=%{_bindir}/xauth \
%if %with_selinux
   --with-selinux \
%endif
   --with-libedit \
   --without-zlib-version-check \
   --disable-etc-default-login \
   --with-default-path=/usr/local/bin:/bin:/usr/bin \
   --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
   --disable-strip

%make

make -C contrib gnome-ssh-askpass2

%install
[ "%{buildroot}" != / ] && rm -rf %{buildroot}
install -d %{buildroot}%{_var}/empty
install -d %{buildroot}%{_sysconfdir}/{ssh,pam.d}

# note: 'make check-config' fails but it's a harmless error
%makeinstall

install -D -m 600 %{S:1} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -D -m 755 %{SOURCE2} %{buildroot}%{_bindir}/ssh-makecerts
install -D -m 644 %{SOURCE3} %{buildroot}/lib/systemd/system/sshd.service
install -D -m 644 %{SOURCE4} %{buildroot}/lib/systemd/system/sshd@.service
install -D -m 644 %{SOURCE5} %{buildroot}/lib/systemd/system/sshd.socket
install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/tmpfiles.d/sshd.conf

rm -f %{buildroot}%{_datadir}/Ssh.bin

# customize the configuration files of ssh server:
# force protocol 2, enable UsePAM and X11Forwarding,
# uncomment UsePrivilegeSeparation
sed -i 's/#Protocol 2,1/Protocol 2/
s/#\(UsePAM\).*/\1 yes/
s/#X11Forwarding no/X11Forwarding yes/
s/#\(UsePrivilegeSeparation yes\)/\1/' \
   %{buildroot}%{_sysconfdir}/ssh/sshd_config

echo "AcceptEnv LANG LC_*" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config

install -m0755 contrib/ssh-copy-id %{buildroot}%{_bindir}/ssh-copy-id
install -m0644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1/ssh-copy-id.1
install -m0755 contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/openssh/ssh-askpass

%clean
[ "%{buildroot}" != / ] && rm -rf %{buildroot}

%post clients
if [ $1 -gt 1 ]; then
   # update: add the entries only if they are not already configured
   grep "SendEnv" %{_sysconfdir}/ssh/ssh_config >/dev/null || \
      echo " SendEnv LANG LC_*" >> %{_sysconfdir}/ssh/ssh_config
   grep "ServerAliveInterval" %{_sysconfdir}/ssh/ssh_config >/dev/null || \
      echo " ServerAliveInterval 60" >> %{_sysconfdir}/ssh/ssh_config
fi
:

%pre server
/usr/sbin/groupadd sshd -g %{groupid} 2>/dev/null || :
/usr/sbin/useradd -u %{userid} -g sshd -c 'ssh daemon' -d /var/empty \
   -s /bin/false sshd 2>/dev/null
exit 0

%post server
if [ $1 -eq 1 ]; then
   # new install
   %{_bindir}/ssh-makecerts
#   /sbin/chkconfig --add sshd
#   service sshd start
fi
if [ $1 -gt 1 ]; then
   # update
   sed -i 's/#X11Forwarding no/X11Forwarding yes/' \
      %{_sysconfdir}/ssh/sshd_config
   grep "AcceptEnv" %{_sysconfdir}/ssh/sshd_config >/dev/null || \
      echo " AcceptEnv LANG LC_*" >> %{_sysconfdir}/ssh/sshd_config
fi
exit 0

%posttrans server
systemctl -q daemon-reload
systemctl -q enable sshd.socket
systemctl -q start sshd.socket
exit 0

%preun server
if [ $1 -eq 0 ]; then
   # erase
   systemctl -q stop sshd.socket
   systemctl -q disable sshd.socket
fi
exit 0

%postun server
systemctl -q daemon-reload
exit 0

%files common
%defattr(-,root,root)
%{_bindir}/ssh-copy-id
%{_bindir}/ssh-keygen
%{_bindir}/ssh-keyscan
%{_bindir}/ssh-makecerts
%{_libexecdir}/openssh/ssh-keysign
%{_libexecdir}/openssh/ssh-pkcs11-helper
%{_libexecdir}/openssh/ssh-sk-helper
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man1/ssh-keygen.1*
%{_mandir}/man1/ssh-keyscan.1*
%{_mandir}/man8/ssh-keysign.8*
%{_mandir}/man8/ssh-pkcs11-helper.8*
%{_mandir}/man8/ssh-sk-helper.8*

%files clients
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/ssh/ssh_config
%{_bindir}/scp
%{_bindir}/sftp
#%{_bindir}/slogin
%{_bindir}/ssh
%{_bindir}/ssh-add
%{_bindir}/ssh-agent
%{_mandir}/man1/scp.*
%{_mandir}/man1/sftp.*
%{_mandir}/man1/ssh-add.*
%{_mandir}/man1/ssh-agent.*
%{_mandir}/man1/ssh.*
#%{_mandir}/man1/slogin.*
%{_mandir}/man5/ssh_config.*

%files server
%defattr(-,root,root)
%attr(0600,root,root) %{_sysconfdir}/pam.d/sshd
%config(noreplace) %{_sysconfdir}/ssh/moduli
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/ssh/sshd_config
%{_sbindir}/sshd
/lib/systemd/system/sshd.service
/lib/systemd/system/sshd.socket
/lib/systemd/system/sshd@.service
%{_prefix}/lib/tmpfiles.d/sshd.conf
%{_libexecdir}/openssh/sftp-server
%attr(0755,root,sys) %dir /var/empty
%{_mandir}/man5/sshd_config.*
%{_mandir}/man8/sftp-server.*
%{_mandir}/man8/sshd.*
%{_mandir}/man5/moduli.*

%files askpass
%defattr(-,root,root)
%{_libexecdir}/openssh/ssh-askpass

%changelog
* Mon Mar 11 2024 Automatic Build System 9.7p1-1mamba
- automatic version update by autodist

* Tue Dec 19 2023 Automatic Build System 9.6p1-1mamba
- automatic version update by autodist

* Wed Oct 04 2023 Automatic Build System 9.5p1-1mamba
- automatic version update by autodist

* Sat Aug 19 2023 Automatic Build System 9.4p1-1mamba
- automatic version update by autodist

* Thu Jul 20 2023 Automatic Build System 9.3p2-1mamba
- automatic version update by autodist

* Thu Mar 16 2023 Automatic Build System 9.3p1-1mamba
- automatic version update by autodist

* Wed Mar 15 2023 Silvan Calarco 9.2p1-2mamba
- rebuilt with openssl 3.1.0

* Fri Feb 03 2023 Automatic Build System 9.2p1-1mamba
- automatic version update by autodist

* Wed Oct 05 2022 Automatic Build System 9.1p1-1mamba
- automatic version update by autodist

* Sat Apr 09 2022 Automatic Build System 9.0p1-1mamba
- automatic version update by autodist

* Fri Feb 25 2022 Automatic Build System 8.9p1-1mamba
- automatic version update by autodist

* Mon Dec 13 2021 Silvan Calarco 8.8p1-2mamba
- sshd.socket: set MaxConnectionsPerSource=16 to limit max-limit-hits
  deactivation for dos attempts

* Mon Sep 27 2021 Automatic Build System 8.8p1-1mamba
- automatic version update by autodist

* Sat Aug 21 2021 Automatic Build System 8.7p1-1mamba
- automatic version update by autodist

* Mon Apr 19 2021 Automatic Build System 8.6p1-1mamba
- automatic version update by autodist

* Mon Mar 22 2021 Automatic Build System 8.5p1-1mamba
- automatic version update by autodist

* Sat Feb 06 2021 Silvan Calarco 8.4p1-2mamba
- added seccomp-sandbox patch to fix crash seen on x86
  (see https://bugzilla.redhat.com/show_bug.cgi?id=1897712)

* Mon Oct 05 2020 Silvan Calarco 8.4p1-1mamba
- update to 8.4p1

* Thu May 28 2020 Automatic Build System 8.3p1-1mamba
- automatic version update by autodist

* Fri Apr 03 2020 Silvan Calarco 8.2p1-4mamba
- correct the previous patch into an arm target one

* Fri Apr 03 2020 Silvan Calarco 8.2p1-3mamba
- arm: added patch for glibc 2.31 (from Arch) to fix problem as seen on x86

* Fri Mar 06 2020 Silvan Calarco 8.2p1-2mamba
- rebuilt to fix server problem on x86 probably following glibc 2.31

* Mon Feb 17 2020 Automatic Build System 8.2p1-1mamba
- automatic version update by autodist

* Wed Oct 09 2019 Automatic Build System 8.1p1-1mamba
- automatic version update by autodist

* Wed Sep 25 2019 Silvan Calarco 8.0p1-2mamba
- rebuilt with --with-libedit for sftp

* Thu Apr 18 2019 Automatic Build System 8.0p1-1mamba
- automatic version update by autodist

* Sat Mar 02 2019 Silvan Calarco 7.9p1-2mamba
- rebuilt with openssl 1.1.1b

* Sat Oct 20 2018 Automatic Build System 7.9p1-1mamba
- automatic version update by autodist

* Fri Aug 24 2018 Automatic Build System 7.8p1-1mamba
- automatic version update by autodist

* Tue Apr 03 2018 Automatic Build System 7.7p1-1mamba
- automatic version update by autodist

* Thu Dec 07 2017 Automatic Build System 7.6p1-1mamba
- automatic update by autodist

* Mon Aug 07 2017 Automatic Build System 7.5p1-1mamba
- automatic version update by autodist

* Wed Dec 21 2016 Automatic Build System 7.4p1-1mamba
- automatic version update by autodist

* Fri Sep 16 2016 Silvan Calarco 7.3p1-1mamba
- update to 7.3p1

* Fri Apr 08 2016 Silvan Calarco 7.2p2-2mamba
- don't disable AllowTcpForwarding anymore, leave default (=yes, for
  x2goserver)

* Thu Mar 10 2016 Automatic Build System 7.2p2-1mamba
- automatic version update by autodist

* Tue Mar 01 2016 Automatic Build System 7.2p1-1mamba
- automatic version update by autodist

* Thu Jan 14 2016 Automatic Build System 7.1p2-1mamba
- automatic version update by autodist

* Sat Oct 10 2015 Silvan Calarco 7.1p1-2mamba
- sshd-makecerts: RSA1 (ssh 1) is no longer supported causing sshd startup
  error

* Fri Aug 21 2015 Automatic Build System 7.1p1-1mamba
- automatic version update by autodist

* Tue Aug 11 2015 Automatic Build System 7.0p1-1mamba
- automatic version update by autodist

* Wed Jul 01 2015 Automatic Build System 6.9p1-1mamba
- automatic version update by autodist

* Thu Mar 19 2015 Automatic Build System 6.8p1-1mamba
- automatic version update by autodist

* Thu Dec 11 2014 Silvan Calarco 6.7p1-2mamba
- install ssh-askpass tool in path required by virt-manager

* Tue Oct 07 2014 Automatic Build System 6.7p1-1mamba
- automatic version update by autodist

* Tue Apr 29 2014 Silvan Calarco 6.6p1-3mamba
- openssh-sshd-makecerts: support ed25519 host key generation

* Wed Apr 09 2014 Silvan Calarco 6.6p1-2mamba
- patch ssh_config with default configuration; set 'ServerAliveInterval 60'

* Sun Mar 16 2014 Automatic Build System 6.6p1-1mamba
- automatic version update by autodist

* Thu Jan 30 2014 Automatic Build System 6.5p1-1mamba
- automatic version update by autodist

* Tue Nov 12 2013 Silvan Calarco 6.4p1-2mamba
- install ssh-copy-id from contrib/

* Fri Nov 08 2013 Automatic Build System 6.4p1-1mamba
- automatic version update by autodist

* Mon Oct 14 2013 Silvan Calarco 6.3p1-3mamba
- ssh-makecerts: remove usage of success and failure functions from obsoleted
  initscripts functions

* Thu Sep 26 2013 Silvan Calarco 6.3p1-2mamba
- switched to systemd

* Fri Sep 13 2013 Automatic Build System 6.3p1-1mamba
- automatic version update by autodist

* Thu May 16 2013 Automatic Build System 6.2p2-1mamba
- automatic version update by autodist

* Tue Mar 26 2013 Automatic Build System 6.2p1-1mamba
- automatic version update by autodist

* Wed Aug 29 2012 Automatic Build System 6.1p1-1mamba
- automatic version update by autodist

* Tue Jul 03 2012 Silvan Calarco 6.0p1-2mamba
- rebuilt with openssl 1.0.1c

* Sun Apr 22 2012 Automatic Build System 6.0p1-1mamba
- automatic version update by autodist

* Thu Apr 12 2012 Silvan Calarco 5.9p1-6mamba
- Add SendEnv/AcceptEnv configuration entries to pass LANG and LC_* variables

* Thu Mar 15 2012 Silvan Calarco 5.9p1-5mamba
- rebuilt with openssl 1.0.1

* Sat Jan 07 2012 Davide Madrisan 5.9p1-4mamba
- make the initscript dash compliant

* Tue Dec 06 2011 Silvan Calarco 5.9p1-3mamba
- added post code to generate host keys at rpm installation

* Thu Sep 15 2011 Silvan Calarco 5.9p1-2mamba
- openssh-common: don't obsolete openssh; move obsolete to openssh-clients

* Tue Sep 06 2011 Automatic Build System 5.9p1-1mamba
- automatic version update by autodist

* Tue May 03 2011 Automatic Build System 5.8p2-1mamba
- automatic update by autodist

* Wed Mar 02 2011 Davide Madrisan 5.8p1-2mamba
- initscript: remove bashisms
- initscript: also create /etc/ssh/ssh_host_ecdsa_key when not found

* Fri Feb 04 2011 Automatic Build System 5.8p1-1mamba
- automatic update by autodist

* Tue Jan 25 2011 Automatic Build System 5.7p1-1mamba
- automatic update by autodist

* Mon Aug 23 2010 Automatic Build System 5.6p1-1mamba
- automatic update to 5.6p1 by autodist

* Fri Apr 16 2010 Automatic Build System 5.5p1-1mamba
- automatic update to 5.5p1 by autodist

* Fri Mar 12 2010 Automatic Build System 5.4p1-1mamba
- automatic update to 5.4p1 by autodist

* Thu Oct 01 2009 Automatic Build System 5.3p1-1mamba
- automatic update to 5.3p1 by autodist

* Mon Feb 23 2009 Silvan Calarco 5.2p1-1mamba
- automatic update to 5.2p1 by autodist

* Fri Aug 29 2008 Ercole 'ercolinux' Carpanetto 5.1p1-1mamba
- update to 5.1p1

* Sun Dec 16 2007 Silvan Calarco 4.7p1-2mamba
- make openssh-common obsolete openssh instead of openssh-clients

* Thu Dec 13 2007 Silvan Calarco 4.7p1-1mamba
- update to 4.7p1
- openssh-client renamed to openssh-clients
- scp moved to openssh-clients
- openssh renamed to openssh-common
- openssh-clients obsoletes and provides openssh

* Mon Jun 25 2007 Silvan Calarco 4.6p1-2mamba
- changed pam file for pam 0.99.7
- don't restart the service on upgrade

* Tue Apr 24 2007 Davide Madrisan 4.6p1-1mamba
- update to 4.6p1
- enable support for tcp wrappers
- restrict permissions for sshd_config and sshd (pam configuration)
- initscript reworked

* Tue Dec 26 2006 Silvan Calarco 4.5p1-2qilnx
- fix xauth path for Xorg 7.1

* Fri Nov 10 2006 Silvan Calarco 4.5p1-1qilnx
- update to version 4.5p1 by autospec

* Fri Nov 03 2006 Silvan Calarco 4.4p1-1qilnx
- update to version 4.4p1 by autospec
- removed patch against CVE-2006-0225 (fixed upstream in version 4.3p1)

* Tue Jun 20 2006 Davide Madrisan 3.9p1-6qilnx
- security update: fixed CVE-2006-0225
- updated initscript
- added a patch from OpenPKG to use ssh in a chroot environment
  not enabled by default

* Fri Jan 27 2006 Silvan Calarco 3.9p1-5qilnx
- use "service" script to start/stop initscript

* Tue Oct 18 2005 Davide Madrisan 3.9p1-4qilnx
- security fix QSA-2005-121 (CAN-2005-2798)

* Fri Oct 14 2005 Davide Madrisan 3.9p1-3qilnx
- rebuilt

* Tue Mar 29 2005 Silvan Calarco 3.9p1-2qilnx
- added pam_group support in sshd authentication
- disabled Tcp Forwarding in default configuration for security reasons with nx

* Thu Feb 10 2005 Davide Madrisan 3.9p1-1qilnx
- update to version 3.9p1 by autospec

* Fri Feb 27 2004 Davide Madrisan 3.7.1p2-1qilnx
- specfile updated to permit a non root user to build the package

* Sat Oct 04 2003 Silvan Calarco 3.7.1p2-2qilnx
- fixed a pam error which caused the password being asked twice
- sshd groupid and userid assignment as in QiLinux resources database

* Wed Sep 24 2003 Davide Madrisan 3.7.1p2-1qilnx
- rebuild with 3.7.1p2
- updated install block to activate PAM (disabled by default from this version
  on)
- fixed bash commands in openssh-server -> %%pre

* Wed Sep 17 2003 Davide Madrisan 3.7.1p1-1qilnx
- first build of 3.7.1p1
- added some options to pass to the configure script

* Tue Jun 17 2003 Silvan Calarco 3.6.1p2-1qilnx
- first build of 3.6.1p2
- changed configuration scripts to enable X11 tunnelling

* Wed May 21 2003 Silvan Calarco 3.6.1p1-5qilnx
- changed pamd default authentication with ldap (from required to sufficient)

* Mon May 05 2003 Alessandro Ramazzina 3.6.1p1-4qilnx
- added sshd group and sshd user for openssh-server

* Wed Apr 30 2003 Alessandro Ramazzina 3.6.1p1-3qilnx
- fixed a configuration files location error

* Wed Apr 30 2003 Alessandro Ramazzina 3.6.1p1-2qilnx
- added -n openssh-server to the %%post and %%preun parameters

* Fri Apr 18 2003 Alessandro Ramazzina 3.6.1p1-1qilnx
- creation of openssh package