冯玮耀/openssh (forked from OpenCloudOS Stream/openssh)
openssh.spec
冯玮耀 committed on 2023-08-28 16:59 . upgrade to 9.3p2 and Fix CVE-2023-38408
%global _hardened_build 1
%global sshd_uid 74
%global sshd_gid 74
%global pam_ssh_agent_ver 0.10.4
Summary: Complete SSH protocol 2.0 implementation
Name: openssh
Version: 9.3p2
Release: 1%{?dist}
License: BSD
URL: http://www.openssh.com/portable.html
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
Source1: https://github.com/jbeverly/pam_ssh_agent_auth/archive/refs/tags/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
Source2: sshd.pam
Source3: ssh-keycat.pam
Source4: sshd.sysconfig
Source5: sshd@.service
Source6: sshd.socket
Source7: sshd.service
Source8: sshd-keygen@.service
Source9: sshd-keygen
Source10: sshd-keygen.target
Source11: ssh-agent.service
Source12: pam_ssh_agent-rmheaders
Patch3000: openssh-7.8p1-role-mls.patch
Patch3001: openssh-6.6p1-privsep-selinux.patch
Patch3002: openssh-6.6p1-keycat.patch
Patch3003: openssh-6.6p1-keyperm.patch
Patch3004: openssh-7.7p1-redhat.patch
Patch3005: openssh-8.0p1-gssapi-keyex.patch
Patch3006: openssh-6.6p1-force_krb.patch
Patch3007: openssh-7.7p1-gssapi-new-unique.patch
Patch3008: openssh-7.2p2-k5login_directory.patch
Patch3009: openssh-6.6p1-kuserok.patch
Patch3010: openssh-6.4p1-fromto-remote.patch
Patch3011: openssh-6.6.1p1-selinux-contexts.patch
Patch3012: openssh-6.6.1p1-log-in-chroot.patch
Patch3013: openssh-6.6.1p1-scp-non-existing-directory.patch
Patch3014: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch3015: openssh-6.8p1-sshdT-output.patch
Patch3016: openssh-6.7p1-sftp-force-permission.patch
Patch3017: openssh-7.3p1-x11-max-displays.patch
Patch3018: openssh-7.4p1-systemd.patch
Patch3019: openssh-7.6p1-cleanup-selinux.patch
Patch3020: openssh-7.5p1-sandbox.patch
Patch3021: openssh-7.8p1-scp-ipv6.patch
Patch3022: openssh-8.0p1-crypto-policies.patch
Patch3023: openssh-9.3p1-merged-openssl-evp.patch
Patch3024: openssh-8.0p1-openssl-kdf.patch
Patch3025: openssh-8.2p1-visibility.patch
Patch3026: openssh-8.2p1-x11-without-ipv6.patch
Patch3027: openssh-8.0p1-keygen-strip-doseol.patch
Patch3028: openssh-8.0p1-preserve-pam-errors.patch
Patch3029: openssh-8.7p1-scp-kill-switch.patch
Patch3030: openssh-7.6p1-audit.patch
Patch3031: openssh-8.7p1-ssh-manpage.patch
Patch3032: openssh-9.0p1-audit-log.patch
Patch3033: openssh-7.7p1-fips.patch
Patch3034: openssh-9.0p1-evp-fips-dh.patch
Patch3035: openssh-9.0p1-evp-fips-ecdh.patch
Patch3036: openssh-9.3p1-SMx-support.patch
# --- pam_ssh-agent ---
Patch4001: pam_ssh_agent_auth-0.9.3-build.patch
Patch4002: pam_ssh_agent_auth-0.10.3-seteuid.patch
Patch4003: pam_ssh_agent_auth-0.9.2-visibility.patch
Patch4004: pam_ssh_agent_auth-0.10.2-compat.patch
Patch4005: pam_ssh_agent_auth-0.9.3-agent_structure.patch
Patch4006: pam_ssh_agent_auth-0.10.2-dereference.patch
BuildRequires: gcc make autoconf automake perl-interpreter perl-generators
BuildRequires: zlib-devel util-linux groff pam-devel perl-podlators
BuildRequires: systemd-devel systemd-rpm-macros
BuildRequires: p11-kit-devel libfido2-devel krb5-devel xauth
BuildRequires: libedit-devel ncurses-devel
BuildRequires: audit-libs-devel >= 2.0.5
BuildRequires: audit-libs >= 1.0.8
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: libselinux-devel >= 2.3-5
# for gnome-askpass
BuildRequires: libX11-devel gtk3-devel
# make check needs Privilege separation user sshd, who is created by openssh-server.
# regress/percent.sh needs openssl command.
BuildRequires: openssh-server openssl
Requires: libselinux >= 2.3-5
Requires: audit-libs >= 1.0.8
Requires: /sbin/nologin
Recommends: p11-kit
%description
OpenSSH is the premier connectivity tool for remote login with the SSH protocol.
It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
In addition, OpenSSH provides a large suite of secure tunneling capabilities,
several authentication methods, and sophisticated configuration options.
The OpenSSH suite consists of the following tools:
1. Remote operations are done using ssh, scp, and sftp.
2. Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
3. The service side consists of sshd, sftp-server, and ssh-agent.
%package clients
Summary: SSH client applications
Requires: openssh = %{version}-%{release}
Requires: crypto-policies >= 20200610-1
%description clients
OpenSSH clients make encrypted connections to SSH servers.
%package server
Summary: SSH server daemon
Requires: openssh = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
Requires: crypto-policies >= 20200610-1
%{?systemd_requires}
%description server
OpenSSH server contains the secure shell daemon (sshd).
The sshd daemon allows SSH clients to securely connect to an SSH server.
%package askpass
Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release}
%description askpass
OpenSSH askpass contains an X11 passphrase dialog for OpenSSH.
%package -n pam_ssh_agent_auth
Summary: PAM module for authentication via your keyring in a forwarded ssh-agent
Version: %{pam_ssh_agent_ver}
License: BSD
%description -n pam_ssh_agent_auth
pam_ssh_agent_auth is a PAM module which permits PAM
authentication via your keyring in a forwarded ssh-agent.
This module can be used to provide authentication for anything run locally that
supports PAM. It was written specifically with the intention of permitting
authentication for sudo without password entry, and also has been proven useful
for use with su as an alternative to wheel.
It serves as middle ground between the two most common, and suboptimal
alternatives for large-scale system administration: allowing root login via ssh,
or using NOPASSWD in sudoers. This module allows for ssh public-key
authentication, and it does this by leveraging an authentication mechanism you
are probably already using, ssh-agent.
%prep
%setup -q -a 1
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%autopatch -m 4000 -p2
rm -f $(cat %{SOURCE12})
popd
%autopatch -M 4000 -p1
%build
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
autoreconf
popd
export CFLAGS="$CFLAGS -fvisibility=hidden -fpic"
SAVE_LDFLAGS="$LDFLAGS"
export LDFLAGS="$LDFLAGS -pie -z relro -z now"
# for krb5
export CPPFLAGS="-I%{_includedir}/gssapi"
CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-privsep-path=%{_datadir}/empty.sshd \
--without-zlib-version-check \
--with-ssl-engine \
--with-ipaddr-display \
--with-systemd \
--with-default-pkcs11-provider=yes \
--with-security-key-builtin=yes \
--with-selinux \
--with-audit=linux \
--with-sandbox=seccomp_filter \
--with-kerberos5=%{_prefix} \
--with-libedit \
--with-pam \
--disable-strip \
--with-pie=no \
--without-hardening \
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
%make_build
pushd contrib
CFLAGS="$CFLAGS %{?__global_ldflags}" make gnome-ssh-askpass3
mv gnome-ssh-askpass3 gnome-ssh-askpass
popd
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
LDFLAGS="$SAVE_LDFLAGS"
%configure --with-selinux \
--without-openssl-header-check \
--libexecdir=%{_libdir}/security \
--with-mantype=man
%make_build
popd
%install
%make_install
install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
install -m644 ssh_config_* $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d/50-ocs.conf
install -m644 sshd_config_* $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d/50-ocs.conf
install -d -m711 $RPM_BUILD_ROOT%{_datadir}/empty.sshd
install -d -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m744 %{SOURCE9} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -d -m755 $RPM_BUILD_ROOT/etc/pam.d/
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -d -m755 $RPM_BUILD_ROOT/etc/sysconfig/
install -m644 %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install -m644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%make_install
popd
%check
TEST_SSH_UNSAFE_PERMISSIONS=1 SKIP_LTESTS="rekey" make tests || :
%pre
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
%pre server
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
%post server
%systemd_post sshd.service sshd.socket
%preun server
%systemd_preun sshd.service sshd.socket
%postun server
%systemd_postun_with_restart sshd.service
%post clients
%systemd_user_post ssh-agent.service
%preun clients
%systemd_user_preun ssh-agent.service
%files
%license LICENCE
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%files clients
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-ocs.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ssh-keycat
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%files server
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-ocs.conf
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%dir %attr(0711,root,root) %{_datadir}/empty.sshd
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%files askpass
%attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
%doc pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/README
%{_libdir}/security/pam_ssh_agent_auth.so
%{_mandir}/man8/pam_ssh_agent_auth.8.gz
%changelog
* Tue Jul 25 2023 Feng Weiyao <wynnfeng@tencent.com> - 9.3p2-1
- upgrade to 9.3p2 and Fix CVE-2023-38408
* Tue Jul 25 2023 Feng Weiyao <wynnfeng@tencent.com> - 9.3p1-2
- add patch to support SMx
* Fri Jul 21 2023 kianli <kianli@tencent.com> - 9.3p1-1
- Upgrade to 9.3p1
* Thu Jun 29 2023 rockerzhu <rockerzhu@tencent.com> - 9.0p1-5
- Fix default PATH of ssh.
* Fri Apr 28 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 9.0p1-4
- Rebuilt for OpenCloudOS Stream 23.05
* Mon Apr 03 2023 rockerzhu <rockerzhu@tencent.com> - 9.0p1-3
- Disable fips because openssl 3.0.8 disable fips
* Fri Mar 31 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 9.0p1-2
- Rebuilt for OpenCloudOS Stream 23
* Tue Jun 28 2022 rockerzhu <rockerzhu@tencent.com> - 9.0p1-1
- Initial build
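The %files sections of this spec pin a mode and an owner on every installed path (0600 root:root for sshd_config and its drop-in directory, 2555 root:ssh_keys for the setgid ssh-keysign helper, 0711 for the privilege-separation directory). The following is an added example, not part of this spec, of OpenCloudOS or of OpenSSH: a Python audit that parses those %attr() entries, expands the path macros with assumed RHEL-style values, and reports any path whose on-disk mode, type or ownership has drifted from what the package declared. The macro table, the spec excerpt in SAMPLE_SPEC and the temporary tree that run_demo() builds are constructed for the demonstration.

```python
"""Audit installed file modes/owners against the %attr() lines of an RPM spec.

Added example, not code from openssh.spec or OpenSSH.  Macro expansions are
assumed RHEL-style defaults; SAMPLE_SPEC and the demo tree are constructed.
"""
import glob
import grp
import os
import pwd
import re
import stat
import tempfile

# Assumed expansions for the macros that appear in %files paths.
MACROS = {
    "%{_sysconfdir}": "/etc",
    "%{_bindir}": "/usr/bin",
    "%{_sbindir}": "/usr/sbin",
    "%{_libexecdir}": "/usr/libexec",
    "%{_datadir}": "/usr/share",
    "%{_unitdir}": "/usr/lib/systemd/system",
    "%{_userunitdir}": "/usr/lib/systemd/user",
    "%{_mandir}": "/usr/share/man",
    "%{_libdir}": "/usr/lib64",
}

ATTR_RE = re.compile(r"%attr\((\d+),\s*(\w+),\s*(\w+)\)")

# Constructed excerpt in the same format as the spec's %files sections.
SAMPLE_SPEC = """\
%files
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
%files server
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
%changelog
* Tue Jul 25 2023 nobody - 0-0
"""


def expand(path):
    """Replace known macros and drop a trailing slash (rpm ignores it)."""
    for macro, value in MACROS.items():
        path = path.replace(macro, value)
    return path.rstrip("/") or "/"


def parse_files_entries(spec_text):
    """Return (mode, owner, group, is_dir, path) for each %attr line in %files."""
    entries, in_files = [], False
    for raw in spec_text.splitlines():
        line = raw.strip()
        if line.startswith("%files"):
            in_files = True
            continue
        if line.startswith(("%changelog", "%description")):
            in_files = False
            continue
        m = ATTR_RE.search(line) if in_files else None
        if not m:
            continue
        mode = int(m.group(1), 8)  # "2555" -> setgid bit plus r-xr-xr-x
        rest = (line[:m.start()] + " " + line[m.end():]).split()
        entries.append((mode, m.group(2), m.group(3), "%dir" in rest, expand(rest[-1])))
    return entries


def _name(getter, ident):
    try:
        return getter(ident)
    except KeyError:  # uid/gid with no passwd/group entry on this host
        return str(ident)


def check_entry(entry, root="/", check_owner=True):
    """Return a list of discrepancies for one entry, relative to `root`."""
    mode, owner, group, is_dir, path = entry
    full = os.path.join(root, path.lstrip("/"))
    matches = glob.glob(full) if any(c in path for c in "*?[") else [full]
    matches = [m for m in matches if os.path.exists(m)]
    if not matches:
        return [f"{path}: missing"]
    problems = []
    for m in matches:
        st = os.stat(m)  # follow symlinks: rpm applies modes to the target
        if is_dir != stat.S_ISDIR(st.st_mode):
            problems.append(f"{m}: expected a {'directory' if is_dir else 'file'}")
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            problems.append(f"{m}: mode {actual:04o}, spec says {mode:04o}")
        if check_owner:
            u = _name(lambda i: pwd.getpwuid(i).pw_name, st.st_uid)
            g = _name(lambda i: grp.getgrgid(i).gr_name, st.st_gid)
            if (u, g) != (owner, group):
                problems.append(f"{m}: owned by {u}:{g}, spec says {owner}:{group}")
    return problems


def audit(spec_text, root="/", check_owner=True):
    """Audit every %attr entry of `spec_text` under `root`; return findings."""
    problems = []
    for entry in parse_files_entries(spec_text):
        problems.extend(check_entry(entry, root, check_owner))
    return problems


def run_demo():
    """Build a constructed tree in a temp dir and audit it (owner check off)."""
    root = tempfile.mkdtemp(prefix="spec-audit-")
    ssh_dir = os.path.join(root, "etc/ssh")
    os.makedirs(os.path.join(ssh_dir, "sshd_config.d"))
    os.chmod(ssh_dir, 0o755)
    os.chmod(os.path.join(ssh_dir, "sshd_config.d"), 0o700)
    for name, mode in (("moduli", 0o644), ("sshd_config", 0o644)):  # sshd_config too open
        p = os.path.join(ssh_dir, name)
        open(p, "w").close()
        os.chmod(p, mode)
    # ssh-keygen and ssh-keysign are deliberately absent -> reported as missing
    return sorted(audit(SAMPLE_SPEC, root, check_owner=False))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against a live host you would feed the real spec text and root="/" (owner checks on); note that the %files list only covers what the package installs, so files that sshd-keygen creates at first start (the host keys) need their own check.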