-rw-r--r--ChangeLog7
-rw-r--r--contrib/redhat/gnome-ssh-askpass.csh1
-rw-r--r--contrib/redhat/gnome-ssh-askpass.sh2
-rw-r--r--contrib/redhat/openssh.spec613
-rwxr-xr-xcontrib/redhat/sshd.init161
-rwxr-xr-xcontrib/redhat/sshd.init.old172
-rw-r--r--contrib/redhat/sshd.pam10
-rw-r--r--contrib/redhat/sshd.pam-7.x8
-rw-r--r--contrib/redhat/sshd.pam.old8
9 files changed, 779 insertions, 203 deletions
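--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20020510
+ - (djm) Rework RedHat RPM files. Based on spec from Nalin
+ Dahyabhai <nalin@redhat.com> and patches from
+ Pekka Savola <pekkas@netcore.fi>
+
 20020509
  - (tim) [Makefile.in] Unbreak make -f Makefile.in distprep
 
@@ -548,4 +553,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2100 2002/05/09 14:05:59 tim Exp $
+$Id: ChangeLog,v 1.2101 2002/05/10 02:19:23 djm Exp $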
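--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass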
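Review bot: The path assigned to SSH_ASKPASS is hard-coded to `/usr/libexec/openssh/gnome-ssh-askpass`, while the spec in this commit installs the helper under `%{_libexecdir}/openssh`, so a build with a different libexecdir would leave every login shell pointing at a helper that is not there; contrib/redhat/gnome-ssh-askpass.sh has the same line. Since ssh hands the passphrase prompt to whatever program this variable names, the value should always be the binary the package owns. A header comment such as `# keep in sync with %{_libexecdir}/openssh in openssh.spec` would record the coupling, and the assignment could be guarded with `if ( -x /usr/libexec/openssh/gnome-ssh-askpass ) setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass`.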
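--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS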
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 25acf0569..e70f43893 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,5 +1,9 @@
1# Version of OpenSSH 1%define ver 3.2.1p1
2%define oversion 3.2p1 2%define rel 1
3
4# OpenSSH privilege separation requires a user & group ID
5%define sshd_uid 74
6%define sshd_gid 74
3 7
4# Version of ssh-askpass 8# Version of ssh-askpass
5%define aversion 1.2.4.1 9%define aversion 1.2.4.1
@@ -16,8 +20,8 @@
16# Do we want smartcard support (1=yes 0=no) 20# Do we want smartcard support (1=yes 0=no)
17%define scard 0 21%define scard 0
18 22
19# Use Redhat 7.0 pam control file 23# Is this build for RHL 6.x?
20%define redhat7 0 24%define build6x 0
21 25
22# Disable IPv6 (avoids DNS hangs on some glibc versions) 26# Disable IPv6 (avoids DNS hangs on some glibc versions)
23%define noip6 0 27%define noip6 0
@@ -27,9 +31,14 @@
27%{?skip_x11_askpass:%define no_x11_askpass 1} 31%{?skip_x11_askpass:%define no_x11_askpass 1}
28%{?skip_gnome_askpass:%define no_gnome_askpass 1} 32%{?skip_gnome_askpass:%define no_gnome_askpass 1}
29 33
30# Options for Redhat version: 34# Is this a build for RHL 6.x or earlier?
31# rpm -ba|--rebuild --define "rh7 1" 35%{?build_6x:%define build6x 1}
32%{?rh7:%define redhat7 1} 36
37# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
38%if %{build6x}
39%define _sysconfdir /etc
40%define noip6 1
41%endif
33 42
34# Options for static OpenSSL link: 43# Options for static OpenSSL link:
35# rpm -ba|--rebuild --define "static_openssl 1" 44# rpm -ba|--rebuild --define "static_openssl 1"
@@ -43,37 +52,43 @@
43# rpm -ba|--rebuild --define "noipv6 1" 52# rpm -ba|--rebuild --define "noipv6 1"
44%{?noipv6:%define noip6 1} 53%{?noipv6:%define noip6 1}
45 54
46%define exact_openssl_version %(rpm -q openssl | cut -d - -f 2) 55# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
56%define rescue 0
57%{?build_rescue:%define rescue 1}
47 58
48Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 59Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
49Name: openssh 60Name: openssh
50Version: %{oversion} 61Version: %{ver}
51Release: 1 62%if %{rescue}
52Packager: Damien Miller <djm@mindrot.org> 63Release: %{rel}rescue
64%else
65Release: %{rel}
66%endif
53URL: http://www.openssh.com/portable.html 67URL: http://www.openssh.com/portable.html
54Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz 68Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
55%if ! %{no_x11_askpass}
56Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz 69Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
57%endif
58License: BSD 70License: BSD
59Group: Applications/Internet 71Group: Applications/Internet
60BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot 72BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
61Obsoletes: ssh 73Obsoletes: ssh
62BuildPreReq: perl, openssl-devel, tcp_wrappers 74%if %{build6x}
63BuildPreReq: /bin/login, /usr/include/security/pam_appl.h 75PreReq: initscripts >= 5.00
64BuildPreReq: rpm >= 3.0.5 76%else
77PreReq: initscripts >= 5.20
78%endif
79BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
80BuildPreReq: /bin/login
81%if %{build6x}
82BuildPreReq: glibc-devel, pam
83%else
84BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
85%endif
65%if ! %{no_x11_askpass} 86%if ! %{no_x11_askpass}
66BuildPreReq: XFree86-devel 87BuildPreReq: XFree86-devel
67%endif 88%endif
68%if ! %{no_gnome_askpass} 89%if ! %{no_gnome_askpass}
69BuildPreReq: gnome-libs-devel 90BuildPreReq: gnome-libs-devel
70%endif 91%endif
71%if ! %{static_libcrypto}
72PreReq: openssl >= 0.9.5a
73PreReq: openssl = %{exact_openssl_version}
74Requires: openssl >= 0.9.5a
75%endif
76Requires: rpm >= 3.0.5
77 92
78%package clients 93%package clients
79Summary: OpenSSH clients. 94Summary: OpenSSH clients.
@@ -86,7 +101,7 @@ Summary: The OpenSSH server daemon.
86Group: System Environment/Daemons 101Group: System Environment/Daemons
87Obsoletes: ssh-server 102Obsoletes: ssh-server
88PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 103PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
89%if %{redhat7} 104%if ! %{build6x}
90Requires: /etc/pam.d/system-auth 105Requires: /etc/pam.d/system-auth
91%endif 106%endif
92 107
@@ -103,41 +118,43 @@ Requires: openssh = %{version}-%{release}
103Obsoletes: ssh-extras 118Obsoletes: ssh-extras
104 119
105%description 120%description
106OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH 121SSH (Secure SHell) is a program for logging into and executing
107replaces rlogin and rsh, to provide secure encrypted communications 122commands on a remote machine. SSH is intended to replace rlogin and
108between two untrusted hosts over an insecure network. X11 connections 123rsh, and to provide secure encrypted communications between two
109and arbitrary TCP/IP ports can also be forwarded over the secure 124untrusted hosts over an insecure network. X11 connections and
110channel. Public key authentication may be used for "passwordless" 125arbitrary TCP/IP ports can also be forwarded over the secure channel.
111access to servers. 126
127OpenSSH is OpenBSD's version of the last free version of SSH, bringing
128it up to date in terms of security and features, as well as removing
129all patented algorithms to separate libraries.
112 130
113This package includes the core files necessary for both the OpenSSH 131This package includes the core files necessary for both the OpenSSH
114client and server. To make this package useful, you should also 132client and server. To make this package useful, you should also
115install openssh-clients, openssh-server, or both. 133install openssh-clients, openssh-server, or both.
116 134
117%description clients 135%description clients
118OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. 136OpenSSH is a free version of SSH (Secure SHell), a program for logging
119 137into and executing commands on a remote machine. This package includes
120This package includes the clients necessary to make encrypted 138the clients necessary to make encrypted connections to SSH servers.
121connections to SSH protocol servers. You'll also need to install the 139You'll also need to install the openssh package on OpenSSH clients.
122openssh package on OpenSSH clients.
123 140
124%description server 141%description server
125OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. 142OpenSSH is a free version of SSH (Secure SHell), a program for logging
126 143into and executing commands on a remote machine. This package contains
127This package contains the secure shell daemon (sshd). The sshd daemon 144the secure shell daemon (sshd). The sshd daemon allows SSH clients to
128allows SSH clients to securely connect to your SSH server. You also 145securely connect to your SSH server. You also need to have the openssh
129need to have the openssh package installed. 146package installed.
130 147
131%description askpass 148%description askpass
132OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. 149OpenSSH is a free version of SSH (Secure SHell), a program for logging
133 150into and executing commands on a remote machine. This package contains
134This package contains an X11 passphrase dialog for OpenSSH. 151an X11 passphrase dialog for OpenSSH.
135 152
136%description askpass-gnome 153%description askpass-gnome
137OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. 154OpenSSH is a free version of SSH (Secure SHell), a program for logging
138 155into and executing commands on a remote machine. This package contains
139This package contains an X11 passphrase dialog for OpenSSH and the 156an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
140GNOME GUI desktop environment. 157environment.
141 158
142%prep 159%prep
143 160
@@ -148,39 +165,37 @@ GNOME GUI desktop environment.
148%endif 165%endif
149 166
150%build 167%build
151 168%if %{rescue}
152%define _sysconfdir /etc/ssh 169CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
153
154EXTRA_OPTS=""
155
156%if %{scard}
157 EXTRA_OPTS="$EXTRA_OPTS --with-smartcard"
158%endif
159
160%if %{noip6}
161 EXTRA_OPTS="$EXTRA_OPTS --with-ipv4-default "
162%endif 170%endif
163 171
164%configure \ 172%configure \
173 --sysconfdir=%{_sysconfdir}/ssh \
165 --libexecdir=%{_libexecdir}/openssh \ 174 --libexecdir=%{_libexecdir}/openssh \
166 --datadir=%{_datadir}/openssh \ 175 --datadir=%{_datadir}/openssh \
167 --with-pam \
168 --with-tcp-wrappers \ 176 --with-tcp-wrappers \
169 --with-rsh=/usr/bin/rsh \ 177 --with-rsh=%{_bindir}/rsh \
170 --with-kerberos5=/usr/kerberos \ 178%if %{scard}
171 --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \ 179 --with-smartcard \
172 $EXTRA_OPTS 180%endif
181%if %{noip6}
182 --with-ipv4-default \
183%endif
184%if %{rescue}
185 --without-pam --with-md5-passwords
186%else
187 --with-pam --with-kerberos5=/usr/kerberos
188%endif
173 189
174%if %{static_libcrypto} 190%if %{static_libcrypto}
175perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile 191perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
176%endif 192%endif
177 193
178make 194make
179 195
180%if ! %{no_x11_askpass} 196%if ! %{no_x11_askpass}
181pushd x11-ssh-askpass-%{aversion} 197pushd x11-ssh-askpass-%{aversion}
182%configure \ 198%configure --libexecdir=%{_libexecdir}/openssh
183 --libexecdir=%{_libexecdir}/openssh
184xmkmf -a 199xmkmf -a
185make 200make
186popd 201popd
@@ -188,7 +203,7 @@ popd
188 203
189%if ! %{no_gnome_askpass} 204%if ! %{no_gnome_askpass}
190pushd contrib 205pushd contrib
191gcc -O -g `gnome-config --cflags gnome gnomeui` \ 206gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
192 gnome-ssh-askpass.c -o gnome-ssh-askpass \ 207 gnome-ssh-askpass.c -o gnome-ssh-askpass \
193 `gnome-config --libs gnome gnomeui` 208 `gnome-config --libs gnome gnomeui`
194popd 209popd
@@ -196,58 +211,98 @@ popd
196 211
197%install 212%install
198rm -rf $RPM_BUILD_ROOT 213rm -rf $RPM_BUILD_ROOT
199%{makeinstall} \ 214mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
200 libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ 215mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
201 datadir=$RPM_BUILD_ROOT%{_datadir}/openssh \ 216mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/run/empty-sshd
202 DESTDIR=/ # Hack to disable key generation
203 217
218make install DESTDIR=$RPM_BUILD_ROOT
204 219
205install -d $RPM_BUILD_ROOT/etc/pam.d/ 220install -d $RPM_BUILD_ROOT/etc/pam.d/
206install -d $RPM_BUILD_ROOT/etc/rc.d/init.d 221install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
207install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh 222install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
208%if %{redhat7} 223%if %{build6x}
209install -m644 contrib/redhat/sshd.pam-7.x $RPM_BUILD_ROOT/etc/pam.d/sshd 224install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
210%else 225%else
211install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd 226install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
212%endif 227%endif
213install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd 228install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
214 229
215%if ! %{no_x11_askpass} 230%if ! %{no_x11_askpass}
216install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass 231install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
217ln -s /usr/libexec/openssh/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass 232ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
218%endif 233%endif
219 234
220%if ! %{no_gnome_askpass} 235%if ! %{no_gnome_askpass}
221install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass 236install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
222%endif 237%endif
223 238
239install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
240install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
241install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
242
224perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* 243perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
225 244
226%clean 245%clean
227rm -rf $RPM_BUILD_ROOT 246rm -rf $RPM_BUILD_ROOT
228 247
248%triggerun server -- ssh-server
249if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
250 touch /var/run/sshd.restart
251fi
252
253%triggerun server -- openssh-server < 2.5.0p1
254# Count the number of HostKey and HostDsaKey statements we have.
255gawk 'BEGIN {IGNORECASE=1}
256 /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
257 END {exit sawhostkey}' /etc/ssh/sshd_config
258# And if we only found one, we know the client was relying on the old default
259# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
260# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
261# one nullifies the default, which would have loaded both.
262if [ $? -eq 1 ] ; then
263 echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
264 echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
265fi
266
267%triggerpostun server -- ssh-server
268if [ "$1" != 0 ] ; then
269 /sbin/chkconfig --add sshd
270 if test -f /var/run/sshd.restart ; then
271 rm -f /var/run/sshd.restart
272 /sbin/service sshd start > /dev/null 2>&1 || :
273 fi
274fi
275
276%pre server
277%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
278%{_sbindir}/useradd -d /var/run/empty-sshd -s /bin/false -u %{sshd_uid} \
279 -g sshd -M -r sshd 2>/dev/null || :
280
229%post server 281%post server
230/sbin/chkconfig --add sshd 282/sbin/chkconfig --add sshd
231if test -r /var/run/sshd.pid ; then 283
232 /etc/rc.d/init.d/sshd restart >&2 284%postun server
233fi 285/sbin/service sshd condrestart > /dev/null 2>&1 || :
234 286
235%preun server 287%preun server
236if [ "$1" = 0 ] ; then 288if [ "$1" = 0 ]
237 /etc/rc.d/init.d/sshd stop >&2 289then
290 /sbin/service sshd stop > /dev/null 2>&1 || :
238 /sbin/chkconfig --del sshd 291 /sbin/chkconfig --del sshd
239fi 292fi
240 293
241%files 294%files
242%defattr(-,root,root) 295%defattr(-,root,root)
243%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* 296%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
244%attr(0755,root,root) %{_bindir}/ssh-keygen
245%attr(0755,root,root) %{_bindir}/scp 297%attr(0755,root,root) %{_bindir}/scp
246%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
247%attr(0644,root,root) %{_mandir}/man1/scp.1* 298%attr(0644,root,root) %{_mandir}/man1/scp.1*
248%attr(0755,root,root) %dir %{_sysconfdir} 299%attr(0755,root,root) %dir %{_sysconfdir}/ssh
249%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/moduli 300%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
301%if ! %{rescue}
302%attr(0755,root,root) %{_bindir}/ssh-keygen
303%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
250%attr(0755,root,root) %dir %{_libexecdir}/openssh 304%attr(0755,root,root) %dir %{_libexecdir}/openssh
305%endif
251%if %{scard} 306%if %{scard}
252%attr(0755,root,root) %dir %{_datadir}/openssh 307%attr(0755,root,root) %dir %{_datadir}/openssh
253%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin 308%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
@@ -256,29 +311,34 @@ fi
256%files clients 311%files clients
257%defattr(-,root,root) 312%defattr(-,root,root)
258%attr(4755,root,root) %{_bindir}/ssh 313%attr(4755,root,root) %{_bindir}/ssh
314%attr(0644,root,root) %{_mandir}/man1/ssh.1*
315%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
316%attr(-,root,root) %{_bindir}/slogin
317%attr(-,root,root) %{_mandir}/man1/slogin.1*
318%if ! %{rescue}
259%attr(0755,root,root) %{_bindir}/ssh-agent 319%attr(0755,root,root) %{_bindir}/ssh-agent
260%attr(0755,root,root) %{_bindir}/ssh-add 320%attr(0755,root,root) %{_bindir}/ssh-add
261%attr(0755,root,root) %{_bindir}/ssh-keyscan 321%attr(0755,root,root) %{_bindir}/ssh-keyscan
262%attr(0755,root,root) %{_bindir}/sftp 322%attr(0755,root,root) %{_bindir}/sftp
263%attr(0644,root,root) %{_mandir}/man1/ssh.1*
264%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* 323%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
265%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* 324%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
266%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* 325%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
267%attr(0644,root,root) %{_mandir}/man1/sftp.1* 326%attr(0644,root,root) %{_mandir}/man1/sftp.1*
268%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh_config 327%endif
269%attr(-,root,root) %{_bindir}/slogin
270%attr(-,root,root) %{_mandir}/man1/slogin.1*
271 328
329%if ! %{rescue}
272%files server 330%files server
273%defattr(-,root,root) 331%defattr(-,root,root)
332%dir %attr(0111,root,root) %{_var}/run/empty-sshd
274%attr(0755,root,root) %{_sbindir}/sshd 333%attr(0755,root,root) %{_sbindir}/sshd
275%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server 334%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
276%attr(0644,root,root) %{_mandir}/man8/sshd.8* 335%attr(0644,root,root) %{_mandir}/man8/sshd.8*
277%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* 336%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
278#%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config 337%attr(0755,root,root) %dir %{_sysconfdir}/ssh
279%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config 338%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
280%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd 339%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
281%attr(0755,root,root) %config /etc/rc.d/init.d/sshd 340%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
341%endif
282 342
283%if ! %{no_x11_askpass} 343%if ! %{no_x11_askpass}
284%files askpass 344%files askpass
@@ -293,44 +353,389 @@ fi
293%if ! %{no_gnome_askpass} 353%if ! %{no_gnome_askpass}
294%files askpass-gnome 354%files askpass-gnome
295%defattr(-,root,root) 355%defattr(-,root,root)
356%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
296%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass 357%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
297%endif 358%endif
298 359
299%changelog 360%changelog
300* Mon Oct 18 2000 Damien Miller <djm@mindrot.org> 361* Fri May 10 2002 Damien Miller <djm@mindrot.org>
301- Merge some of Nalin Dahyabhai <nalin@redhat.com> changes from the 362- Merge in spec changes from RedHat, reorgansie a little
302 Redhat 7.0 spec file 363- Add Privsep user, group and directory
303* Tue Sep 05 2000 Damien Miller <djm@mindrot.org> 364
304- Use RPM configure macro 365* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
305* Tue Aug 08 2000 Damien Miller <djm@mindrot.org> 366- bump and grind (through the build system)
306- Some surgery to sshd.init (generate keys at runtime) 367
307- Cleanup of groups and removal of keygen calls 368* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
308* Wed Jul 12 2000 Damien Miller <djm@mindrot.org> 369- require sharutils for building (mindrot #137)
309- Make building of X11-askpass and gnome-askpass optional 370- require db1-devel only when building for 6.x (#55105), which probably won't
310* Mon Jun 12 2000 Damien Miller <djm@mindrot.org> 371 work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
311- Glob manpages to catch compressed files 372- require pam-devel by file (not by package name) again
373- add Markus's patch to compile with OpenSSL 0.9.5a (from
374 http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
375 building for 6.x
376
377* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
378- update to 3.1p1
379
380* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
381- update to SNAP-20020305
382- drop debug patch, fixed upstream
383
384* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
385- update to SNAP-20020220 for testing purposes (you've been warned, if there's
386 anything to be warned about, gss patches won't apply, I don't mind)
387
388* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
389- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
390 exchange, authentication, and named key support
391
392* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
393- remove dependency on db1-devel, which has just been swallowed up whole
394 by gnome-libs-devel
395
396* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
397- adjust build dependencies so that build6x actually works right (fix
398 from Hugo van der Kooij)
399
400* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
401- update to 3.0.2p1
402
403* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
404- update to 3.0.1p1
405
406* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
407- update to current CVS (not for use in distribution)
408
409* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
410- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
411 3.0p1 spec file and init script
412
413* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
414- update to 3.0p1
415- update to x11-ssh-askpass 1.2.4.1
416- change build dependency on a file from pam-devel to the pam-devel package
417- replace primes with moduli
418
419* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
420- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
421
422* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
423- Merge changes to rescue build from current sysadmin survival cd
424
425* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
426- fix scp's server's reporting of file sizes, and build with the proper
427 preprocessor define to get large-file capable open(), stat(), etc.
428 (sftp has been doing this correctly all along) (#51827)
429- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
430- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
431- mark profile.d scriptlets as config files (#42337)
432- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
433- change a couple of log() statements to debug() statements (#50751)
434- pull cvs patch to add -t flag to sshd (#28611)
435- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
436
437* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
438- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
439
440* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
441- pull cvs patch to fix remote port forwarding with protocol 2
442
443* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
444- pull cvs patch to add session initialization to no-pty sessions
445- pull cvs patch to not cut off challengeresponse auth needlessly
446- refuse to do X11 forwarding if xauth isn't there, handy if you enable
447 it by default on a system that doesn't have X installed (#49263)
448
449* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
450- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
451
452* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
453- pass OPTIONS correctly to initlog (#50151)
454
455* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
456- switch to x11-ssh-askpass 1.2.2
457
458* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
459- rebuild in new environment
460
461* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
462- disable the gssapi patch
463
464* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
465- update to 2.9p2
466- refresh to a new version of the gssapi patch
467
468* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
469- change Copyright: BSD to License: BSD
470- add Markus Friedl's unverified patch for the cookie file deletion problem
471 so that we can verify it
472- drop patch to check if xauth is present (was folded into cookie patch)
473- don't apply gssapi patches for the errata candidate
474- clear supplemental groups list at startup
475
476* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
477- fix an error parsing the new default sshd_config
478- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
479 dealing with comments right
480
481* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
482- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
483 to be removed before the next beta cycle because it's a big departure
484 from the upstream version
485
486* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
487- finish marking strings in the init script for translation
488- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
489 at startup (change merged from openssh.com init script, originally by
490 Pekka Savola)
491- refuse to do X11 forwarding if xauth isn't there, handy if you enable
492 it by default on a system that doesn't have X installed
493
494* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
495- update to 2.9
496- drop various patches that came from or went upstream or to or from CVS
497
498* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
499- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
500
501* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
502- remove explicit openssl requirement, fixes builddistro issue
503- make initscript stop() function wait until sshd really dead to avoid
504 races in condrestart
505
506* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
507- mention that challengereponse supports PAM, so disabling password doesn't
508 limit users to pubkey and rsa auth (#34378)
509- bypass the daemon() function in the init script and call initlog directly,
510 because daemon() won't start a daemon it detects is already running (like
511 open connections)
512- require the version of openssl we had when we were built
513
514* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
515- make do_pam_setcred() smart enough to know when to establish creds and
516 when to reinitialize them
517- add in a couple of other fixes from Damien for inclusion in the errata
518
519* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
520- update to 2.5.2p2
521- call setcred() again after initgroups, because the "creds" could actually
522 be group memberships
523
524* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
525- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
526- don't enable challenge-response by default until we find a way to not
527 have too many userauth requests (we may make up to six pubkey and up to
528 three password attempts as it is)
529- remove build dependency on rsh to match openssh.com's packages more closely
530
531* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
532- remove dependency on openssl -- would need to be too precise
533
534* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
535- rebuild in new environment
536
537* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
538- Revert the patch to move pam_open_session.
539- Init script and spec file changes from Pekka Savola. (#28750)
540- Patch sftp to recognize '-o protocol' arguments. (#29540)
541
542* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
543- Chuck the closing patch.
544- Add a trigger to add host keys for protocol 2 to the config file, now that
545 configuration file syntax requires us to specify it with HostKey if we
546 specify any other HostKey values, which we do.
547
548* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
549- Redo patch to move pam_open_session after the server setuid()s to the user.
550- Rework the nopam patch to use be picked up by autoconf.
551
552* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
553- Update for 2.5.1p1.
554- Add init script mods from Pekka Savola.
555- Tweak the init script to match the CVS contrib script more closely.
556- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
557 adding id_rsa.
558
559* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
560- Update for 2.5.0p1.
561- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
562- Resync with parts of Damien Miller's openssh.spec from CVS, including
563 update of x11 askpass to 1.2.0.
564- Only require openssl (don't prereq) because we generate keys in the init
565 script now.
566
567* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
568- Don't open a PAM session until we've forked and become the user (#25690).
569- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
570 host the user is attempting a login from.
571- Resync with parts of Damien Miller's openssh.spec from CVS.
572- Don't expose KbdInt responses in debug messages (from CVS).
573- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
574
575* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
576- i18n-tweak to initscript.
577
578* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
579- More gettextizing.
580- Close all files after going into daemon mode (needs more testing).
581- Extract patch from CVS to handle auth banners (in the client).
582- Extract patch from CVS to handle compat weirdness.
583
584* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
585- Finish with the gettextizing.
586
587* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
588- Fix a bug in auth2-pam.c (#23877)
589- Gettextize the init script.
590
591* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
592- Incorporate a switch for using PAM configs for 6.x, just in case.
593
594* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
595- Incorporate Bero's changes for a build specifically for rescue CDs.
596
597* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
598- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
599 succeeded, to allow public-key authentication after a failure with "none"
600 authentication. (#21268)
601
602* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
603- Update to x11-askpass 1.1.1. (#21301)
604- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
605
606* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
607- Merge multiple PAM text messages into subsequent prompts when possible when
608 doing keyboard-interactive authentication.
609
610* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
611- Disable the built-in MD5 password support. We're using PAM.
612- Take a crack at doing keyboard-interactive authentication with PAM, and
613 enable use of it in the default client configuration so that the client
614 will try it when the server disallows password authentication.
615- Build with debugging flags. Build root policies strip all binaries anyway.
616
617* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
618- Use DESTDIR instead of %%makeinstall.
619- Remove /usr/X11R6/bin from the path-fixing patch.
620
621* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
622- Add the primes file from the latest snapshot to the main package (#20884).
623- Add the dev package to the prereq list (#19984).
624- Remove the default path and mimic login's behavior in the server itself.
625
626* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
627- Resync with conditional options in Damien Miller's .spec file for an errata.
628- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
629
630* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
631- Update to OpenSSH 2.3.0p1.
632- Update to x11-askpass 1.1.0.
633- Enable keyboard-interactive authentication.
634
635* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
636- Update to ssh-askpass-x11 1.0.3.
637- Change authentication related messages to be private (#19966).
638
639* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
640- Patch ssh-keygen to be able to list signatures for DSA public key files
641 it generates.
642
643* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
644- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
645 build PAM authentication in.
646- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
647- Clean out no-longer-used patches.
648- Patch ssh-add to try to add both identity and id_dsa, and to error only
649 when neither exists.
650
651* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
652- Update x11-askpass to 1.0.2. (#17835)
653- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
654 always find them in the right place. (#17909)
655- Set the default path to be the same as the one supplied by /bin/login, but
656 add /usr/X11R6/bin. (#17909)
657- Try to handle obsoletion of ssh-server more cleanly. Package names
658 are different, but init script name isn't. (#17865)
659
660* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
661- Update to 2.2.0p1. (#17835)
662- Tweak the init script to allow proper restarting. (#18023)
663
664* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
665- Update to 20000823 snapshot.
666- Change subpackage requirements from %%{version} to %%{version}-%%{release}
667- Back out the pipe patch.
668
669* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
670- Update to 2.1.1p4, which includes fixes for config file parsing problems.
671- Move the init script back.
672- Add Damien's quick fix for wackiness.
673
674* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
675- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
676
677* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
678- Move condrestart to server postun.
679- Move key generation to init script.
680- Actually use the right patch for moving the key generation to the init script.
681- Clean up the init script a bit.
682
683* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
684- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
685
686* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
687- Update to 2.1.1p2.
688- Use of strtok() considered harmful.
689
690* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
691- Get the build root out of the man pages.
692
693* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
694- Add and use condrestart support in the init script.
695- Add newer initscripts as a prereq.
696
697* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
698- Build in new environment (release 2)
699- Move -clients subpackage to Applications/Internet group
700
701* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
702- Update to 2.2.1p1
703
704* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
705- Patch to build with neither RSA nor RSAref.
706- Miscellaneous FHS-compliance tweaks.
707- Fix for possibly-compressed man pages.
708
312* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> 709* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
313- Updated for new location 710- Updated for new location
314- Updated for new gnome-ssh-askpass build 711- Updated for new gnome-ssh-askpass build
712
315* Sun Dec 26 1999 Damien Miller <djm@mindrot.org> 713* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
316- Added Jim Knoble's <jmknoble@pobox.com> askpass 714- Added Jim Knoble's <jmknoble@pobox.com> askpass
715
317* Mon Nov 15 1999 Damien Miller <djm@mindrot.org> 716* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
318- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com> 717- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
718
319* Sat Nov 13 1999 Damien Miller <djm@mindrot.org> 719* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
320- Added 'Obsoletes' directives 720- Added 'Obsoletes' directives
721
321* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au> 722* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
322- Use make install 723- Use make install
323- Subpackages 724- Subpackages
725
324* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au> 726* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
325- Added links for slogin 727- Added links for slogin
326- Fixed perms on manpages 728- Fixed perms on manpages
729
327* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au> 730* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
328- Renamed init script 731- Renamed init script
732
329* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au> 733* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
330- Back to old binary names 734- Back to old binary names
735
331* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au> 736* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
332- Use autoconf 737- Use autoconf
333- New binary names 738- New binary names
739
334* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au> 740* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
335- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec. 741- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
336
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 86b040cda..4ee8630c3 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -1,5 +1,5 @@
1#!/bin/bash 1#!/bin/bash
2 2#
3# Init file for OpenSSH server daemon 3# Init file for OpenSSH server daemon
4# 4#
5# chkconfig: 2345 55 25 5# chkconfig: 2345 55 25
@@ -15,149 +15,140 @@
15# source function library 15# source function library
16. /etc/rc.d/init.d/functions 16. /etc/rc.d/init.d/functions
17 17
18# pull in sysconfig settings
18[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd 19[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
19 20
20RETVAL=0 21RETVAL=0
22prog="sshd"
21 23
22# Some functions to make the below more readable 24# Some functions to make the below more readable
23KEYGEN=/usr/bin/ssh-keygen 25KEYGEN=/usr/bin/ssh-keygen
26SSHD=/usr/sbin/sshd
24RSA1_KEY=/etc/ssh/ssh_host_key 27RSA1_KEY=/etc/ssh/ssh_host_key
25RSA_KEY=/etc/ssh/ssh_host_rsa_key 28RSA_KEY=/etc/ssh/ssh_host_rsa_key
26DSA_KEY=/etc/ssh/ssh_host_dsa_key 29DSA_KEY=/etc/ssh/ssh_host_dsa_key
27PID_FILE=/var/run/sshd.pid 30PID_FILE=/var/run/sshd.pid
28my_success() { 31
29 local msg
30 if [ $# -gt 1 ]; then
31 msg="$2"
32 else
33 msg="done"
34 fi
35 case "`type -type success`" in
36 function)
37 success "$1"
38 ;;
39 *)
40 echo -n "${msg}"
41 ;;
42 esac
43}
44my_failure() {
45 local msg
46 if [ $# -gt 1 ]; then
47 msg="$2"
48 else
49 msg="FAILED"
50 fi
51 case "`type -type failure`" in
52 function)
53 failure "$1"
54 ;;
55 *)
56 echo -n "${msg}"
57 ;;
58 esac
59}
60do_rsa1_keygen() { 32do_rsa1_keygen() {
61 if ! test -f $RSA1_KEY ; then 33 if [ ! -s $RSA1_KEY ]; then
62 echo -n "Generating SSH1 RSA host key: " 34 echo -n $"Generating SSH1 RSA host key: "
63 if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then 35 if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
64 my_success "RSA1 key generation" 36 chmod 600 $RSA1_KEY
37 chmod 644 $RSA1_KEY.pub
38 success $"RSA1 key generation"
65 echo 39 echo
66 else 40 else
67 my_failure "RSA1 key generation" 41 failure $"RSA1 key generation"
68 echo 42 echo
69 exit 1 43 exit 1
70 fi 44 fi
71 fi 45 fi
72} 46}
47
73do_rsa_keygen() { 48do_rsa_keygen() {
74 if ! test -f $RSA_KEY ; then 49 if [ ! -s $RSA_KEY ]; then
75 echo -n "Generating SSH2 RSA host key: " 50 echo -n $"Generating SSH2 RSA host key: "
76 if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then 51 if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
77 my_success "RSA key generation" 52 chmod 600 $RSA_KEY
53 chmod 644 $RSA_KEY.pub
54 success $"RSA key generation"
78 echo 55 echo
79 else 56 else
80 my_failure "RSA key generation" 57 failure $"RSA key generation"
81 echo 58 echo
82 exit 1 59 exit 1
83 fi 60 fi
84 fi 61 fi
85} 62}
63
86do_dsa_keygen() { 64do_dsa_keygen() {
87 if ! test -f $DSA_KEY ; then 65 if [ ! -s $DSA_KEY ]; then
88 echo -n "Generating SSH2 DSA host key: " 66 echo -n $"Generating SSH2 DSA host key: "
89 if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then 67 if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
90 my_success "DSA key generation" 68 chmod 600 $DSA_KEY
69 chmod 644 $DSA_KEY.pub
70 success $"DSA key generation"
91 echo 71 echo
92 else 72 else
93 my_failure "DSA key generation" 73 failure $"DSA key generation"
94 echo 74 echo
95 exit 1 75 exit 1
96 fi 76 fi
97 fi 77 fi
98} 78}
99do_restart_sanity_check() { 79
100 sshd -t 80do_restart_sanity_check()
81{
82 $SSHD -t
101 RETVAL=$? 83 RETVAL=$?
102 if [ ! "$RETVAL" = 0 ]; then 84 if [ ! "$RETVAL" = 0 ]; then
103 my_failure "Configuration file or keys" 85 failure $"Configuration file or keys are invalid"
104 echo 86 echo
105 exit $RETVAL
106 fi 87 fi
107} 88}
108 89
90start()
91{
92 # Create keys if necessary
93 do_rsa1_keygen
94 do_rsa_keygen
95 do_dsa_keygen
96
97 echo -n $"Starting $prog:"
98 initlog -c "$SSHD $OPTIONS" && success || failure
99 RETVAL=$?
100 [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
101 echo
102}
103
104stop()
105{
106 echo -n $"Stopping $prog:"
107 killproc $SSHD -TERM
108 RETVAL=$?
109 [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
110 echo
111}
112
113reload()
114{
115 echo -n $"Reloading $prog:"
116 killproc $SSHD -HUP
117 RETVAL=$?
118 echo
119}
109 120
110case "$1" in 121case "$1" in
111 start) 122 start)
112 # Create keys if necessary 123 start
113 do_rsa1_keygen;
114 do_rsa_keygen;
115 do_dsa_keygen;
116
117 echo -n "Starting sshd: "
118 if [ ! -f $PID_FILE ] ; then
119 sshd $OPTIONS
120 RETVAL=$?
121 if [ "$RETVAL" = "0" ] ; then
122 my_success "sshd startup" "sshd"
123 touch /var/lock/subsys/sshd
124 else
125 my_failure "sshd startup" ""
126 fi
127 fi
128 echo
129 ;; 124 ;;
130 stop) 125 stop)
131 echo -n "Shutting down sshd: " 126 stop
132 if [ -f $PID_FILE ] ; then
133 killproc sshd
134 RETVAL=$?
135 [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
136 fi
137 echo
138 ;; 127 ;;
139 restart) 128 restart)
140 do_restart_sanity_check 129 stop
141 $0 stop 130 start
142 $0 start 131 ;;
143 RETVAL=$? 132 reload)
133 reload
144 ;; 134 ;;
145 condrestart) 135 condrestart)
146 if [ -f /var/lock/subsys/sshd ] ; then 136 if [ -f /var/lock/subsys/sshd ] ; then
147 do_restart_sanity_check 137 do_restart_sanity_check
148 $0 stop 138 if [ "$RETVAL" = 0 ] ; then
149 $0 start 139 stop
150 RETVAL=$? 140 # avoid race
141 sleep 3
142 start
143 fi
151 fi 144 fi
152 ;; 145 ;;
153 status) 146 status)
154 status sshd 147 status $SSHD
155 RETVAL=$? 148 RETVAL=$?
156 ;; 149 ;;
157 *) 150 *)
158 echo "Usage: sshd {start|stop|restart|status|condrestart}" 151 echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
159 exit 1 152 RETVAL=1
160 ;;
161esac 153esac
162
163exit $RETVAL 154exit $RETVAL
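Review bot: The rewritten `restart)` branch runs `stop` and then `start` without calling `do_restart_sanity_check`, although `condrestart)` just below gates the same sequence on `$SSHD -t` succeeding. On a host that is administered over SSH, a restart with an invalid sshd_config or unusable host keys would stop the running daemon and then fail to start a new one, leaving no listener for new logins. I would give `restart)` the same guard before `stop`: `do_restart_sanity_check` followed by `[ "$RETVAL" = 0 ] || exit $RETVAL`. The sanity-check function no longer exits on failure in this version, so every caller has to test RETVAL itself.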
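--- /dev/null
+++ b/contrib/redhat/sshd.init.old
@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+my_success() {
+ local msg
+ if [ $# -gt 1 ]; then
+ msg="$2"
+ else
+ msg="done"
+ fi
+ case "`type -type success`" in
+ function)
+ success "$1"
+ ;;
+ *)
+ echo -n "${msg}"
+ ;;
+ esac
+}
+my_failure() {
+ local msg
+ if [ $# -gt 1 ]; then
+ msg="$2"
+ else
+ msg="FAILED"
+ fi
+ case "`type -type failure`" in
+ function)
+ failure "$1"
+ ;;
+ *)
+ echo -n "${msg}"
+ ;;
+ esac
+}
+do_rsa1_keygen() {
+ if [ ! -s $RSA1_KEY ]; then
+ echo -n "Generating SSH1 RSA host key: "
+ if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA1_KEY
+ chmod 644 $RSA1_KEY.pub
+ my_success "RSA1 key generation"
+ echo
+ else
+ my_failure "RSA1 key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+do_rsa_keygen() {
+ if [ ! -s $RSA_KEY ]; then
+ echo -n "Generating SSH2 RSA host key: "
+ if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA_KEY
+ chmod 644 $RSA_KEY.pub
+ my_success "RSA key generation"
+ echo
+ else
+ my_failure "RSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+do_dsa_keygen() {
+ if [ ! -s $DSA_KEY ]; then
+ echo -n "Generating SSH2 DSA host key: "
+ if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $DSA_KEY
+ chmod 644 $DSA_KEY.pub
+ my_success "DSA key generation"
+ echo
+ else
+ my_failure "DSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+do_restart_sanity_check() {
+ $SSHD -t
+ RETVAL=$?
+ if [ ! "$RETVAL" = 0 ]; then
+ my_failure "Configuration file or keys"
+ echo
+ fi
+}
+
+
+case "$1" in
+ start)
+ # Create keys if necessary
+ do_rsa1_keygen;
+ do_rsa_keygen;
+ do_dsa_keygen;
+
+ echo -n "Starting sshd: "
+ if [ ! -f $PID_FILE ] ; then
+ sshd $OPTIONS
+ RETVAL=$?
+ if [ "$RETVAL" = "0" ] ; then
+ my_success "sshd startup" "sshd"
+ touch /var/lock/subsys/sshd
+ else
+ my_failure "sshd startup" ""
+ fi
+ fi
+ echo
+ ;;
+ stop)
+ echo -n "Shutting down sshd: "
+ if [ -f $PID_FILE ] ; then
+ killproc sshd
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
+ fi
+ echo
+ ;;
+ restart)
+ do_restart_sanity_check
+ $0 stop
+ $0 start
+ RETVAL=$?
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/sshd ] ; then
+ do_restart_sanity_check
+ $0 stop
+ $0 start
+ RETVAL=$?
+ fi
+ ;;
+ status)
+ status sshd
+ RETVAL=$?
+ ;;
+ *)
+ echo "Usage: sshd {start|stop|restart|status|condrestart}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL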
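Review bot: In this retained copy, `do_restart_sanity_check` stores the result of `$SSHD -t` in RETVAL but does not exit, and both `restart)` and `condrestart)` go on to `$0 stop` and `$0 start` without testing it. The check therefore reports a bad configuration and the daemon is stopped anyway. Either restore the early exit inside the function or add `[ "$RETVAL" = 0 ] || exit $RETVAL` after each call. The `start)` branch also still runs bare `sshd $OPTIONS` although `SSHD=/usr/sbin/sshd` is defined above; `$SSHD $OPTIONS` would avoid depending on PATH.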
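--- a/contrib/redhat/sshd.pam
+++ b/contrib/redhat/sshd.pam
@@ -1,8 +1,8 @@
 #%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_stack.so service=system-auth
 auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_pwdb.so
+account required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_pwdb.so
 session required /lib/security/pam_limits.so
+session optional /lib/security/pam_console.so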
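Review bot: The file has no comment saying that it now depends on `pam_stack.so` and on a `system-auth` service definition, a dependency that was previously confined to `sshd.pam-7.x`. All four `pam_stack.so` lines are `required`, so on a system lacking either piece the sshd PAM stack would presumably reject every login; the commit keeps the self-contained variant as `sshd.pam.old` for that case. I would add a header comment after `#%PAM-1.0`, for example `# Needs pam_stack.so and /etc/pam.d/system-auth; use sshd.pam.old where these are absent.` Which variant the spec file installs per release is decided outside this section and is worth confirming there.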
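--- a/contrib/redhat/sshd.pam-7.x
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_limits.so
-session optional /lib/security/pam_console.so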
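--- /dev/null
+++ b/contrib/redhat/sshd.pam.old
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so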