1 files changed, 226 insertions, 0 deletions
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..ce56fdea4
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,226 @@
+#!/usr/bin/make -f
+# Uncomment this to turn on verbose mode.
+# export DH_VERBOSE=1
+include /usr/share/hardening-includes/hardening.make
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+OPTFLAGS := -O2
+else
+OPTFLAGS := -O0
+endif
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+  RUN_TESTS := yes
+else
+  RUN_TESTS :=
+endif
+DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+  CC := gcc
+else
+  CC := $(DEB_HOST_GNU_TYPE)-gcc
+  RUN_TESTS :=
+endif
+DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
+DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)
+# Take account of old dpkg-architecture output.
+ifeq ($(DEB_HOST_ARCH_OS),)
+  DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM))
+  ifeq ($(DEB_HOST_ARCH_OS),gnu)
+    DEB_HOST_ARCH_OS := hurd
+  endif
+endif
+ifeq ($(DEB_HOST_ARCH_CPU),)
+  DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)
+  ifeq ($(DEB_HOST_ARCH_CPU),x86_64)
+    DEB_HOST_ARCH_CPU := amd64
+  endif
+endif
+ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:))
+  ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:))
+    # Apparently this is not implied by -fPIE, at least on the mipsen.
+    PIC_CFLAGS := -fPIC
+    PIC_LDFLAGS := -fPIC
+  endif
+endif
+# Change the version string to include the Debian version
+SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
+DISTRIBUTOR := $(shell dpkg-vendor --derives-from Ubuntu 2>/dev/null && echo Ubuntu)
+ifeq ($(DISTRIBUTOR),Ubuntu)
+DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
+else
+DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
+endif
+SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
+ifeq ($(DISTRIBUTOR),Ubuntu)
+server_recommends := ssh-import-id
+else
+server_recommends :=
+endif
+# Common path configuration.
+confflags += --sysconfdir=/etc/ssh
+# Common build options.
+confflags += --disable-strip
+confflags += --with-mantype=doc
+confflags += --with-4in6
+confflags += --with-privsep-path=/var/run/sshd
+# The Hurd needs libcrypt for res_query et al.
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+confflags += --with-libs=-lcrypt
+endif
+# Everything above here is common to the deb and udeb builds.
+confflags_udeb := $(confflags)
+# Options specific to the deb build.
+confflags += --with-tcp-wrappers
+confflags += --with-pam
+confflags += --with-libedit
+confflags += --with-kerberos5=/usr
+confflags += --with-ssl-engine
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+confflags += --with-selinux
+endif
+# The deb build wants xauth; the udeb build doesn't.
+confflags += --with-xauth=/usr/bin/xauth
+confflags_udeb += --without-xauth
+# Default paths. The udeb build has /usr/bin/X11 and /usr/games removed.
+confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
+confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Compiler flags.
+cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS)
+cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
+cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
+cflags_udeb := -Os
+cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
+confflags += --with-cflags='$(cflags)'
+confflags_udeb += --with-cflags='$(cflags_udeb)'
+# Linker flags.
+confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))'
+confflags_udeb += --with-ldflags='-Wl,--as-needed'
+%:
+        dh $@
+override_dh_auto_configure:
+        dh_auto_configure -Bbuild-deb -- $(confflags)
+        dh_auto_configure -Bbuild-udeb -- $(confflags_udeb)
+override_dh_auto_build:
+        # Debian's /var/log/btmp has inappropriate permissions.
+        perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h
+        perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h
+        # Avoid libnsl linkage. Ugh.
+        perl -pi -e 's/ +-lnsl//' build-udeb/config.status
+        cd build-udeb && ./config.status
+        $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
+        $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen
+        $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed'
+override_dh_auto_test:
+ifeq ($(RUN_TESTS),yes)
+        $(MAKE) -C debian/tests
+endif
+override_dh_auto_clean:
+        rm -rf build-deb build-udeb
+ifeq ($(RUN_TESTS),yes)
+        $(MAKE) -C debian/tests clean
+endif
+        $(MAKE) -C contrib clean
+        (cat debian/copyright.head; iconv -f ISO-8859-1 -t UTF-8 LICENCE) \
+                > debian/copyright
+override_dh_auto_install:
+        $(MAKE) -C build-deb DESTDIR=`pwd`/debian/tmp install-nokeys
+override_dh_install:
+        rm -f debian/tmp/etc/ssh/sshd_config
+        dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing
+        dh_install -popenssh-client-udeb -popenssh-server-udeb \
+                --sourcedir=build-udeb
+        install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass
+        install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server
+        install -o root -g root -m 644 debian/openssh-server.ufw.profile debian/openssh-server/etc/ufw/applications.d/openssh-server
+        # Remove version control tags to avoid unnecessary conffile
+        # resolution steps for administrators.
+        sed -i '/\$$OpenBSD:/d' \
+                debian/openssh-client/etc/ssh/moduli \
+                debian/openssh-client/etc/ssh/ssh_config
+override_dh_installdocs:
+        dh_installdocs -Nopenssh-server -Nssh
+        dh_installdocs -popenssh-server -pssh --link-doc=openssh-client
+        # Avoid breaking dh_installexamples later.
+        mkdir -p debian/openssh-server/usr/share/doc/openssh-client
+override_dh_installinit:
+        dh_installinit -n --name ssh
+override_dh_installpam:
+        dh_installpam --name sshd
+override_dh_fixperms:
+        dh_fixperms
+        chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
+override_dh_installdeb:
+        dh_installdeb
+        perl -i debian/substitute-conffile.pl \
+                ETC_SSH_MODULI debian/openssh-client/etc/ssh/moduli \
+                ETC_SSH_SSH_CONFIG debian/openssh-client/etc/ssh/ssh_config \
+                debian/openssh-client/DEBIAN/preinst
+        # Yes, ETC_PAM_D_SSH is meant to be spelled that way, to match the
+        # old configuration file name we need to transfer.
+        perl -i debian/substitute-conffile.pl \
+                ETC_DEFAULT_SSH debian/openssh-server/etc/default/ssh \
+                ETC_INIT_D_SSH debian/openssh-server/etc/init.d/ssh \
+                ETC_PAM_D_SSH debian/openssh-server/etc/pam.d/sshd \
+                debian/openssh-server/DEBIAN/preinst
+override_dh_gencontrol:
+        dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)'
+debian/faq.html:
+        wget -O - http://www.openssh.org/faq.html | \
+                sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \
+                > debian/faq.html
+# You only need to run this immediately after checking out the package from
+# revision control.
+quilt-setup:
+        [ ! -d .pc ]
+        set -e; for patch in $$(quilt series | tac); do \
+                patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \
+        done
+        quilt push -a
+.PHONY: quilt-setup

diff --git a/debian/rules b/debian/rules new file mode 100755 index 000000000..ce56fdea4 --- /dev/null +++ b/debian/rules
@@ -0,0 +1,226 @@
	1	#!/usr/bin/make -f
	2
	3	# Uncomment this to turn on verbose mode.
	4	# export DH_VERBOSE=1
	5
	6	include /usr/share/hardening-includes/hardening.make
	7
	8	# This has to be exported to make some magic below work.
	9	export DH_OPTIONS
	10
	11	ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
	12	OPTFLAGS := -O2
	13	else
	14	OPTFLAGS := -O0
	15	endif
	16
	17	ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	18	RUN_TESTS := yes
	19	else
	20	RUN_TESTS :=
	21	endif
	22
	23	DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
	24	DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
	25
	26	ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
	27	CC := gcc
	28	else
	29	CC := $(DEB_HOST_GNU_TYPE)-gcc
	30	RUN_TESTS :=
	31	endif
	32
	33	DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
	34	DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)
	35
	36	# Take account of old dpkg-architecture output.
	37	ifeq ($(DEB_HOST_ARCH_OS),)
	38	DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM))
	39	ifeq ($(DEB_HOST_ARCH_OS),gnu)
	40	DEB_HOST_ARCH_OS := hurd
	41	endif
	42	endif
	43	ifeq ($(DEB_HOST_ARCH_CPU),)
	44	DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)
	45	ifeq ($(DEB_HOST_ARCH_CPU),x86_64)
	46	DEB_HOST_ARCH_CPU := amd64
	47	endif
	48	endif
	49
	50	ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:))
	51	ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:))
	52	# Apparently this is not implied by -fPIE, at least on the mipsen.
	53	PIC_CFLAGS := -fPIC
	54	PIC_LDFLAGS := -fPIC
	55	endif
	56	endif
	57
	58	# Change the version string to include the Debian version
	59	SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog \| sed -n -e '/^Version:/s/Version: //p' \| sed -e 's/[^-]*-//')
	60
	61	DISTRIBUTOR := $(shell dpkg-vendor --derives-from Ubuntu 2>/dev/null && echo Ubuntu)
	62	ifeq ($(DISTRIBUTOR),Ubuntu)
	63	DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
	64	else
	65	DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
	66	endif
	67	SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
	68
	69	ifeq ($(DISTRIBUTOR),Ubuntu)
	70	server_recommends := ssh-import-id
	71	else
	72	server_recommends :=
	73	endif
	74
	75	# Common path configuration.
	76	confflags += --sysconfdir=/etc/ssh
	77
	78	# Common build options.
	79	confflags += --disable-strip
	80	confflags += --with-mantype=doc
	81	confflags += --with-4in6
	82	confflags += --with-privsep-path=/var/run/sshd
	83
	84	# The Hurd needs libcrypt for res_query et al.
	85	ifeq ($(DEB_HOST_ARCH_OS),hurd)
	86	confflags += --with-libs=-lcrypt
	87	endif
	88
	89	# Everything above here is common to the deb and udeb builds.
	90	confflags_udeb := $(confflags)
	91
	92	# Options specific to the deb build.
	93	confflags += --with-tcp-wrappers
	94	confflags += --with-pam
	95	confflags += --with-libedit
	96	confflags += --with-kerberos5=/usr
	97	confflags += --with-ssl-engine
	98	ifeq ($(DEB_HOST_ARCH_OS),linux)
	99	confflags += --with-selinux
	100	endif
	101
	102	# The deb build wants xauth; the udeb build doesn't.
	103	confflags += --with-xauth=/usr/bin/xauth
	104	confflags_udeb += --without-xauth
	105
	106	# Default paths. The udeb build has /usr/bin/X11 and /usr/games removed.
	107	confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
	108	confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	109
	110	# Compiler flags.
	111	cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS)
	112	cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
	113	cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
	114	cflags_udeb := -Os
	115	cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
	116	confflags += --with-cflags='$(cflags)'
	117	confflags_udeb += --with-cflags='$(cflags_udeb)'
	118
	119	# Linker flags.
	120	confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))'
	121	confflags_udeb += --with-ldflags='-Wl,--as-needed'
	122
	123	%:
	124	dh $@
	125
	126	override_dh_auto_configure:
	127	dh_auto_configure -Bbuild-deb -- $(confflags)
	128	dh_auto_configure -Bbuild-udeb -- $(confflags_udeb)
	129
	130	override_dh_auto_build:
	131	# Debian's /var/log/btmp has inappropriate permissions.
	132	perl -pi -e 's,.#define USE_BTMP .,/* #undef USE_BTMP */,' build-deb/config.h
	133	perl -pi -e 's,.#define USE_BTMP .,/* #undef USE_BTMP */,' build-udeb/config.h
	134
	135	# Avoid libnsl linkage. Ugh.
	136	perl -pi -e 's/ +-lnsl//' build-udeb/config.status
	137	cd build-udeb && ./config.status
	138
	139	$(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
	140	$(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen
	141
	142	$(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed'
	143
	144	override_dh_auto_test:
	145	ifeq ($(RUN_TESTS),yes)
	146	$(MAKE) -C debian/tests
	147	endif
	148
	149	override_dh_auto_clean:
	150	rm -rf build-deb build-udeb
	151	ifeq ($(RUN_TESTS),yes)
	152	$(MAKE) -C debian/tests clean
	153	endif
	154	$(MAKE) -C contrib clean
	155	(cat debian/copyright.head; iconv -f ISO-8859-1 -t UTF-8 LICENCE) \
	156	> debian/copyright
	157
	158	override_dh_auto_install:
	159	$(MAKE) -C build-deb DESTDIR=`pwd`/debian/tmp install-nokeys
	160
	161	override_dh_install:
	162	rm -f debian/tmp/etc/ssh/sshd_config
	163
	164	dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing
	165	dh_install -popenssh-client-udeb -popenssh-server-udeb \
	166	--sourcedir=build-udeb
	167
	168	install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass
	169
	170	install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server
	171	install -o root -g root -m 644 debian/openssh-server.ufw.profile debian/openssh-server/etc/ufw/applications.d/openssh-server
	172
	173	# Remove version control tags to avoid unnecessary conffile
	174	# resolution steps for administrators.
	175	sed -i '/\$$OpenBSD:/d' \
	176	debian/openssh-client/etc/ssh/moduli \
	177	debian/openssh-client/etc/ssh/ssh_config
	178
	179	override_dh_installdocs:
	180	dh_installdocs -Nopenssh-server -Nssh
	181	dh_installdocs -popenssh-server -pssh --link-doc=openssh-client
	182	# Avoid breaking dh_installexamples later.
	183	mkdir -p debian/openssh-server/usr/share/doc/openssh-client
	184
	185	override_dh_installinit:
	186	dh_installinit -n --name ssh
	187
	188	override_dh_installpam:
	189	dh_installpam --name sshd
	190
	191	override_dh_fixperms:
	192	dh_fixperms
	193	chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
	194
	195	override_dh_installdeb:
	196	dh_installdeb
	197	perl -i debian/substitute-conffile.pl \
	198	ETC_SSH_MODULI debian/openssh-client/etc/ssh/moduli \
	199	ETC_SSH_SSH_CONFIG debian/openssh-client/etc/ssh/ssh_config \
	200	debian/openssh-client/DEBIAN/preinst
	201	# Yes, ETC_PAM_D_SSH is meant to be spelled that way, to match the
	202	# old configuration file name we need to transfer.
	203	perl -i debian/substitute-conffile.pl \
	204	ETC_DEFAULT_SSH debian/openssh-server/etc/default/ssh \
	205	ETC_INIT_D_SSH debian/openssh-server/etc/init.d/ssh \
	206	ETC_PAM_D_SSH debian/openssh-server/etc/pam.d/sshd \
	207	debian/openssh-server/DEBIAN/preinst
	208
	209	override_dh_gencontrol:
	210	dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)'
	211
	212	debian/faq.html:
	213	wget -O - http://www.openssh.org/faq.html \| \
	214	sed 's,\(href="\)\(txt/\\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \
	215	> debian/faq.html
	216
	217	# You only need to run this immediately after checking out the package from
	218	# revision control.
	219	quilt-setup:
	220	[ ! -d .pc ]
	221	set -e; for patch in $$(quilt series \| tac); do \
	222	patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \
	223	done
	224	quilt push -a
	225
	226	.PHONY: quilt-setup