From 88edf6255bbc6c0ba87239608bb9b80656391330 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 30 Oct 2005 11:55:45 +1100 Subject: - (djm) [contrib/suse/openssh.spec contrib/suse/rc. sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init files from imorgan AT nas.nasa.gov --- ChangeLog | 7 +- contrib/suse/openssh.spec | 244 +++++++++++++++++++++++++++------------------ contrib/suse/rc.sshd | 133 ++++++++++++++++-------- contrib/suse/sysconfig.ssh | 9 ++ 4 files changed, 255 insertions(+), 138 deletions(-) create mode 100644 contrib/suse/sysconfig.ssh diff --git a/ChangeLog b/ChangeLog index d786b1d5b..3571cb2dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20051030 + - (djm) [contrib/suse/openssh.spec contrib/suse/rc. + sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init + files from imorgan AT nas.nasa.gov + 20051025 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the sizeof(long long) checks, to make fixing bug #1104 easier (no changes @@ -3115,4 +3120,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3923 2005/10/25 08:55:00 dtucker Exp $ +$Id: ChangeLog,v 1.3924 2005/10/30 00:55:45 djm Exp $ diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 6ad862fad..27d043e3b 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,14 +1,29 @@ -Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation -Name: openssh -Version: 4.2p1 -URL: http://www.openssh.com/ -Release: 1 -Source0: openssh-%{version}.tar.gz -Copyright: BSD -Group: Applications/Internet -BuildRoot: /tmp/openssh-%{version}-buildroot -PreReq: openssl -Obsoletes: ssh +# Default values for additional components +%define build_x11_askpass 1 + +# Define the UID/GID to use for privilege separation +%define sshd_gid 65 +%define sshd_uid 71 + +# The version of x11-ssh-askpass to use +%define xversion 1.2.4.1 + +# Allow the ability to override defaults with -D skip_xxx=1 +%{?skip_x11_askpass:%define build_x11_askpass 0} + +Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation +Name: openssh +Version: 4.2p1 +URL: http://www.openssh.com/ +Release: 1 +Source0: openssh-%{version}.tar.gz +Source1: x11-ssh-askpass-%{xversion}.tar.gz +License: BSD +Group: Productivity/Networking/SSH +BuildRoot: %{_tmppath}/openssh-%{version}-buildroot +PreReq: openssl +Obsoletes: ssh +Provides: ssh # # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) # building prerequisites -- stuff for @@ -16,14 +31,25 @@ Obsoletes: ssh # TCP Wrappers (nkitb), # and Gnome (glibdev, gtkdev, and gnlibsd) # -BuildPrereq: openssl -BuildPrereq: nkitb -BuildPrereq: glibdev -BuildPrereq: gtkdev -BuildPrereq: gnlibsd +BuildPrereq: openssl +BuildPrereq: nkitb +#BuildPrereq: glibdev +#BuildPrereq: gtkdev +#BuildPrereq: gnlibsd + +%package askpass +Summary: A passphrase dialog for OpenSSH and the X window System. +Group: Productivity/Networking/SSH +Requires: openssh = %{version} +Obsoletes: ssh-extras +Provides: openssh:${_libdir}/ssh/ssh-askpass + +%if %{build_x11_askpass} +BuildPrereq: XFree86-devel +%endif %description -Ssh (Secure Shell) a program for logging into a remote machine and for +Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and @@ -34,10 +60,26 @@ up to date in terms of security and features, as well as removing all patented algorithms to seperate libraries (OpenSSL). This package includes all files necessary for both the OpenSSH -client and server. Additionally, this package contains the GNOME -passphrase dialog. +client and server. + +%description askpass +Ssh (Secure Shell) is a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains an X Window System passphrase dialog for OpenSSH. %changelog +* Wed Oct 26 2005 Iain Morgan +- Removed accidental inclusion of --without-zlib-version-check +* Tue Oct 25 2005 Iain Morgan +- Overhaul to deal with newer versions of SuSE and OpenSSH * Mon Jun 12 2000 Damien Miller - Glob manpages to catch compressed files * Wed Mar 15 2000 Damien Miller @@ -84,116 +126,124 @@ passphrase dialog. %prep +%if %{build_x11_askpass} +%setup -q -a 1 +%else %setup -q +%endif %build CFLAGS="$RPM_OPT_FLAGS" \ -./configure --prefix=/usr \ - --sysconfdir=/etc/ssh \ - --datadir=/usr/share/openssh \ +%configure --prefix=/usr \ + --sysconfdir=%{_sysconfdir}/ssh \ + --mandir=%{_mandir} \ + --with-privsep-path=/var/lib/empty \ --with-pam \ - --with-gnome-askpass \ --with-tcp-wrappers \ - --with-ipv4-default \ - --libexecdir=/usr/lib/ssh + --libexecdir=%{_libdir}/ssh make -cd contrib -gcc -O -g `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass.c -o gnome-ssh-askpass \ - `gnome-config --libs gnome gnomeui` +%if %{build_x11_askpass} +cd x11-ssh-askpass-%{xversion} +%configure --mandir=/usr/X11R6/man \ + --libexecdir=%{_libdir}/ssh +xmkmf -a +make cd .. +%endif %install rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT/ -install -d $RPM_BUILD_ROOT/etc/ssh/ install -d $RPM_BUILD_ROOT/etc/pam.d/ -install -d $RPM_BUILD_ROOT/sbin/init.d/ +install -d $RPM_BUILD_ROOT/etc/init.d/ install -d $RPM_BUILD_ROOT/var/adm/fillup-templates -install -d $RPM_BUILD_ROOT/usr/lib/ssh install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd -ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass -ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass -install -m744 contrib/suse/rc.config.sshd \ +install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd +install -m744 contrib/suse/sysconfig.ssh \ $RPM_BUILD_ROOT/var/adm/fillup-templates +%if %{build_x11_askpass} +cd x11-ssh-askpass-%{xversion} +make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/ +rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin +%endif + %clean rm -rf $RPM_BUILD_ROOT +%pre +/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || : +/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || : + %post -if [ "$1" = 1 ]; then - echo "Creating SSH stop/start scripts in the rc directories..." - ln -s ../sshd /sbin/init.d/rc2.d/K20sshd - ln -s ../sshd /sbin/init.d/rc2.d/S20sshd - ln -s ../sshd /sbin/init.d/rc3.d/K20sshd - ln -s ../sshd /sbin/init.d/rc3.d/S20sshd -fi -echo "Updating /etc/rc.config..." -if [ -x /bin/fillup ] ; then - /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd -else - echo "ERROR: fillup not found. This should NOT happen in SuSE Linux." - echo "Update /etc/rc.config by hand from the following template file:" - echo " /var/adm/fillup-templates/rc.config.sshd" -fi if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then - echo "Generating SSH host key..." - /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 + echo "Generating SSH RSA host key..." + /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2 fi if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then echo "Generating SSH DSA host key..." - /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 -fi -if test -r /var/run/sshd.pid -then - echo "Restarting the running SSH daemon..." - /usr/sbin/rcsshd restart >&2 + /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2 fi +%{fillup_and_insserv -n -s -y ssh sshd START_SSHD} +%run_permissions + +%verifyscript +%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh %preun -if [ "$1" = 0 ] -then - echo "Stopping the SSH daemon..." - /usr/sbin/rcsshd stop >&2 - echo "Removing SSH stop/start scripts from the rc directories..." - rm /sbin/init.d/rc2.d/K20sshd - rm /sbin/init.d/rc2.d/S20sshd - rm /sbin/init.d/rc3.d/K20sshd - rm /sbin/init.d/rc3.d/S20sshd -fi +%stop_on_removal sshd + +%postun +%restart_on_update sshd +%{insserv_cleanup} %files %defattr(-,root,root) %doc ChangeLog OVERVIEW README* %doc RFC.nroff TODO CREDITS LICENCE -%attr(0755,root,root) %dir /etc/ssh -%attr(0644,root,root) %config /etc/ssh/ssh_config -%attr(0600,root,root) %config /etc/ssh/sshd_config -%attr(0600,root,root) %config /etc/ssh/moduli -%attr(0644,root,root) %config /etc/pam.d/sshd -%attr(0755,root,root) %config /sbin/init.d/sshd -%attr(0755,root,root) /usr/bin/ssh-keygen -%attr(0755,root,root) /usr/bin/scp -%attr(4755,root,root) /usr/bin/ssh -%attr(-,root,root) /usr/bin/slogin -%attr(0755,root,root) /usr/bin/ssh-agent -%attr(0755,root,root) /usr/bin/ssh-add -%attr(0755,root,root) /usr/bin/ssh-keyscan -%attr(0755,root,root) /usr/bin/sftp -%attr(0755,root,root) /usr/sbin/sshd -%attr(-,root,root) /usr/sbin/rcsshd -%attr(0755,root,root) %dir /usr/lib/ssh -%attr(0755,root,root) /usr/lib/ssh/ssh-askpass -%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass -%attr(0644,root,root) %doc /usr/man/man1/scp.1* -%attr(0644,root,root) %doc /usr/man/man1/ssh.1* -%attr(-,root,root) %doc /usr/man/man1/slogin.1* -%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1* -%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1* -%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* -%attr(0644,root,root) %doc /usr/man/man8/sshd.8* -%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/init.d/sshd +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0755,root,root) %{_bindir}/scp +%attr(0755,root,root) %{_bindir}/ssh +%attr(-,root,root) %{_bindir}/slogin +%attr(0755,root,root) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %dir %{_libdir}/ssh +%attr(0755,root,root) %{_libdir}/ssh/sftp-server +%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign +%attr(0644,root,root) %doc %{_mandir}/man1/scp.1* +%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1* +%attr(-,root,root) %doc %{_mandir}/man1/slogin.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5* +%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8* +%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8* +%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8* +%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh +%if %{build_x11_askpass} +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{xversion}/README +%doc x11-ssh-askpass-%{xversion}/ChangeLog +%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad +%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass +%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass +%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x* +%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x* +%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass +%endif diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd index f7d431ebb..573960bfa 100644 --- a/contrib/suse/rc.sshd +++ b/contrib/suse/rc.sshd @@ -1,80 +1,133 @@ #! /bin/sh -# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. +# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany. # -# Author: Chris Saia +# Author: Jiri Smid # -# /sbin/init.d/sshd +# /etc/init.d/sshd # # and symbolic its link # -# /sbin/rcsshd +# /usr/sbin/rcsshd # +### BEGIN INIT INFO +# Provides: sshd +# Required-Start: $network $remote_fs +# Required-Stop: $network $remote_fs +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Description: Start the sshd daemon +### END INIT INFO -. /etc/rc.config +SSHD_BIN=/usr/sbin/sshd +test -x $SSHD_BIN || exit 5 -# Determine the base and follow a runlevel link name. -base=${0##*/} -link=${base#*[SK][0-9][0-9]} +SSHD_SYSCONFIG=/etc/sysconfig/ssh +test -r $SSHD_SYSCONFIG || exit 6 +. $SSHD_SYSCONFIG -# Force execution if not called by a runlevel directory. -test $link = $base && START_SSHD=yes -test "$START_SSHD" = yes || exit 0 +SSHD_PIDFILE=/var/run/sshd.init.pid + +. /etc/rc.status + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v ditto but be verbose in local rc status +# rc_status -v -r ditto and clear the local rc status +# rc_failed set local and overall rc status to failed +# rc_reset clear local rc status (overall remains) +# rc_exit exit appropriate to overall rc status + +# First reset status of this service +rc_reset -# The echo return value for success (defined in /etc/rc.config). -return=$rc_done case "$1" in start) - echo -n "Starting service sshd" + if ! test -f /etc/ssh/ssh_host_key ; then + echo Generating /etc/ssh/ssh_host_key. + ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N '' + fi + if ! test -f /etc/ssh/ssh_host_dsa_key ; then + echo Generating /etc/ssh/ssh_host_dsa_key. + + ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N '' + fi + if ! test -f /etc/ssh/ssh_host_rsa_key ; then + echo Generating /etc/ssh/ssh_host_rsa_key. + + ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N '' + fi + echo -n "Starting SSH daemon" ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. - startproc /usr/sbin/sshd || return=$rc_failed + startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" - echo -e "$return" + # Remember status and be verbose + rc_status -v ;; stop) - echo -n "Stopping service sshd" + echo -n "Shutting down SSH daemon" ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - killproc -TERM /usr/sbin/sshd || return=$rc_failed + killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd - echo -e "$return" + # Remember status and be verbose + rc_status -v ;; + try-restart) + ## Stop the service and if this succeeds (i.e. the + ## service was running before), start it again. + $0 status >/dev/null && $0 restart + + # Remember status and be quiet + rc_status + ;; restart) - ## If first returns OK call the second, if first or - ## second command fails, set echo return value. - $0 stop && $0 start || return=$rc_failed - ;; - reload) - ## Choose ONE of the following two cases: + ## Stop the service and regardless of whether it was + ## running or not, start it again. + $0 stop + $0 start - ## First possibility: A few services accepts a signal - ## to reread the (changed) configuration. + # Remember status and be quiet + rc_status + ;; + force-reload|reload) + ## Signal the daemon to reload its config. Most daemons + ## do this on signal 1 (SIGHUP). echo -n "Reload service sshd" - killproc -HUP /usr/sbin/sshd || return=$rc_failed - echo -e "$return" - ;; + + killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd + + rc_status -v + + ;; status) - echo -n "Checking for service sshd" - ## Check status with checkproc(8), if process is running - ## checkproc will return with exit status 0. + echo -n "Checking for service sshd " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. - checkproc /usr/sbin/sshd && echo OK || echo No process + # Status has a slightly different for the status command: + # 0 - service running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running + + checkproc -p $SSHD_PIDFILE /usr/sbin/sshd + + rc_status -v ;; probe) ## Optional: Probe for the necessity of a reload, ## give out the argument which is required for a reload. - test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload + test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload ;; *) - echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac - -# Inform the caller not only verbosely and set an exit status. -test "$return" = "$rc_done" || exit 1 -exit 0 +rc_exit diff --git a/contrib/suse/sysconfig.ssh b/contrib/suse/sysconfig.ssh new file mode 100644 index 000000000..c6a37e5cb --- /dev/null +++ b/contrib/suse/sysconfig.ssh @@ -0,0 +1,9 @@ +## Path: Network/Remote access/SSH +## Description: SSH server settings +## Type: string +## Default: "" +## ServiceRestart: sshd +# +# Options for sshd +# +SSHD_OPTS="" -- cgit v1.2.3