#!/usr/bin/make -f # Uncomment this to turn on verbose mode. # export DH_VERBOSE=1 include /usr/share/hardening-includes/hardening.make # This has to be exported to make some magic below work. export DH_OPTIONS ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) OPTFLAGS := -O2 else OPTFLAGS := -O0 endif ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) RUN_TESTS := yes else RUN_TESTS := endif DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) CC := gcc else CC := $(DEB_HOST_GNU_TYPE)-gcc RUN_TESTS := endif DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null) # Take account of old dpkg-architecture output. ifeq ($(DEB_HOST_ARCH_OS),) DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM)) ifeq ($(DEB_HOST_ARCH_OS),gnu) DEB_HOST_ARCH_OS := hurd endif endif ifeq ($(DEB_HOST_ARCH_CPU),) DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) ifeq ($(DEB_HOST_ARCH_CPU),x86_64) DEB_HOST_ARCH_CPU := amd64 endif endif ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:)) ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:)) # Apparently this is not implied by -fPIE, at least on the mipsen. PIC_CFLAGS := -fPIC PIC_LDFLAGS := -fPIC endif endif # Change the version string to include the Debian version SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') DISTRIBUTOR := $(shell lsb_release -is 2>/dev/null || echo Debian) ifeq ($(DISTRIBUTOR),Ubuntu) DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games else DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games endif SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 ifeq ($(DISTRIBUTOR),Ubuntu) server_recommends := ssh-import-id else server_recommends := endif # Common path configuration. confflags += --sysconfdir=/etc/ssh # Common build options. confflags += --disable-strip confflags += --with-mantype=doc confflags += --with-4in6 confflags += --with-privsep-path=/var/run/sshd confflags += --without-rand-helper # The Hurd needs libcrypt for res_query et al. ifeq ($(DEB_HOST_ARCH_OS),hurd) confflags += --with-libs=-lcrypt endif # Everything above here is common to the deb and udeb builds. confflags_udeb := $(confflags) # Options specific to the deb build. confflags += --with-tcp-wrappers confflags += --with-pam confflags += --with-libedit confflags += --with-kerberos5=/usr confflags += --with-ssl-engine ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux endif # The deb build wants xauth; the udeb build doesn't. confflags += --with-xauth=/usr/bin/xauth confflags_udeb += --without-xauth # Default paths. The udeb build has /usr/bin/X11 and /usr/games removed. confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH) confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Compiler flags. cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS) cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" cflags_udeb := -Os cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" confflags += --with-cflags='$(cflags)' confflags_udeb += --with-cflags='$(cflags_udeb)' # Linker flags. confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))' confflags_udeb += --with-ldflags='-Wl,--as-needed' %: dh $@ override_dh_auto_configure: dh_auto_configure -Bbuild-deb -- $(confflags) dh_auto_configure -Bbuild-udeb -- $(confflags_udeb) override_dh_auto_build: # Debian's /var/log/btmp has inappropriate permissions. perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h # Avoid libnsl linkage. Ugh. perl -pi -e 's/ +-lnsl//' build-udeb/config.status cd build-udeb && ./config.status $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed' override_dh_auto_test: ifeq ($(RUN_TESTS),yes) $(MAKE) -C debian/tests endif override_dh_auto_clean: rm -rf build-deb build-udeb ifeq ($(RUN_TESTS),yes) $(MAKE) -C debian/tests clean endif $(MAKE) -C contrib clean (cat debian/copyright.head; iconv -f ISO-8859-1 -t UTF-8 LICENCE) \ > debian/copyright override_dh_auto_install: $(MAKE) -C build-deb DESTDIR=`pwd`/debian/tmp install-nokeys override_dh_install: rm -f debian/tmp/etc/ssh/sshd_config dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing dh_install -popenssh-client-udeb -popenssh-server-udeb \ --sourcedir=build-udeb install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server install -o root -g root -m 644 debian/openssh-server.ufw.profile debian/openssh-server/etc/ufw/applications.d/openssh-server # Remove version control tags to avoid unnecessary conffile # resolution steps for administrators. sed -i '/\$$OpenBSD:/d' \ debian/openssh-client/etc/ssh/moduli \ debian/openssh-client/etc/ssh/ssh_config override_dh_installdocs: dh_installdocs -Nopenssh-server -Nssh dh_installdocs -popenssh-server -pssh --link-doc=openssh-client # Avoid breaking dh_installexamples later. mkdir -p debian/openssh-server/usr/share/doc/openssh-client override_dh_installinit: dh_installinit -n --name ssh override_dh_installpam: dh_installpam --name sshd override_dh_fixperms: dh_fixperms chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign override_dh_installdeb: dh_installdeb perl -i debian/substitute-conffile.pl \ ETC_SSH_MODULI debian/openssh-client/etc/ssh/moduli \ ETC_SSH_SSH_CONFIG debian/openssh-client/etc/ssh/ssh_config \ debian/openssh-client/DEBIAN/preinst # Yes, ETC_PAM_D_SSH is meant to be spelled that way, to match the # old configuration file name we need to transfer. perl -i debian/substitute-conffile.pl \ ETC_DEFAULT_SSH debian/openssh-server/etc/default/ssh \ ETC_INIT_D_SSH debian/openssh-server/etc/init.d/ssh \ ETC_PAM_D_SSH debian/openssh-server/etc/pam.d/sshd \ debian/openssh-server/DEBIAN/preinst override_dh_gencontrol: dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)' debian/faq.html: wget -O - http://www.openssh.org/faq.html | \ sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \ > debian/faq.html # You only need to run this immediately after checking out the package from # revision control. quilt-setup: [ ! -d .pc ] set -e; for patch in $$(quilt series | tac); do \ patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \ done quilt push -a .PHONY: quilt-setup