%define ver 7.3p1
%define rel 1

# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74

# Version of ssh-askpass
%define aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%define scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1

# Is this build for RHL 6.x?
%define build6x 0

# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}

# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%define gtk2 0}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}

# Turn off some stuff for rescue builds
%if %{rescue}
%define kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
%if ! %{no_x11_askpass}
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
%endif
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl, openssl-devel
BuildRequires: /bin/login
%if ! %{build6x}
BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif

%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.

%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.

%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.

%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.

%prep

%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif

%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif

%if %{kerberos5}
K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif

%configure \
	--sysconfdir=%{_sysconfdir}/ssh \
	--libexecdir=%{_libexecdir}/openssh \
	--datadir=%{_datadir}/openssh \
	--with-default-path=/usr/local/bin:/bin:/usr/bin \
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
	--with-privsep-path=%{_var}/empty/sshd \
	--with-md5-passwords \
%if %{scard}
	--with-smartcard \
%endif
%if %{rescue}
	--without-pam \
%else
	--with-pam \
%endif
%if %{kerberos5}
	--with-kerberos5=$K5DIR \
%endif


%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif

make

%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif

# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
	gtk2=yes
%else
	gtk2=no
%endif

%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
	make gnome-ssh-askpass2
	mv gnome-ssh-askpass2 gnome-ssh-askpass
else
	make gnome-ssh-askpass1
	mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd

make install DESTDIR=$RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd

%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif

%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%if ! %{scard}
	rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif

%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif

perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

%clean
rm -rf $RPM_BUILD_ROOT

%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
	touch /var/run/sshd.restart
fi

%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
	 /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
	 END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
	echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
	echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi

%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
	/sbin/chkconfig --add sshd
	if test -f /var/run/sshd.restart ; then
		rm -f /var/run/sshd.restart
		/sbin/service sshd start > /dev/null 2>&1 || :
	fi
fi

%pre server
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
	-g sshd -M -r sshd 2>/dev/null || :

%post server
/sbin/chkconfig --add sshd

%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :

%preun server
if [ "$1" = 0 ]
then
	/sbin/service sshd stop > /dev/null 2>&1 || :
	/sbin/chkconfig --del sshd
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif

%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif

%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif

%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif

%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%changelog
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass

* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
- Remove noip6 option. This may be controlled at run-time in client config
  file using new AddressFamily directive

* Mon May 12 2003 Damien Miller <djm@mindrot.org>
- Don't install profile.d scripts when not building with GNOME/GTK askpass
  (patch from bet@rahul.net)

* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks

* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
- Use contrib/ Makefile for building askpass programs

* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client

* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorganise a little
- Add Privsep user, group and directory

* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
- bump and grind (through the build system)

* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
- require sharutils for building (mindrot #137)
- require db1-devel only when building for 6.x (#55105), which probably won't
  work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
- require pam-devel by file (not by package name) again
- add Markus's patch to compile with OpenSSL 0.9.5a (from
  http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
  building for 6.x

* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
- update to 3.1p1

* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
- update to SNAP-20020305
- drop debug patch, fixed upstream

* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
  anything to be warned about, gss patches won't apply, I don't mind)

* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
  exchange, authentication, and named key support

* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
- remove dependency on db1-devel, which has just been swallowed up whole
  by gnome-libs-devel

* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust build dependencies so that build6x actually works right (fix
  from Hugo van der Kooij)

* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
- update to 3.0.2p1

* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
- update to 3.0.1p1

* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to current CVS (not for use in distribution)

* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
  3.0p1 spec file and init script

* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.0p1
- update to x11-ssh-askpass 1.2.4.1
- change build dependency on a file from pam-devel to the pam-devel package
- replace primes with moduli

* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs

* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
- Merge changes to rescue build from current sysadmin survival cd

* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
- fix scp's server's reporting of file sizes, and build with the proper
  preprocessor define to get large-file capable open(), stat(), etc.
  (sftp has been doing this correctly all along) (#51827)
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
- mark profile.d scriptlets as config files (#42337)
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
- change a couple of log() statements to debug() statements (#50751)
- pull cvs patch to add -t flag to sshd (#28611)
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)

* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)

* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to fix remote port forwarding with protocol 2

* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to add session initialization to no-pty sessions
- pull cvs patch to not cut off challengeresponse auth needlessly
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
  it by default on a system that doesn't have X installed (#49263)

* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)

* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
- pass OPTIONS correctly to initlog (#50151)

* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- switch to x11-ssh-askpass 1.2.2

* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment

* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- disable the gssapi patch

* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9p2
- refresh to a new version of the gssapi patch

* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- change Copyright: BSD to License: BSD
- add Markus Friedl's unverified patch for the cookie file deletion problem
  so that we can verify it
- drop patch to check if xauth is present (was folded into cookie patch)
- don't apply gssapi patches for the errata candidate
- clear supplemental groups list at startup

* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix an error parsing the new default sshd_config
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
  dealing with comments right

* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
  to be removed before the next beta cycle because it's a big departure
  from the upstream version

* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- finish marking strings in the init script for translation
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
  at startup (change merged from openssh.com init script, originally by
  Pekka Savola)
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
  it by default on a system that doesn't have X installed

* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9
- drop various patches that came from or went upstream or to or from CVS

* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)

* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
- remove explicit openssl requirement, fixes builddistro issue
- make initscript stop() function wait until sshd really dead to avoid
  races in condrestart

* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- mention that challengeresponse supports PAM, so disabling password doesn't
  limit users to pubkey and rsa auth (#34378)
- bypass the daemon() function in the init script and call initlog directly,
  because daemon() won't start a daemon it detects is already running (like
  open connections)
- require the version of openssl we had when we were built

* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- make do_pam_setcred() smart enough to know when to establish creds and
  when to reinitialize them
- add in a couple of other fixes from Damien for inclusion in the errata

* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p2
- call setcred() again after initgroups, because the "creds" could actually
  be group memberships

* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
- don't enable challenge-response by default until we find a way to not
  have too many userauth requests (we may make up to six pubkey and up to
  three password attempts as it is)
- remove build dependency on rsh to match openssh.com's packages more closely

* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- remove dependency on openssl -- would need to be too precise

* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment

* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Revert the patch to move pam_open_session.
- Init script and spec file changes from Pekka Savola. (#28750)
- Patch sftp to recognize '-o protocol' arguments. (#29540)

* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Chuck the closing patch.
- Add a trigger to add host keys for protocol 2 to the config file, now that
  configuration file syntax requires us to specify it with HostKey if we
  specify any other HostKey values, which we do.

* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- Redo patch to move pam_open_session after the server setuid()s to the user.
- Rework the nopam patch to use be picked up by autoconf.

* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.1p1.
- Add init script mods from Pekka Savola.
- Tweak the init script to match the CVS contrib script more closely.
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
  adding id_rsa.

* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.0p1.
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
- Resync with parts of Damien Miller's openssh.spec from CVS, including
  update of x11 askpass to 1.2.0.
- Only require openssl (don't prereq) because we generate keys in the init
  script now.

* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't open a PAM session until we've forked and become the user (#25690).
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
  host the user is attempting a login from.
- Resync with parts of Damien Miller's openssh.spec from CVS.
- Don't expose KbdInt responses in debug messages (from CVS).
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).

* Wed Feb 7 2001 Trond Eivind Glomsrød <teg@redhat.com>
- i18n-tweak to initscript.

* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- More gettextizing.
- Close all files after going into daemon mode (needs more testing).
- Extract patch from CVS to handle auth banners (in the client).
- Extract patch from CVS to handle compat weirdness.

* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Finish with the gettextizing.

* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix a bug in auth2-pam.c (#23877)
- Gettextize the init script.

* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate a switch for using PAM configs for 6.x, just in case.

* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate Bero's changes for a build specifically for rescue CDs.

* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
  succeeded, to allow public-key authentication after a failure with "none"
  authentication. (#21268)

* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to x11-askpass 1.1.1. (#21301)
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)

* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Merge multiple PAM text messages into subsequent prompts when possible when
  doing keyboard-interactive authentication.

* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
- Disable the built-in MD5 password support. We're using PAM.
- Take a crack at doing keyboard-interactive authentication with PAM, and
  enable use of it in the default client configuration so that the client
  will try it when the server disallows password authentication.
- Build with debugging flags. Build root policies strip all binaries anyway.

* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- Use DESTDIR instead of %%makeinstall.
- Remove /usr/X11R6/bin from the path-fixing patch.

* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add the primes file from the latest snapshot to the main package (#20884).
- Add the dev package to the prereq list (#19984).
- Remove the default path and mimic login's behavior in the server itself.
692180740Sdes 693180740Sdes* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com> 694180740Sdes- Resync with conditional options in Damien Miller's .spec file for an errata. 695180740Sdes- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh. 696180740Sdes 697180740Sdes* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com> 698180740Sdes- Update to OpenSSH 2.3.0p1. 699180740Sdes- Update to x11-askpass 1.1.0. 700180740Sdes- Enable keyboard-interactive authentication. 701180740Sdes 702180740Sdes* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com> 703180740Sdes- Update to ssh-askpass-x11 1.0.3. 704180740Sdes- Change authentication related messages to be private (#19966). 705180740Sdes 706180740Sdes* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com> 707180740Sdes- Patch ssh-keygen to be able to list signatures for DSA public key files 708180740Sdes it generates. 709180740Sdes 710180740Sdes* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com> 711225825Sdes- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always 712180740Sdes build PAM authentication in. 713180740Sdes- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. 714180740Sdes- Clean out no-longer-used patches. 715180740Sdes- Patch ssh-add to try to add both identity and id_dsa, and to error only 716180740Sdes when neither exists. 717180740Sdes 718180740Sdes* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com> 719180740Sdes- Update x11-askpass to 1.0.2. (#17835) 720225825Sdes- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will 721180740Sdes always find them in the right place. (#17909) 722180740Sdes- Set the default path to be the same as the one supplied by /bin/login, but 723180740Sdes add /usr/X11R6/bin. (#17909) 724180740Sdes- Try to handle obsoletion of ssh-server more cleanly. Package names 725180740Sdes are different, but init script name isn't. 
(#17865) 726180740Sdes 727180740Sdes* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com> 728180740Sdes- Update to 2.2.0p1. (#17835) 729180740Sdes- Tweak the init script to allow proper restarting. (#18023) 730180740Sdes 731180740Sdes* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com> 732180740Sdes- Update to 20000823 snapshot. 733180740Sdes- Change subpackage requirements from %%{version} to %%{version}-%%{release} 734180740Sdes- Back out the pipe patch. 735180740Sdes 736180740Sdes* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com> 737180740Sdes- Update to 2.1.1p4, which includes fixes for config file parsing problems. 738180740Sdes- Move the init script back. 739180740Sdes- Add Damien's quick fix for wackiness. 740180740Sdes 741180740Sdes* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com> 742180740Sdes- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok(). 743180740Sdes 744180740Sdes* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com> 745180740Sdes- Move condrestart to server postun. 746180740Sdes- Move key generation to init script. 747180740Sdes- Actually use the right patch for moving the key generation to the init script. 748180740Sdes- Clean up the init script a bit. 749180740Sdes 750180740Sdes* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com> 751180740Sdes- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard. 752180740Sdes 753180740Sdes* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com> 754180740Sdes- Update to 2.1.1p2. 755180740Sdes- Use of strtok() considered harmful. 756180740Sdes 757180740Sdes* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com> 758180740Sdes- Get the build root out of the man pages. 759180740Sdes 760180740Sdes* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com> 761180740Sdes- Add and use condrestart support in the init script. 762180740Sdes- Add newer initscripts as a prereq. 
763180740Sdes 764180740Sdes* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com> 765180740Sdes- Build in new environment (release 2) 766180740Sdes- Move -clients subpackage to Applications/Internet group 767180740Sdes 768180740Sdes* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com> 769180740Sdes- Update to 2.2.1p1 770180740Sdes 771180740Sdes* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com> 772180740Sdes- Patch to build with neither RSA nor RSAref. 773180740Sdes- Miscellaneous FHS-compliance tweaks. 774180740Sdes- Fix for possibly-compressed man pages. 775180740Sdes 776180740Sdes* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> 777180740Sdes- Updated for new location 778180740Sdes- Updated for new gnome-ssh-askpass build 779180740Sdes 780180740Sdes* Sun Dec 26 1999 Damien Miller <djm@mindrot.org> 781180740Sdes- Added Jim Knoble's <jmknoble@pobox.com> askpass 782180740Sdes 783180740Sdes* Mon Nov 15 1999 Damien Miller <djm@mindrot.org> 784180740Sdes- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com> 785180740Sdes 786180740Sdes* Sat Nov 13 1999 Damien Miller <djm@mindrot.org> 787180740Sdes- Added 'Obsoletes' directives 788180740Sdes 789180740Sdes* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au> 790180740Sdes- Use make install 791180740Sdes- Subpackages 792180740Sdes 793180740Sdes* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au> 794180740Sdes- Added links for slogin 795180740Sdes- Fixed perms on manpages 796180740Sdes 797180740Sdes* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au> 798180740Sdes- Renamed init script 799180740Sdes 800180740Sdes* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au> 801180740Sdes- Back to old binary names 802180740Sdes 803180740Sdes* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au> 804180740Sdes- Use autoconf 805180740Sdes- New binary names 806180740Sdes 807180740Sdes* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au> 808180740Sdes- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec. 809