openssh.spec revision 204861
1%define ver 5.4p1 2%define rel 1 3 4# OpenSSH privilege separation requires a user & group ID 5%define sshd_uid 74 6%define sshd_gid 74 7 8# Version of ssh-askpass 9%define aversion 1.2.4.1 10 11# Do we want to disable building of x11-askpass? (1=yes 0=no) 12%define no_x11_askpass 0 13 14# Do we want to disable building of gnome-askpass? (1=yes 0=no) 15%define no_gnome_askpass 0 16 17# Do we want to link against a static libcrypto? (1=yes 0=no) 18%define static_libcrypto 0 19 20# Do we want smartcard support (1=yes 0=no) 21%define scard 0 22 23# Use GTK2 instead of GNOME in gnome-ssh-askpass 24%define gtk2 1 25 26# Is this build for RHL 6.x? 27%define build6x 0 28 29# Do we want kerberos5 support (1=yes 0=no) 30%define kerberos5 1 31 32# Reserve options to override askpass settings with: 33# rpm -ba|--rebuild --define 'skip_xxx 1' 34%{?skip_x11_askpass:%define no_x11_askpass 1} 35%{?skip_gnome_askpass:%define no_gnome_askpass 1} 36 37# Add option to build without GTK2 for older platforms with only GTK+. 38# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. 39# rpm -ba|--rebuild --define 'no_gtk2 1' 40%{?no_gtk2:%define gtk2 0} 41 42# Is this a build for RHL 6.x or earlier? 43%{?build_6x:%define build6x 1} 44 45# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc. 46%if %{build6x} 47%define _sysconfdir /etc 48%endif 49 50# Options for static OpenSSL link: 51# rpm -ba|--rebuild --define "static_openssl 1" 52%{?static_openssl:%define static_libcrypto 1} 53 54# Options for Smartcard support: (needs libsectok and openssl-engine) 55# rpm -ba|--rebuild --define "smartcard 1" 56%{?smartcard:%define scard 1} 57 58# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) 59%define rescue 0 60%{?build_rescue:%define rescue 1} 61 62# Turn off some stuff for resuce builds 63%if %{rescue} 64%define kerberos5 0 65%endif 66 67Summary: The OpenSSH implementation of SSH protocol versions 1 and 2. 68Name: openssh 69Version: %{ver} 70%if %{rescue} 71Release: %{rel}rescue 72%else 73Release: %{rel} 74%endif 75URL: http://www.openssh.com/portable.html 76Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 77%if ! %{skip_x11_askpass} 78Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz 79%endif 80License: BSD 81Group: Applications/Internet 82BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot 83Obsoletes: ssh 84%if %{build6x} 85PreReq: initscripts >= 5.00 86%else 87PreReq: initscripts >= 5.20 88%endif 89BuildPreReq: perl, openssl-devel, tcp_wrappers 90BuildPreReq: /bin/login 91%if ! %{build6x} 92BuildPreReq: glibc-devel, pam 93%else 94BuildPreReq: /usr/include/security/pam_appl.h 95%endif 96%if ! %{no_x11_askpass} 97BuildPreReq: /usr/include/X11/Xlib.h 98%endif 99%if ! %{no_gnome_askpass} 100BuildPreReq: pkgconfig 101%endif 102%if %{kerberos5} 103BuildPreReq: krb5-devel 104BuildPreReq: krb5-libs 105%endif 106 107%package clients 108Summary: OpenSSH clients. 109Requires: openssh = %{version}-%{release} 110Group: Applications/Internet 111Obsoletes: ssh-clients 112 113%package server 114Summary: The OpenSSH server daemon. 115Group: System Environment/Daemons 116Obsoletes: ssh-server 117PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 118%if ! %{build6x} 119Requires: /etc/pam.d/system-auth 120%endif 121 122%package askpass 123Summary: A passphrase dialog for OpenSSH and X. 124Group: Applications/Internet 125Requires: openssh = %{version}-%{release} 126Obsoletes: ssh-extras 127 128%package askpass-gnome 129Summary: A passphrase dialog for OpenSSH, X, and GNOME. 130Group: Applications/Internet 131Requires: openssh = %{version}-%{release} 132Obsoletes: ssh-extras 133 134%description 135SSH (Secure SHell) is a program for logging into and executing 136commands on a remote machine. SSH is intended to replace rlogin and 137rsh, and to provide secure encrypted communications between two 138untrusted hosts over an insecure network. X11 connections and 139arbitrary TCP/IP ports can also be forwarded over the secure channel. 140 141OpenSSH is OpenBSD's version of the last free version of SSH, bringing 142it up to date in terms of security and features, as well as removing 143all patented algorithms to separate libraries. 144 145This package includes the core files necessary for both the OpenSSH 146client and server. To make this package useful, you should also 147install openssh-clients, openssh-server, or both. 148 149%description clients 150OpenSSH is a free version of SSH (Secure SHell), a program for logging 151into and executing commands on a remote machine. This package includes 152the clients necessary to make encrypted connections to SSH servers. 153You'll also need to install the openssh package on OpenSSH clients. 154 155%description server 156OpenSSH is a free version of SSH (Secure SHell), a program for logging 157into and executing commands on a remote machine. This package contains 158the secure shell daemon (sshd). The sshd daemon allows SSH clients to 159securely connect to your SSH server. You also need to have the openssh 160package installed. 161 162%description askpass 163OpenSSH is a free version of SSH (Secure SHell), a program for logging 164into and executing commands on a remote machine. This package contains 165an X11 passphrase dialog for OpenSSH. 166 167%description askpass-gnome 168OpenSSH is a free version of SSH (Secure SHell), a program for logging 169into and executing commands on a remote machine. This package contains 170an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop 171environment. 172 173%prep 174 175%if ! %{no_x11_askpass} 176%setup -q -a 1 177%else 178%setup -q 179%endif 180 181%build 182%if %{rescue} 183CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS 184%endif 185 186%if %{kerberos5} 187K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` 188echo K5DIR=$K5DIR 189%endif 190 191%configure \ 192 --sysconfdir=%{_sysconfdir}/ssh \ 193 --libexecdir=%{_libexecdir}/openssh \ 194 --datadir=%{_datadir}/openssh \ 195 --with-tcp-wrappers \ 196 --with-rsh=%{_bindir}/rsh \ 197 --with-default-path=/usr/local/bin:/bin:/usr/bin \ 198 --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ 199 --with-privsep-path=%{_var}/empty/sshd \ 200 --with-md5-passwords \ 201%if %{scard} 202 --with-smartcard \ 203%endif 204%if %{rescue} 205 --without-pam \ 206%else 207 --with-pam \ 208%endif 209%if %{kerberos5} 210 --with-kerberos5=$K5DIR \ 211%endif 212 213 214%if %{static_libcrypto} 215perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile 216%endif 217 218make 219 220%if ! %{no_x11_askpass} 221pushd x11-ssh-askpass-%{aversion} 222%configure --libexecdir=%{_libexecdir}/openssh 223xmkmf -a 224make 225popd 226%endif 227 228# Define a variable to toggle gnome1/gtk2 building. This is necessary 229# because RPM doesn't handle nested %if statements. 230%if %{gtk2} 231 gtk2=yes 232%else 233 gtk2=no 234%endif 235 236%if ! %{no_gnome_askpass} 237pushd contrib 238if [ $gtk2 = yes ] ; then 239 make gnome-ssh-askpass2 240 mv gnome-ssh-askpass2 gnome-ssh-askpass 241else 242 make gnome-ssh-askpass1 243 mv gnome-ssh-askpass1 gnome-ssh-askpass 244fi 245popd 246%endif 247 248%install 249rm -rf $RPM_BUILD_ROOT 250mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh 251mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh 252mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd 253 254make install DESTDIR=$RPM_BUILD_ROOT 255 256install -d $RPM_BUILD_ROOT/etc/pam.d/ 257install -d $RPM_BUILD_ROOT/etc/rc.d/init.d 258install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh 259%if %{build6x} 260install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd 261%else 262install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd 263%endif 264install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd 265 266%if ! %{no_x11_askpass} 267install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass 268ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass 269%endif 270 271%if ! %{no_gnome_askpass} 272install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass 273%endif 274 275%if ! %{scard} 276 rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin 277%endif 278 279%if ! %{no_gnome_askpass} 280install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 281install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 282install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 283%endif 284 285perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* 286 287%clean 288rm -rf $RPM_BUILD_ROOT 289 290%triggerun server -- ssh-server 291if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then 292 touch /var/run/sshd.restart 293fi 294 295%triggerun server -- openssh-server < 2.5.0p1 296# Count the number of HostKey and HostDsaKey statements we have. 297gawk 'BEGIN {IGNORECASE=1} 298 /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1} 299 END {exit sawhostkey}' /etc/ssh/sshd_config 300# And if we only found one, we know the client was relying on the old default 301# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't 302# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying 303# one nullifies the default, which would have loaded both. 304if [ $? -eq 1 ] ; then 305 echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config 306 echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config 307fi 308 309%triggerpostun server -- ssh-server 310if [ "$1" != 0 ] ; then 311 /sbin/chkconfig --add sshd 312 if test -f /var/run/sshd.restart ; then 313 rm -f /var/run/sshd.restart 314 /sbin/service sshd start > /dev/null 2>&1 || : 315 fi 316fi 317 318%pre server 319%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || : 320%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \ 321 -g sshd -M -r sshd 2>/dev/null || : 322 323%post server 324/sbin/chkconfig --add sshd 325 326%postun server 327/sbin/service sshd condrestart > /dev/null 2>&1 || : 328 329%preun server 330if [ "$1" = 0 ] 331then 332 /sbin/service sshd stop > /dev/null 2>&1 || : 333 /sbin/chkconfig --del sshd 334fi 335 336%files 337%defattr(-,root,root) 338%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING* 339%attr(0755,root,root) %{_bindir}/scp 340%attr(0644,root,root) %{_mandir}/man1/scp.1* 341%attr(0755,root,root) %dir %{_sysconfdir}/ssh 342%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli 343%if ! %{rescue} 344%attr(0755,root,root) %{_bindir}/ssh-keygen 345%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* 346%attr(0755,root,root) %dir %{_libexecdir}/openssh 347%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign 348%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper 349%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* 350%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* 351%endif 352%if %{scard} 353%attr(0755,root,root) %dir %{_datadir}/openssh 354%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin 355%endif 356 357%files clients 358%defattr(-,root,root) 359%attr(0755,root,root) %{_bindir}/ssh 360%attr(0644,root,root) %{_mandir}/man1/ssh.1* 361%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* 362%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config 363%attr(-,root,root) %{_bindir}/slogin 364%attr(-,root,root) %{_mandir}/man1/slogin.1* 365%if ! %{rescue} 366%attr(2755,root,nobody) %{_bindir}/ssh-agent 367%attr(0755,root,root) %{_bindir}/ssh-add 368%attr(0755,root,root) %{_bindir}/ssh-keyscan 369%attr(0755,root,root) %{_bindir}/sftp 370%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* 371%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* 372%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* 373%attr(0644,root,root) %{_mandir}/man1/sftp.1* 374%endif 375 376%if ! %{rescue} 377%files server 378%defattr(-,root,root) 379%dir %attr(0111,root,root) %{_var}/empty/sshd 380%attr(0755,root,root) %{_sbindir}/sshd 381%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server 382%attr(0644,root,root) %{_mandir}/man8/sshd.8* 383%attr(0644,root,root) %{_mandir}/man5/moduli.5* 384%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* 385%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* 386%attr(0755,root,root) %dir %{_sysconfdir}/ssh 387%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config 388%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd 389%attr(0755,root,root) %config /etc/rc.d/init.d/sshd 390%endif 391 392%if ! %{no_x11_askpass} 393%files askpass 394%defattr(-,root,root) 395%doc x11-ssh-askpass-%{aversion}/README 396%doc x11-ssh-askpass-%{aversion}/ChangeLog 397%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad 398%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass 399%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass 400%endif 401 402%if ! %{no_gnome_askpass} 403%files askpass-gnome 404%defattr(-,root,root) 405%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.* 406%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass 407%endif 408 409%changelog 410* Mon Jun 2 2003 Damien Miller <djm@mindrot.org> 411- Remove noip6 option. This may be controlled at run-time in client config 412 file using new AddressFamily directive 413 414* Mon May 12 2003 Damien Miller <djm@mindrot.org> 415- Don't install profile.d scripts when not building with GNOME/GTK askpass 416 (patch from bet@rahul.net) 417 418* Wed Oct 01 2002 Damien Miller <djm@mindrot.org> 419- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks 420 421* Mon Sep 30 2002 Damien Miller <djm@mindrot.org> 422- Use contrib/ Makefile for building askpass programs 423 424* Fri Jun 21 2002 Damien Miller <djm@mindrot.org> 425- Merge in spec changes from seba@iq.pl (Sebastian Pachuta) 426- Add new {ssh,sshd}_config.5 manpages 427- Add new ssh-keysign program and remove setuid from ssh client 428 429* Fri May 10 2002 Damien Miller <djm@mindrot.org> 430- Merge in spec changes from RedHat, reorgansie a little 431- Add Privsep user, group and directory 432 433* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2 434- bump and grind (through the build system) 435 436* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1 437- require sharutils for building (mindrot #137) 438- require db1-devel only when building for 6.x (#55105), which probably won't 439 work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck 440- require pam-devel by file (not by package name) again 441- add Markus's patch to compile with OpenSSL 0.9.5a (from 442 http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're 443 building for 6.x 444 445* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0 446- update to 3.1p1 447 448* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305 449- update to SNAP-20020305 450- drop debug patch, fixed upstream 451 452* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220 453- update to SNAP-20020220 for testing purposes (you've been warned, if there's 454 anything to be warned about, gss patches won't apply, I don't mind) 455 456* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3 457- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key 458 exchange, authentication, and named key support 459 460* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2 461- remove dependency on db1-devel, which has just been swallowed up whole 462 by gnome-libs-devel 463 464* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com> 465- adjust build dependencies so that build6x actually works right (fix 466 from Hugo van der Kooij) 467 468* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1 469- update to 3.0.2p1 470 471* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1 472- update to 3.0.1p1 473 474* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com> 475- update to current CVS (not for use in distribution) 476 477* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1 478- merge some of Damien Miller <djm@mindrot.org> changes from the upstream 479 3.0p1 spec file and init script 480 481* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com> 482- update to 3.0p1 483- update to x11-ssh-askpass 1.2.4.1 484- change build dependency on a file from pam-devel to the pam-devel package 485- replace primes with moduli 486 487* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9 488- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs 489 490* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8 491- Merge changes to rescue build from current sysadmin survival cd 492 493* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7 494- fix scp's server's reporting of file sizes, and build with the proper 495 preprocessor define to get large-file capable open(), stat(), etc. 496 (sftp has been doing this correctly all along) (#51827) 497- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247) 498- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298) 499- mark profile.d scriptlets as config files (#42337) 500- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug 501- change a couple of log() statements to debug() statements (#50751) 502- pull cvs patch to add -t flag to sshd (#28611) 503- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221) 504 505* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6 506- add db1-devel as a BuildPrerequisite (noted by Hans Ecke) 507 508* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com> 509- pull cvs patch to fix remote port forwarding with protocol 2 510 511* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com> 512- pull cvs patch to add session initialization to no-pty sessions 513- pull cvs patch to not cut off challengeresponse auth needlessly 514- refuse to do X11 forwarding if xauth isn't there, handy if you enable 515 it by default on a system that doesn't have X installed (#49263) 516 517* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com> 518- don't apply patches to code we don't intend to build (spotted by Matt Galgoci) 519 520* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com> 521- pass OPTIONS correctly to initlog (#50151) 522 523* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com> 524- switch to x11-ssh-askpass 1.2.2 525 526* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com> 527- rebuild in new environment 528 529* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com> 530- disable the gssapi patch 531 532* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com> 533- update to 2.9p2 534- refresh to a new version of the gssapi patch 535 536* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com> 537- change Copyright: BSD to License: BSD 538- add Markus Friedl's unverified patch for the cookie file deletion problem 539 so that we can verify it 540- drop patch to check if xauth is present (was folded into cookie patch) 541- don't apply gssapi patches for the errata candidate 542- clear supplemental groups list at startup 543 544* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com> 545- fix an error parsing the new default sshd_config 546- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not 547 dealing with comments right 548 549* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com> 550- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house, 551 to be removed before the next beta cycle because it's a big departure 552 from the upstream version 553 554* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com> 555- finish marking strings in the init script for translation 556- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd 557 at startup (change merged from openssh.com init script, originally by 558 Pekka Savola) 559- refuse to do X11 forwarding if xauth isn't there, handy if you enable 560 it by default on a system that doesn't have X installed 561 562* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com> 563- update to 2.9 564- drop various patches that came from or went upstream or to or from CVS 565 566* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com> 567- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer) 568 569* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com> 570- remove explicit openssl requirement, fixes builddistro issue 571- make initscript stop() function wait until sshd really dead to avoid 572 races in condrestart 573 574* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com> 575- mention that challengereponse supports PAM, so disabling password doesn't 576 limit users to pubkey and rsa auth (#34378) 577- bypass the daemon() function in the init script and call initlog directly, 578 because daemon() won't start a daemon it detects is already running (like 579 open connections) 580- require the version of openssl we had when we were built 581 582* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com> 583- make do_pam_setcred() smart enough to know when to establish creds and 584 when to reinitialize them 585- add in a couple of other fixes from Damien for inclusion in the errata 586 587* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com> 588- update to 2.5.2p2 589- call setcred() again after initgroups, because the "creds" could actually 590 be group memberships 591 592* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com> 593- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation) 594- don't enable challenge-response by default until we find a way to not 595 have too many userauth requests (we may make up to six pubkey and up to 596 three password attempts as it is) 597- remove build dependency on rsh to match openssh.com's packages more closely 598 599* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com> 600- remove dependency on openssl -- would need to be too precise 601 602* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com> 603- rebuild in new environment 604 605* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com> 606- Revert the patch to move pam_open_session. 607- Init script and spec file changes from Pekka Savola. (#28750) 608- Patch sftp to recognize '-o protocol' arguments. (#29540) 609 610* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com> 611- Chuck the closing patch. 612- Add a trigger to add host keys for protocol 2 to the config file, now that 613 configuration file syntax requires us to specify it with HostKey if we 614 specify any other HostKey values, which we do. 615 616* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com> 617- Redo patch to move pam_open_session after the server setuid()s to the user. 618- Rework the nopam patch to use be picked up by autoconf. 619 620* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com> 621- Update for 2.5.1p1. 622- Add init script mods from Pekka Savola. 623- Tweak the init script to match the CVS contrib script more closely. 624- Redo patch to ssh-add to try to adding both identity and id_dsa to also try 625 adding id_rsa. 626 627* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com> 628- Update for 2.5.0p1. 629- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass 630- Resync with parts of Damien Miller's openssh.spec from CVS, including 631 update of x11 askpass to 1.2.0. 632- Only require openssl (don't prereq) because we generate keys in the init 633 script now. 634 635* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com> 636- Don't open a PAM session until we've forked and become the user (#25690). 637- Apply Andrew Bartlett's patch for letting pam_authenticate() know which 638 host the user is attempting a login from. 639- Resync with parts of Damien Miller's openssh.spec from CVS. 640- Don't expose KbdInt responses in debug messages (from CVS). 641- Detect and handle errors in rsa_{public,private}_decrypt (from CVS). 642 643* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com> 644- i18n-tweak to initscript. 645 646* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com> 647- More gettextizing. 648- Close all files after going into daemon mode (needs more testing). 649- Extract patch from CVS to handle auth banners (in the client). 650- Extract patch from CVS to handle compat weirdness. 651 652* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com> 653- Finish with the gettextizing. 654 655* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com> 656- Fix a bug in auth2-pam.c (#23877) 657- Gettextize the init script. 658 659* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com> 660- Incorporate a switch for using PAM configs for 6.x, just in case. 661 662* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com> 663- Incorporate Bero's changes for a build specifically for rescue CDs. 664 665* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com> 666- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has 667 succeeded, to allow public-key authentication after a failure with "none" 668 authentication. (#21268) 669 670* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com> 671- Update to x11-askpass 1.1.1. (#21301) 672- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290) 673 674* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com> 675- Merge multiple PAM text messages into subsequent prompts when possible when 676 doing keyboard-interactive authentication. 677 678* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com> 679- Disable the built-in MD5 password support. We're using PAM. 680- Take a crack at doing keyboard-interactive authentication with PAM, and 681 enable use of it in the default client configuration so that the client 682 will try it when the server disallows password authentication. 683- Build with debugging flags. Build root policies strip all binaries anyway. 684 685* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com> 686- Use DESTDIR instead of %%makeinstall. 687- Remove /usr/X11R6/bin from the path-fixing patch. 688 689* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com> 690- Add the primes file from the latest snapshot to the main package (#20884). 691- Add the dev package to the prereq list (#19984). 692- Remove the default path and mimic login's behavior in the server itself. 693 694* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com> 695- Resync with conditional options in Damien Miller's .spec file for an errata. 696- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh. 697 698* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com> 699- Update to OpenSSH 2.3.0p1. 700- Update to x11-askpass 1.1.0. 701- Enable keyboard-interactive authentication. 702 703* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com> 704- Update to ssh-askpass-x11 1.0.3. 705- Change authentication related messages to be private (#19966). 706 707* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com> 708- Patch ssh-keygen to be able to list signatures for DSA public key files 709 it generates. 710 711* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com> 712- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always 713 build PAM authentication in. 714- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. 715- Clean out no-longer-used patches. 716- Patch ssh-add to try to add both identity and id_dsa, and to error only 717 when neither exists. 718 719* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com> 720- Update x11-askpass to 1.0.2. (#17835) 721- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will 722 always find them in the right place. (#17909) 723- Set the default path to be the same as the one supplied by /bin/login, but 724 add /usr/X11R6/bin. (#17909) 725- Try to handle obsoletion of ssh-server more cleanly. Package names 726 are different, but init script name isn't. (#17865) 727 728* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com> 729- Update to 2.2.0p1. (#17835) 730- Tweak the init script to allow proper restarting. (#18023) 731 732* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com> 733- Update to 20000823 snapshot. 734- Change subpackage requirements from %%{version} to %%{version}-%%{release} 735- Back out the pipe patch. 736 737* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com> 738- Update to 2.1.1p4, which includes fixes for config file parsing problems. 739- Move the init script back. 740- Add Damien's quick fix for wackiness. 741 742* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com> 743- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok(). 744 745* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com> 746- Move condrestart to server postun. 747- Move key generation to init script. 748- Actually use the right patch for moving the key generation to the init script. 749- Clean up the init script a bit. 750 751* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com> 752- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard. 753 754* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com> 755- Update to 2.1.1p2. 756- Use of strtok() considered harmful. 757 758* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com> 759- Get the build root out of the man pages. 760 761* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com> 762- Add and use condrestart support in the init script. 763- Add newer initscripts as a prereq. 764 765* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com> 766- Build in new environment (release 2) 767- Move -clients subpackage to Applications/Internet group 768 769* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com> 770- Update to 2.2.1p1 771 772* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com> 773- Patch to build with neither RSA nor RSAref. 774- Miscellaneous FHS-compliance tweaks. 775- Fix for possibly-compressed man pages. 776 777* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> 778- Updated for new location 779- Updated for new gnome-ssh-askpass build 780 781* Sun Dec 26 1999 Damien Miller <djm@mindrot.org> 782- Added Jim Knoble's <jmknoble@pobox.com> askpass 783 784* Mon Nov 15 1999 Damien Miller <djm@mindrot.org> 785- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com> 786 787* Sat Nov 13 1999 Damien Miller <djm@mindrot.org> 788- Added 'Obsoletes' directives 789 790* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au> 791- Use make install 792- Subpackages 793 794* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au> 795- Added links for slogin 796- Fixed perms on manpages 797 798* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au> 799- Renamed init script 800 801* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au> 802- Back to old binary names 803 804* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au> 805- Use autoconf 806- New binary names 807 808* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au> 809- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec. 810