-%define ver 3.3p1
+%define ver 5.1p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
# Do we want smartcard support (1=yes 0=no)
%define scard 0
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%define gtk2 1
+
# Is this build for RHL 6.x?
%define build6x 0
-# Disable IPv6 (avoids DNS hangs on some glibc versions)
-%define noip6 0
-
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
+# Add option to build without GTK2 for older platforms with only GTK+.
+# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
+# rpm -ba|--rebuild --define 'no_gtk2 1'
+%{?no_gtk2:%define gtk2 0}
+
# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
-%define noip6 1
%endif
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}
-# Option to disable ipv6
-# rpm -ba|--rebuild --define "noipv6 1"
-%{?noipv6:%define noip6 1}
-
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}
%endif
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
+Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
%else
PreReq: initscripts >= 5.20
%endif
-BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+BuildPreReq: perl, openssl-devel, tcp_wrappers
BuildPreReq: /bin/login
-%if %{build6x}
+%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
-BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
+BuildPreReq: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildPreReq: XFree86-devel
%endif
%if ! %{no_gnome_askpass}
-BuildPreReq: gnome-libs-devel
+BuildPreReq: pkgconfig
+%endif
+%if %{kerberos5}
+BuildPreReq: krb5-devel
+BuildPreReq: krb5-libs
%endif
%package clients
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
+%if %{kerberos5}
+K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+echo K5DIR=$K5DIR
+%endif
+
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
+ --with-md5-passwords \
%if %{scard}
--with-smartcard \
%endif
-%if %{noip6}
- --with-ipv4-default \
-%endif
%if %{rescue}
- --without-pam --with-md5-passwords \
+ --without-pam \
%else
--with-pam \
%endif
%if %{kerberos5}
- --with-kerberos5=/usr/kerberos \
+ --with-kerberos5=$K5DIR \
%endif
popd
%endif
+# Define a variable to toggle gnome1/gtk2 building. This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+ gtk2=yes
+%else
+ gtk2=no
+%endif
+
%if ! %{no_gnome_askpass}
pushd contrib
-gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
- gnome-ssh-askpass.c -o gnome-ssh-askpass \
- `gnome-config --libs gnome gnomeui`
+if [ $gtk2 = yes ] ; then
+ make gnome-ssh-askpass2
+ mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+ make gnome-ssh-askpass1
+ mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
popd
%endif
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
+%if ! %{scard}
+ rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
+
+%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
-%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%endif
%changelog
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config
+ file using new AddressFamily directive
+
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+ (patch from bet@rahul.net)
+
+* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
+
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
- remove explicit openssl requirement, fixes builddistro issue
-- make initscript stop() function wait until sshd really dead to avoid
+- make initscript stop() function wait until sshd really dead to avoid
races in condrestart
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>