-%define ver 3.2.3p1
+%define ver 3.6.1p2
%define rel 1
# OpenSSH privilege separation requires a user & group ID
# Do we want smartcard support (1=yes 0=no)
%define scard 0
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%define gtk2 1
+
# Is this build for RHL 6.x?
%define build6x 0
# Disable IPv6 (avoids DNS hangs on some glibc versions)
%define noip6 0
+# Do we want kerberos5 support (1=yes 0=no)
+%define kerberos5 1
+
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%define rescue 0
%{?build_rescue:%define rescue 1}
+# Turn off some stuff for resuce builds
+%if %{rescue}
+%define kerberos5 0
+%endif
+
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%else
PreReq: initscripts >= 5.20
%endif
-BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+BuildPreReq: perl, openssl-devel, tcp_wrappers
BuildPreReq: /bin/login
-%if %{build6x}
+%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
BuildPreReq: XFree86-devel
%endif
%if ! %{no_gnome_askpass}
-BuildPreReq: gnome-libs-devel
+BuildPreReq: pkgconfig
+%endif
+%if %{kerberos5}
+BuildPreReq: krb5-devel
+BuildPreReq: krb5-libs
%endif
%package clients
--with-ipv4-default \
%endif
%if %{rescue}
- --without-pam --with-md5-passwords
+ --without-pam --with-md5-passwords \
%else
- --with-pam --with-kerberos5=/usr/kerberos
+ --with-pam \
+%endif
+%if %{kerberos5}
+ --with-kerberos5=/usr/kerberos \
%endif
popd
%endif
+# Define a variable to toggle gnome1/gtk2 building. This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+ gtk2=yes
+%else
+ gtk2=no
+%endif
+
%if ! %{no_gnome_askpass}
pushd contrib
-gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
- gnome-ssh-askpass.c -o gnome-ssh-askpass \
- `gnome-config --libs gnome gnomeui`
+if [ $gtk2 = yes ] ; then
+ make gnome-ssh-askpass2
+ mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+ make gnome-ssh-askpass1
+ mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
popd
%endif
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
+%if ! %{scard}
+ rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
+
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%files clients
%defattr(-,root,root)
-%attr(4755,root,root) %{_bindir}/ssh
+%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
-%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%endif
%changelog
+* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
+
+* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+- Add new {ssh,sshd}_config.5 manpages
+- Add new ssh-keysign program and remove setuid from ssh client
+
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorgansie a little
- Add Privsep user, group and directory