%define _sysconfdir /etc/ssh
%define _libexecdir %{_libdir}/ssh
+# Do we want to disable root_login? (1=yes 0=no)
+%define no_root_login 0
+
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
- %define version 3.2.3p1
+ %define version 3.4p1
%define cvs %{nil}
%define release 2
%else
%define xsa x11-ssh-askpass
%define askpass %{xsa}-1.2.4.1
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid 67
+%define sshd_gid 67
+
Name : openssh
Version : %{version}%{cvs}
Release : %{release}
--with-pam \
--with-tcp-wrappers \
--with-ipv4-default \
+ --sysconfdir=%{_sysconfdir}/ssh \
+ --libexecdir=%{_libexecdir}/openssh \
+ --with-privsep-path=%{_var}/empty/sshd \
#leave this line for easy edits.
%__make CFLAGS="$RPM_OPT_FLAGS"
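Review bot: The two added path flags append a component to macros that already carry it. With `%define _sysconfdir /etc/ssh` and `%define _libexecdir %{_libdir}/ssh` at the top of the spec, `--sysconfdir=%{_sysconfdir}/ssh` expands to `/etc/ssh/ssh` and `--libexecdir=%{_libexecdir}/openssh` to `%{_libdir}/ssh/openssh`. The later config edits and the `%config` entries use `%{_sysconfdir}/sshd_config` and `%{_sysconfdir}/moduli`, so the daemon's compiled-in config path may differ from the file this package hardens and ships. I would pass the macros unchanged, `--sysconfdir=%{_sysconfdir} \` and `--libexecdir=%{_libexecdir} \`, or drop both flags if the configure macro already supplies them. The start of the configure command and the install step are outside this hunk, so this needs confirming against them.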
# OpenLinux specific configuration
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
+mkdir -p %{buildroot}%{_var}/empty/sshd
# enabling X11 forwarding on the server is convenient and okay,
# on the client side it's a potential security risk!
-%__perl -pi -e 's:X11Forwarding no:X11Forwarding yes:g' \
+%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
+ %{buildroot}%{_sysconfdir}/sshd_config
+
+%if %{no_root_login}
+%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
%{buildroot}%{_sysconfdir}/sshd_config
+%endif
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
# FIXME: disabled, find out why this doesn't work with nis
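Review bot: The `PermitRootLogin` substitution only takes effect if the shipped sshd_config contains the exact string `#PermitRootLogin yes`. When it does not match, perl still exits 0, and a package built with `no_root_login` set to 1 ships with root login left at the upstream default. The reworked `X11Forwarding` line depends on the commented default text in the same way. I would make the build fail when the edit did not land by adding `grep -q '^PermitRootLogin no' %{buildroot}%{_sysconfdir}/sshd_config` before `%endif`, with a matching check for `X11Forwarding yes`. This assumes the section runs under `sh -e`, as rpm build scripts normally do.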
/usr/sbin/ssh-host-keygen
: # to protect the rpm database
+%pre server
+%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+ -c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
+: # to protect the rpm database
%Post server
if [ -x %{LSBinit}-install ]; then
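Review bot: Both account-creation commands in `%pre server` send stderr to /dev/null and end in `|| :`, so any failure other than "already exists" is invisible. If uid or gid 67 is already assigned to another account, for example, the package installs without the unprivileged `sshd` user that privilege separation relies on. I would test for the account first and let real errors reach the installer's output, e.g. `getent passwd sshd >/dev/null || %{_sbindir}/useradd ... || :`, and likewise `getent group sshd` before `groupadd` (or `id sshd` where getent is unavailable). The home directory is also spelled `/var/empty/sshd` here while configure and `%files` use `%{_var}/empty/sshd`; using the macro in `-d` keeps the three in step.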
%Files server
%defattr(-,root,root)
+%dir %attr(0700,root,root) %{_var}/empty/sshd
%config %{SVIdir}/sshd
%config /etc/pam.d/sshd
%config %{_sysconfdir}/moduli
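Review bot: `%files server` lists only `%{_var}/empty/sshd`, so the parent `%{_var}/empty` that `mkdir -p` creates in the build root is not owned by this package, and its mode on the installed system is not set by it. If no base package on the target owns that directory, I would add `%dir %attr(0755,root,root) %{_var}/empty` above the new line so the whole path to the privsep chroot is root-owned with a known mode. A one-line comment on the `0700` entry, saying that sshd expects this directory to be root-owned and not group- or world-writable, would also help the next packager.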