# OpenSSH
#
# OPTION:
# Use --define 'buildaix5 1' to allow image to be installed on AIX 5.
# By default, this spec file builds for AIX 4.3.3 only.  On AIX 5, there
# is an installp version supported for AIX5 licensees, so in most cases
# that is the one you will want.  But you can use the buildaix5 define
# to override and build your own unsupported version.
#
%{?buildaix5:%define buildaix5 1}
%{!?buildaix5:%define buildaix5 0}

Summary: Open Source Secure Shell
Name: openssh
Version: 3.6.1p2
Release: 1
License: IBM_ILA
URL: http://www.openssh.org
Group: Shell/Security
Source: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#
# NOTE: If you are building OpenSSH yourself and want to get a copy
#       of the IBM_ILA license file listed below, visit:
#   ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/LICENSES/IBM_ILA.txt
#       and copy that file into the SOURCES directory, naming it IBM_ILA.
#
Source1: IBM_ILA
Patch1: %{name}-buffer.patch
Patch2: %{name}-passexpire22.patch
Prefix: %{_prefix}
Prereq: openssl
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
BuildRequires: openssl-devel

# Don't use this rpm on AIX 5.1.  Use the official installp version.
%if %{buildaix5} == 0
Conflicts: AIX-rpm >= 5.0.0.0
%endif

BuildRequires: prngd >= 0.9.19
Prereq: prngd >= 0.9.19

%define DEFCC cc

%package clients
Summary: OpenSSH Secure Shell protocol clients
Requires: openssh = %{version}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: OpenSSH Secure Shell protocol server (sshd)
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}
PreReq: openssl

%description
OpenSSH is a FREE version of the SSH protocol suite of network
connectivity tools that increasing numbers of people on the Internet are
coming to rely on. Many users of telnet, rlogin, ftp, and other such
programs might not realize that their password is transmitted across the
Internet unencrypted, but it is. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection hijacking,
and other network-level attacks. Additionally, OpenSSH provides a myriad
of secure tunnelling capabilities, as well as a variety of authentication
methods.

NOTE: This image is meant for AIX 4.3.3 only.  For AIX 5.1, please
install the official openssh installp (found on the AIX Bonus Pack,
or at the web site:
http://oss.software.ibm.com/developerworks/projects/opensshi )

This is not supported.  However, note that it DOES contain the security
patch released on Sept 17, 2003 which was released by openssh.org to
address a buffer overflow vulnerability.

%description clients
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package includes the clients necessary to make encrypted connections
to SSH servers.

NOTE: This image is meant for AIX 4.3.3 only.  For AIX 5.1, please
install the official openssh installp (found on the AIX Bonus Pack,
or at the web site:
http://oss.software.ibm.com/developerworks/projects/opensshi )

%description server
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine.  It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.  X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package contains the secure shell daemon. The sshd is the server
part of the secure shell protocol and allows ssh clients to connect to
your host.

NOTE: This image is meant for AIX 4.3.3 only.  For AIX 5.1, please
install the official openssh installp (found on the AIX Bonus Pack,
or at the web site:
http://oss.software.ibm.com/developerworks/projects/opensshi )

%prep
%setup -q
%patch1 -p0 -b .buffer
%patch2 -p1 -b .passexpire

# Add license info
cat $RPM_SOURCE_DIR/IBM_ILA > LICENSE
cat LICENCE >> LICENSE

%build
# Use the default compiler for this platform - gcc otherwise
if [[ -z "$CC" ]]
then
    if test "X`type %{DEFCC} 2>/dev/null`" != 'X'; then
        export CC=%{DEFCC}
    else
        export CC=gcc
    fi
fi
if test "X$CC" != "Xgcc"
then
    export RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's:-fsigned-char::'`
    export CFLAGS="$RPM_OPT_FLAGS"
fi
export blibpath="/opt/freeware/lib:/usr/lib:/lib"

%configure --prefix=%{prefix} \
    --sysconfdir=/etc/ssh \
    --libexecdir=%{_libexecdir}/openssh \
    --with-ipv4-default \
    --with-rsh=/usr/bin/rsh \
    --with-ssl-dir=/opt/freeware

make

#
# Now create an 'sshd' startup script
# (\$ is escaped inside the here-document so that \$0 and \$1 are
#  expanded when the script runs, not while the package is built)
#
mkdir aix
cat <<EOF > aix/sshd
#!/usr/bin/ksh
##########################################################
#      name: sshd
#   purpose: script that will start or stop the sshd daemon.
##########################################################

case "\$1" in
start )
        startsrc -g ssh
        ;;
stop )
        stopsrc -g ssh
        ;;
* )
        echo "Usage: \$0 (start | stop)"
        exit 1
esac
exit 0
EOF

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT/var/empty
mkdir -p -m755 $RPM_BUILD_ROOT/etc/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT/etc/rc.d/init.d
install -m 750 aix/sshd $RPM_BUILD_ROOT/etc/rc.d/init.d
for n in 2 3 4 5 6 7 8 9
do
    mkdir -p -m755 $RPM_BUILD_ROOT/etc/rc.d/rc$n.d
    ln -s ../init.d/sshd $RPM_BUILD_ROOT/etc/rc.d/rc$n.d/S55sshd
    ln -s ../init.d/sshd $RPM_BUILD_ROOT/etc/rc.d/rc$n.d/K55sshd
done
install -m 644 ssh_config $RPM_BUILD_ROOT/etc/ssh/ssh_config
make DESTDIR=$RPM_BUILD_ROOT install
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh

# Strip the build root prefix from paths embedded in the man pages
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

# Create the /usr links pointing at the files installed under %{prefix}
(cd $RPM_BUILD_ROOT
 for dir in bin sbin
 do
    mkdir -p usr/$dir
    cd usr/$dir
    ln -sf ../..%{prefix}/$dir/* .
    cd -
 done

 for dir in man1 man5 man8
 do
    mkdir -p usr/share/man/$dir
    cd usr/share/man/$dir
    ln -sf ../../../..%{prefix}/man/$dir/* .
    cd -
 done
)

%clean
rm -rf $RPM_BUILD_ROOT

%post server
#
# Add user and group "sshd" for privilege separation feature.
#
lsgroup sshd >/dev/null 2>&1 || {
    mkgroup sshd || true
}
lsuser sshd >/dev/null 2>&1 || {
    mkuser -a pgrp=sshd login=false home=/var/empty gecos="OpenSSH privilege separation" account_locked=true sshd || true
}

#
# Create the 'host' private and public keys for the sshd daemon to load
#
# generate the RSA host key
if [ ! -s /etc/ssh/ssh_host_rsa_key ]
then
    /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' >/dev/null 2>&1
    if [ $? -ne 0 ]
    then
        echo "RSA key generation failed"
        exit 1
    fi
fi

# generate the RSA1 host key for the ssh daemon
if [ ! -s /etc/ssh/ssh_host_key ]
then
    /usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N '' > /dev/null 2>&1
    if [ $? -ne 0 ]
    then
        echo "RSA1 key generation failed"
        exit 1
    fi
fi

# generate the DSA host key
if [ ! -s /etc/ssh/ssh_host_dsa_key ]
then
    /usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N '' >/dev/null 2>&1
    if [ $? -ne 0 ]
    then
        echo "DSA key generation failed"
        exit 1
    fi
fi

# Add SRC groups for the openssh daemon
# sshd daemon
/usr/bin/lssrc -s sshd > /dev/null
rc=$?
# rc not equal 0 means the daemon is not there
#
# create the SRC group using the following parameters:
#
#   -u   UserID of 0
#   -a   argument to sshd "-D".  "-D" allows us to use SRC control, no forks
#   -R   restart the subsystem if stops abnormally
#   -S   sshd uses signals communication method
#   -n   signal 15 = to normally stop the daemon
#   -f   signal 9 to force a stop of the daemon
#
if [ $rc -ne 0 ]
then
    /usr/bin/mkssys -s sshd -p /usr/sbin/sshd -G ssh -u 0 -a "-D" -R -S -n 15 -f 9
    rc=$?
    if [ $rc -ne 0 ]
    then
        exit $rc
    fi
    [[ -z "$INUBOSTYPE" ]] && /usr/bin/startsrc -s sshd && exit $?
fi
exit 0

%preun server
if [ $1 = 0 ]; then
    # remove SRC info for sshd daemons
    # sshd
    /usr/bin/lssrc -s sshd > /dev/null 2>&1
    rc=$?
    # rc equal 0 means the daemon is there, so remove it
    if [ $rc -eq 0 ]
    then
        /usr/bin/stopsrc -s sshd > /dev/null 2>&1
        /usr/bin/rmssys -s sshd > /dev/null 2>&1
        rc=$?
        if [ $rc -ne 0 ]
        then
            exit $rc
        fi
    fi
    exit 0
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENSE OVERVIEW README* RFC* TODO WARNING*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-rand-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-rand-helper.8*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(0755,root,root) %dir /var/empty
/usr/bin/scp
/usr/bin/ssh-keygen
/usr/share/man/man1/scp.1*
/usr/share/man/man1/ssh-keygen.1*
/usr/share/man/man8/ssh-keysign.8*
/usr/share/man/man8/ssh-rand-helper.8*

%files clients
%defattr(-,root,root)
%doc LICENSE
%attr(4755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
%attr(-,root,root) %{_mandir}/man5/ssh_config.5*
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
/usr/bin/ssh
/usr/bin/ssh-agent
/usr/bin/ssh-add
/usr/bin/ssh-keyscan
/usr/bin/sftp
/usr/share/man/man1/ssh.1*
/usr/share/man/man1/slogin.1*
/usr/share/man/man1/ssh-agent.1*
/usr/share/man/man1/ssh-add.1*
/usr/share/man/man1/ssh-keyscan.1*
/usr/share/man/man1/sftp.1*
/usr/share/man/man5/ssh_config.5*

%files server
%defattr(-,root,root)
%doc LICENSE
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
/usr/share/man/man5/sshd_config.5*
/usr/share/man/man8/sshd.8*
/usr/share/man/man8/sftp-server.8*
/usr/sbin/sshd
/etc/rc.d/*/*

%changelog
* Wed Sep 17 2003 David Clissold
- They've updated the patch, so rebuilding w/ the new patch.
- http://www.openssh.com/txt/buffer.adv

* Tue Sep 16 2003 David Clissold
- Add patch for new security advisory, published at
- http://www.openssh.com/txt/buffer.adv today (9/16/03).

* Tue Jul 08 2003 David Clissold
- Update to version 3.6.1p2.

* Tue May 06 2003 David Clissold
- Update to version 3.6.1p1.

* Fri Apr 18 2003 David Clissold
- No functional change (thus no binaries of 3.4p1-8 released).
- Changed spec to house the short "sshd" script within.
- Made reference to where IBM_ILA can be obtained.
- These changes made for people to more easily track down the
- pieces needed if they want to build a local copy from this spec.

* Thu Jan 30 2003 David Clissold
- Backport a new "pubkey" patch from Kevin Cawlfield from use
- in the AIX 5L OpenSSH build.

* Tue Jan 07 2003 David Clissold
- Backport a couple patches from Kevin Cawlfield from use
- in the AIX 5L OpenSSH build.
- This supersedes the earlier patch by Matt Millard, now removed.

* Mon Nov 25 2002 David Clissold
- Add IBM ILA license.
- Add a patch to set LOGIN variable on AIX.

* Fri Sep 20 2002 David Clissold
- 3.4p1-4
- Update the aixlogin patch; was not resetting failedlogins after a
- subsequent successful login.

* Wed Sep 04 2002 David Clissold
- Add OPTIONAL patch contributed by Matt Millard
- Changes standard behavior to ignore rlogin=no if root user.  The patch
- is not used by default.
- Also: add option to override AIX5 build restriction.

* Tue Jul 16 2002 David Clissold
- Duh. move mkgroup/mkuser to beginning of %post.  3.4p1-3

* Fri Jul 12 2002 David Clissold
- Correction to mkuser line in the post script.  3.4p1-2

* Wed Jun 26 2002 Reza Arbab
- Update to 3.4p1.

* Mon Jun 24 2002 Reza Arbab
- Update to 3.3p1.
- require prngd

* Fri Apr 26 2002 David Clissold
- 1) Make this a 4.3.3 image only.
-    On AIX 5.1 (and up), this image conflicts with the official
-    supported installp image of openssh for AIX 5.1.  Users on
-    AIX 5.1 should use the supported installp openssh, not the unsupported
-    Toolbox version with conflicting files.
- 2) There was a security patch released a few days ago, which
-    does not affect our images because we don't build with Kerberos/AFS.
-    but since I'm rebuilding, I may as well include the patch for others
-    who might build from this SRPM with different options.

* Thu Mar 07 2002 David Clissold
- New security patch posted today, Mar 7, 2002.  2.9.9p2-6.

* Tue Dec 04 2001 David Clissold
- Add security patch posted on the openssh mailing list today.

* Mon Oct 15 2001 Marc Stephenson
- Fix startup links

* Thu Oct 04 2001 Marc Stephenson
- Explicitly prereq openssl

* Tue Oct 02 2001 David Clissold
- Updated to version 2.9.9p2
- They broke login logging to /etc/security/lastlog; add a patch

* Tue Oct 02 2001 Marc Stephenson
- Added /usr links
  Added startup configuration

* Tue Sep 25 2001 David Clissold
- Add patch to log loginfailures.  Patch courtesy of
- Klaus Wolkersdorfer (K.Wolkersdorfer@fz-juelich.de)

* Thu Jul 26 2001 David Clissold
- Set to conditionally build with/without prngd via PRNGD variable

* Tue Jul 10 2001 Marc Stephenson
- Adapt for AIX Toolbox including logic from RedHat SPEC file