diff --git a/openssh-9.0p1-audit-log.patch b/openssh-9.0p1-audit-log.patch
deleted file mode 100644
index fbf5094d883d0113ffa08e3702f3c7252d30763f..0000000000000000000000000000000000000000
--- a/openssh-9.0p1-audit-log.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -diff -up openssh-9.0p1/audit-bsm.c.patch openssh-9.0p1/audit-bsm.c ---- openssh-9.0p1/audit-bsm.c.patch 2022-10-24 15:02:16.544858331 +0200 -+++ openssh-9.0p1/audit-bsm.c 2022-10-24 14:51:43.685766639 +0200 -@@ -405,7 +405,7 @@ audit_session_close(struct logininfo *li - } - - int --audit_keyusage(struct ssh *ssh, int host_user, char *fp, int rv) -+audit_keyusage(struct ssh *ssh, int host_user, char *key_fp, const struct sshkey_cert *cert, const char *issuer_fp, int rv) - { - /* not implemented */ - } -diff -up openssh-9.0p1/audit.c.patch openssh-9.0p1/audit.c ---- openssh-9.0p1/audit.c.patch 2022-10-24 15:02:16.544858331 +0200 -+++ openssh-9.0p1/audit.c 2022-10-24 15:20:38.854548226 +0200 -@@ -116,12 +116,22 @@ audit_event_lookup(ssh_audit_event_t ev) - void - audit_key(struct ssh *ssh, int host_user, int *rv, const struct sshkey *key) - { -- char *fp; -+ char *key_fp = NULL; -+ char *issuer_fp = NULL; -+ struct sshkey_cert *cert = NULL; - -- fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); -- if (audit_keyusage(ssh, host_user, fp, (*rv == 0)) == 0) -+ key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); -+ if (sshkey_is_cert(key) && key->cert != NULL && key->cert->signature_key != NULL) { -+ cert = key->cert; -+ issuer_fp = sshkey_fingerprint(cert->signature_key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ } -+ if (audit_keyusage(ssh, host_user, key_fp, cert, issuer_fp, (*rv == 0)) == 0) - *rv = -SSH_ERR_INTERNAL_ERROR; -- free(fp); -+ if (key_fp) -+ free(key_fp); -+ if (issuer_fp) -+ free(issuer_fp); - } - - void -diff -up openssh-9.0p1/audit.h.patch openssh-9.0p1/audit.h ---- openssh-9.0p1/audit.h.patch 2022-10-24 15:02:16.544858331 +0200 -+++ openssh-9.0p1/audit.h 2022-10-24 14:58:20.887565518 +0200 -@@ -64,7 +64,7 @@ void audit_session_close(struct logininf - int audit_run_command(struct ssh *, const char *); - void audit_end_command(struct ssh *, int, const char *); - ssh_audit_event_t 
audit_classify_auth(const char *); --int audit_keyusage(struct ssh *, int, char *, int); -+int audit_keyusage(struct ssh *, int, const char *, const struct sshkey_cert *, const char *, int); - void audit_key(struct ssh *, int, int *, const struct sshkey *); - void audit_unsupported(struct ssh *, int); - void audit_kex(struct ssh *, int, char *, char *, char *, char *); -diff -up openssh-9.0p1/audit-linux.c.patch openssh-9.0p1/audit-linux.c ---- openssh-9.0p1/audit-linux.c.patch 2022-10-24 15:02:16.544858331 +0200 -+++ openssh-9.0p1/audit-linux.c 2022-10-24 15:21:58.165303951 +0200 -@@ -137,10 +137,12 @@ fatal_report: - } - - int --audit_keyusage(struct ssh *ssh, int host_user, char *fp, int rv) -+audit_keyusage(struct ssh *ssh, int host_user, const char *key_fp, const struct sshkey_cert *cert, const char *issuer_fp, int rv) - { - char buf[AUDIT_LOG_SIZE]; - int audit_fd, rc, saved_errno; -+ const char *rip; -+ u_int i; - - audit_fd = audit_open(); - if (audit_fd < 0) { -@@ -150,14 +152,44 @@ audit_keyusage(struct ssh *ssh, int host - else - return 0; /* Must prevent login */ - } -+ rip = ssh_remote_ipaddr(ssh); - snprintf(buf, sizeof(buf), "%s_auth grantors=auth-key", host_user ? 
"pubkey" : "hostbased"); - rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, -- buf, audit_username(), -1, NULL, ssh_remote_ipaddr(ssh), NULL, rv); -+ buf, audit_username(), -1, NULL, rip, NULL, rv); - if ((rc < 0) && ((rc != -1) || (getuid() == 0))) - goto out; -- snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp); -+ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", key_fp); - rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL, -- ssh_remote_ipaddr(ssh), NULL, rv); -+ rip, NULL, rv); -+ if ((rc < 0) && ((rc != -1) || (getuid() == 0))) -+ goto out; -+ -+ if (cert) { -+ char *pbuf; -+ -+ pbuf = audit_encode_nv_string("key_id", cert->key_id, 0); -+ if (pbuf == NULL) -+ goto out; -+ snprintf(buf, sizeof(buf), "cert %s cert_serial=%llu cert_issuer_alg=\"%s\" cert_issuer_fp=\"%s\"", -+ pbuf, (unsigned long long)cert->serial, sshkey_type(cert->signature_key), issuer_fp); -+ free(pbuf); -+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, -+ buf, audit_username(), -1, NULL, rip, NULL, rv); -+ if ((rc < 0) && ((rc != -1) || (getuid() == 0))) -+ goto out; -+ -+ for (i = 0; cert->principals != NULL && i < cert->nprincipals; i++) { -+ pbuf = audit_encode_nv_string("cert_principal", cert->principals[i], 0); -+ if (pbuf == NULL) -+ goto out; -+ snprintf(buf, sizeof(buf), "principal %s", pbuf); -+ free(pbuf); -+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, -+ buf, audit_username(), -1, NULL, rip, NULL, rv); -+ if ((rc < 0) && ((rc != -1) || (getuid() == 0))) -+ goto out; -+ } -+ } - out: - saved_errno = errno; - audit_close(audit_fd); diff --git a/openssh.spec b/openssh.spec index f880bbbf7a363f4ae84fb2a1d9a60c6997e1eedb..ff3a540e67746975a5d637ffde65084f5125781d 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -1,308 +1,115 @@ -%define anolis_release 4 -# Do we want SELinux & Audit -%if 0%{?!noselinux:1} -%global WITH_SELINUX 1 -%else -%global WITH_SELINUX 0 -%endif - +%define anolis_release 5 %global _hardened_build 1 +%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin -# Do we want to disable building of gnome-askpass? (1=yes 0=no) -%global no_gnome_askpass 0 - -# Do we want to link against a static libcrypto? (1=yes 0=no) -%global static_libcrypto 0 - -# Use GTK3 instead of GTK2 in gnome-ssh-askpass -%global gtk3 1 - -# Build position-independent executables (requires toolchain support)? -%global pie 1 - -# Do we want kerberos5 support (1=yes 0=no) -%global kerberos5 1 - -# Do we want libedit support -%global libedit 1 - -# Whether to build pam_ssh_agent_auth -%if 0%{?!nopam:1} -%global pam_ssh_agent 1 -%else -%global pam_ssh_agent 0 -%endif - -# Reserve options to override askpass settings with: -# rpm -ba|--rebuild --define 'skip_xxx 1' -%{?skip_gnome_askpass:%global no_gnome_askpass 1} - -# Add option to build without GTK2 for older platforms with only GTK+. -# rpm -ba|--rebuild --define 'no_gtk3 1' -%{?no_gtk3:%global gtk3 0} - -# Options for static OpenSSL link: -# rpm -ba|--rebuild --define "static_openssl 1" -%{?static_openssl:%global static_libcrypto 1} - -# Options for libfido2 support -# libfido2 has strong dependecy on libcbor, but libcbor changes its soname too often, -# which will lead to frequent rebuilds of libfido. providing a switch on libfido2 support -# within openssh is a must-have choice. 
%bcond_without libfido2 +%bcond_without libedit +%bcond_without pam -# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 9.0p1 -%global pam_ssh_agent_ver 0.10.4 -%global pam_ssh_agent_rel 7 - -Summary: An open source implementation of SSH protocol version 2 -Name: openssh -Version: %{openssh_ver} +Name: openssh +Version: 9.0p1 Release: %{anolis_release}%{?dist} -URL: http://www.openssh.com/portable.html -#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ +Summary: An open source implementation of SSH protocol version 2 +License: BSD +URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc +Source1: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-0.10.4.tar.gz Source2: sshd.pam -Source3: gpgkey-736060BA.gpg -Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz -Source5: pam_ssh_agent-rmheaders -Source6: ssh-keycat.pam -Source7: sshd.sysconfig -Source9: sshd@.service -Source10: sshd.socket -Source11: sshd.service -Source12: sshd-keygen@.service -Source13: sshd-keygen -Source15: sshd-keygen.target -Source16: ssh-agent.service -Source17: ssh-agent.socket -Source19: openssh-server-systemd-sysusers.conf - -#https://bugzilla.mindrot.org/show_bug.cgi?id=2581 -Patch100: openssh-6.7p1-coverity.patch - -Patch200: openssh-7.6p1-audit.patch -# Audit race condition in forked child (#1310684) -Patch201: openssh-7.1p2-audit-race-condition.patch -Patch202: openssh-9.0p1-audit-log.patch - -# --- pam_ssh-agent --- -# make it build reusing the openssh sources -Patch300: pam_ssh_agent_auth-0.9.3-build.patch -# check return value of seteuid() -# https://sourceforge.net/p/pamsshagentauth/bugs/23/ -Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch -# explicitly make pam callbacks 
visible -Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch -# update to current version of agent structure -Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch -# remove prefixes to be able to build against current openssh library -Patch306: pam_ssh_agent_auth-0.10.2-compat.patch -# Fix NULL dereference from getpwuid() return value -# https://sourceforge.net/p/pamsshagentauth/bugs/22/ -Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch -Patch308: pam_ssh_agent_auth-0.10.4-rsasha2.patch - -#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) -Patch400: openssh-7.8p1-role-mls.patch -Patch404: openssh-6.6p1-privsep-selinux.patch -#? -Patch502: openssh-6.6p1-keycat.patch - -#https://bugzilla.mindrot.org/show_bug.cgi?id=1644 -Patch601: openssh-6.6p1-allow-ip-opts.patch -#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925 -Patch606: openssh-5.9p1-ipv6man.patch -#? -Patch607: openssh-5.8p2-sigpipe.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1789 -Patch609: openssh-7.2p2-x11.patch - -#? -Patch700: openssh-7.7p1-fips.patch -#? 
-Patch702: openssh-5.1p1-askpass-progress.patch -Patch703: openssh-4.3p2-askpass-grab-info.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-7.7p1-anolis.patch -# warn users for unsupported UsePAM=no (#757545) -Patch711: openssh-7.8p1-UsePAM-warning.patch -# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL -Patch712: openssh-6.3p1-ctr-evp-fast.patch - -# GSSAPI Key Exchange (RFC 4462 + RFC 8732) -Patch800: openssh-8.0p1-gssapi-keyex.patch -#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html -Patch801: openssh-6.6p1-force_krb.patch -# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843) -# CVE-2014-9278 -Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch -# Improve ccache handling in openssh (#991186, #1199363, #1566494) -# https://bugzilla.mindrot.org/show_bug.cgi?id=2775 -Patch804: openssh-7.7p1-gssapi-new-unique.patch -# Respect k5login_directory option in krk5.conf (#1328243) -Patch805: openssh-7.2p2-k5login_directory.patch - - -#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 -Patch901: openssh-6.6p1-kuserok.patch -# Use tty allocation for a remote scp (#985650) -Patch906: openssh-6.4p1-fromto-remote.patch -# privsep_preauth: use SELinux context from selinux-policy (#1008580) -Patch916: openssh-6.6.1p1-selinux-contexts.patch -# log via monitor in chroots without /dev/log (#2681) -Patch918: openssh-6.6.1p1-log-in-chroot.patch -# scp file into non-existing directory (#1142223) -Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch -# apply upstream patch and make sshd -T more consistent (#1187521) -Patch922: openssh-6.8p1-sshdT-output.patch -# Add sftp option to force mode of created files (#1191055) -Patch926: openssh-6.7p1-sftp-force-permission.patch -# make s390 use /dev/ crypto devices -- ignore closefrom -Patch939: openssh-7.2p2-s390-closefrom.patch -# Move MAX_DISPLAYS to a configuration option (#1341302) -Patch944: openssh-7.3p1-x11-max-displays.patch -# 
Help systemd to track the running service -Patch948: openssh-7.4p1-systemd.patch -# Pass inetd flags for SELinux down to openbsd compat level -Patch949: openssh-7.6p1-cleanup-selinux.patch -# Sandbox adjustments for s390 and audit -Patch950: openssh-7.5p1-sandbox.patch -# PKCS#11 URIs (upstream #2817, 2nd iteration) -# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11 -Patch951: openssh-8.0p1-pkcs11-uri.patch -# Unbreak scp between two IPv6 hosts (#1620333) -Patch953: openssh-7.8p1-scp-ipv6.patch -# Mention crypto-policies in manual pages (#1668325) -Patch962: openssh-8.0p1-crypto-policies.patch -# Use OpenSSL high-level API to produce and verify signatures (#1707485) -Patch963: openssh-8.0p1-openssl-evp.patch -# Use OpenSSL KDF (#1631761) -Patch964: openssh-8.0p1-openssl-kdf.patch -# sk-dummy.so built with -fvisibility=hidden does not work -Patch965: openssh-8.2p1-visibility.patch -# Do not break X11 without IPv6 -Patch966: openssh-8.2p1-x11-without-ipv6.patch -# ssh-keygen printing fingerprint issue with Windows keys (#1901518) -Patch974: openssh-8.0p1-keygen-strip-doseol.patch -# sshd provides PAM an incorrect error code (#1879503) -Patch975: openssh-8.0p1-preserve-pam-errors.patch -# Implement kill switch for SCP protocol -Patch977: openssh-8.7p1-scp-kill-switch.patch - -# https://github.com/openssh/openssh-portable/pull/299 -Patch981: openssh-8.7p1-recursive-scp.patch -# https://github.com/djmdjm/openssh-wip/pull/13 -Patch982: openssh-8.7p1-minrsabits.patch -Patch983: openssh-8.7p1-evpgenkey.patch -Patch984: openssh-8.7p1-ibmca.patch -# Fix for scp clearing file when src and dest are the same (#2056884) -# upstream commits: -# 7b1cbcb7599d9f6a3bbad79d412604aa1203b5ee -Patch1001: openssh-8.7p1-scp-clears-file.patch -# Add missing options from ssh_config into ssh manpage -# upstream bug: -# https://bugzilla.mindrot.org/show_bug.cgi?id=3455 -Patch1002: openssh-8.7p1-ssh-manpage.patch -# Always return allocated strings from the kex filtering so that 
we can free them -# upstream commits: -# 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 -# 6c31ba10e97b6953c4f325f526f3e846dfea647a -# 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b -Patch1003: openssh-8.7p1-mem-leak.patch -# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures -# upstream MR: -# https://github.com/openssh-gsskex/openssh-gsskex/pull/21 -Patch1004: openssh-8.7p1-gssapi-auth.patch - -# Don't propose disallowed algorithms during hostkey negotiation -# upstream MR: -# https://github.com/openssh/openssh-portable/pull/323 -Patch1006: openssh-8.7p1-negotiate-supported-algs.patch - -# downstream only -# we skip some ssh-rsa/ssh-dss tests to make native test suite pass -#Patch1100: openssh-8.8p1-skip-some-tests.patch - -License: BSD -Requires: /sbin/nologin - -%if ! %{no_gnome_askpass} -BuildRequires: libX11-devel -%if %{gtk3} -BuildRequires: gtk3-devel -%endif -%endif - -BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel -BuildRequires: audit-libs-devel >= 2.0.5 -BuildRequires: util-linux, groff -BuildRequires: pam-devel -BuildRequires: openssl-devel >= 0.9.8j -BuildRequires: perl-podlators -BuildRequires: systemd-devel -BuildRequires: systemd-rpm-macros -BuildRequires: gcc make -BuildRequires: p11-kit-devel +Source3: pam_ssh_agent-rmheaders +Source4: ssh-keycat.pam +Source5: sshd.sysconfig +Source6: sshd@.service +Source7: sshd.socket +Source8: sshd.service +Source9: sshd-keygen@.service +Source10: sshd-keygen +Source11: sshd-keygen.target +Source12: ssh-agent.service +Source13: ssh-agent.socket +Source14: openssh-server-systemd-sysusers.conf + +# --- patches for pam_ssh-agent --- +Patch100: pam_ssh_agent_auth-0.9.3-build.patch +Patch101: pam_ssh_agent_auth-0.10.3-seteuid.patch +Patch102: pam_ssh_agent_auth-0.9.2-visibility.patch +Patch103: pam_ssh_agent_auth-0.10.2-compat.patch +Patch104: pam_ssh_agent_auth-0.9.3-agent_structure.patch +Patch105: pam_ssh_agent_auth-0.10.2-dereference.patch +Patch106: 
pam_ssh_agent_auth-0.10.4-rsasha2.patch + +Patch300: openssh-7.8p1-role-mls.patch +Patch301: openssh-6.6p1-privsep-selinux.patch +Patch302: openssh-6.6p1-keycat.patch +Patch303: openssh-6.6p1-allow-ip-opts.patch +Patch304: openssh-5.9p1-ipv6man.patch +Patch305: openssh-5.8p2-sigpipe.patch +Patch306: openssh-7.2p2-x11.patch +Patch307: openssh-5.1p1-askpass-progress.patch +Patch308: openssh-4.3p2-askpass-grab-info.patch +Patch309: openssh-7.7p1-anolis.patch +Patch310: openssh-7.8p1-UsePAM-warning.patch +Patch311: openssh-6.3p1-ctr-evp-fast.patch +Patch312: openssh-8.0p1-gssapi-keyex.patch +Patch313: openssh-6.6p1-force_krb.patch +Patch314: openssh-7.7p1-gssapi-new-unique.patch +Patch315: openssh-7.2p2-k5login_directory.patch +Patch316: openssh-6.6p1-kuserok.patch +Patch317: openssh-6.4p1-fromto-remote.patch +Patch318: openssh-6.6.1p1-selinux-contexts.patch +Patch319: openssh-6.6.1p1-log-in-chroot.patch +Patch320: openssh-6.6.1p1-scp-non-existing-directory.patch +Patch321: openssh-6.6p1-GSSAPIEnablek5users.patch +Patch322: openssh-6.8p1-sshdT-output.patch +Patch323: openssh-6.7p1-sftp-force-permission.patch +Patch324: openssh-7.2p2-s390-closefrom.patch +Patch325: openssh-7.3p1-x11-max-displays.patch +Patch326: openssh-7.4p1-systemd.patch +Patch327: openssh-7.6p1-cleanup-selinux.patch +Patch328: openssh-7.5p1-sandbox.patch +Patch329: openssh-8.0p1-pkcs11-uri.patch +Patch330: openssh-7.8p1-scp-ipv6.patch +Patch331: openssh-8.0p1-crypto-policies.patch +Patch332: openssh-8.0p1-openssl-evp.patch +Patch333: openssh-8.0p1-openssl-kdf.patch +Patch334: openssh-8.2p1-visibility.patch +Patch335: openssh-8.2p1-x11-without-ipv6.patch +Patch336: openssh-8.0p1-keygen-strip-doseol.patch +Patch337: openssh-8.0p1-preserve-pam-errors.patch +Patch338: openssh-8.7p1-scp-kill-switch.patch +Patch339: openssh-8.7p1-recursive-scp.patch +Patch340: openssh-8.7p1-minrsabits.patch +Patch341: openssh-8.7p1-evpgenkey.patch +Patch342: openssh-8.7p1-ibmca.patch +Patch343: openssh-7.6p1-audit.patch 
+Patch344: openssh-7.1p2-audit-race-condition.patch +Patch345: openssh-7.7p1-fips.patch +Patch346: openssh-8.7p1-scp-clears-file.patch +Patch347: openssh-8.7p1-ssh-manpage.patch +Patch348: openssh-8.7p1-mem-leak.patch +Patch349: openssh-8.7p1-gssapi-auth.patch +Patch350: openssh-8.7p1-negotiate-supported-algs.patch +Patch351: openssh-6.7p1-coverity.patch + +BuildRequires: autoconf automake make gcc +BuildRequires: perl-interpreter perl-generators perl-podlators +BuildRequires: zlib-devel libX11-devel gtk3-devel pam-devel p11-kit-devel krb5-devel +BuildRequires: audit-libs-devel >= 2.0.5 openssl-devel >= 0.9.8j +BuildRequires: libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 +BuildRequires: util-linux groff xauth +BuildRequires: systemd-devel systemd-rpm-macros %if %{with libfido2} BuildRequires: libfido2-devel %endif -Recommends: p11-kit -Obsoletes: openssh-ldap < 8.3p1-4 -Obsoletes: openssh-cavs < 8.4p1-5 - -%if %{kerberos5} -BuildRequires: krb5-devel -%endif - -%if %{libedit} +%if %{with libedit} BuildRequires: libedit-devel ncurses-devel %endif -%if %{WITH_SELINUX} -Requires: libselinux >= 2.3-5 -BuildRequires: libselinux-devel >= 2.3-5 -Requires: audit-libs >= 1.0.8 -BuildRequires: audit-libs >= 1.0.8 -%endif - -BuildRequires: xauth -# for tarball signature verification -BuildRequires: gnupg2 - -%package clients -Summary: An open source SSH client applications -Requires: openssh = %{version}-%{release} -Requires: crypto-policies >= 20220824-1 - -%package server -Summary: An open source SSH server daemon -Requires: openssh = %{version}-%{release} -Requires(pre): /usr/sbin/useradd -Requires: pam >= 1.0.1-3 -Requires: crypto-policies >= 20220824-1 -%{?systemd_requires} - -%package keycat -Summary: A mls keycat backend for openssh -Requires: openssh = %{version}-%{release} - -%package askpass -Summary: A passphrase dialog for OpenSSH and X -Requires: openssh = %{version}-%{release} - -%package doc -Summary: Documentation files for %{name} -Requires: openssh = 
%{version}-%{release} -BuildArch: noarch +Recommends: p11-kit -%package -n pam_ssh_agent_auth -Summary: PAM module for authentication with ssh-agent -Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{anolis_release}%{?dist} -License: BSD +Requires: /sbin/nologin +Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 +Obsoletes: openssh-ldap < 8.3p1-4 +Obsoletes: openssh-cavs < 8.4p1-5 %description SSH (Secure SHell) is a program for logging into and executing 
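Review bot: The tarball signature check is dropped in this hunk with nothing replacing it: the `.tar.gz.asc` `Source1`, `Source3: gpgkey-736060BA.gpg` and `BuildRequires: gnupg2` are removed, and the `%prep` hunk further down removes the matching `gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}` call. `Source0` is still an `ftp://` URL, so after this change nothing in the spec ties the tarball to the upstream release key; whatever the build system's source cache enforces is not visible here. I would keep the signature and keyring under free source numbers, e.g. `Source15: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc` and `Source16: gpgkey-736060BA.gpg`, and restore `BuildRequires: gnupg2` plus the `gpgv2` line at the top of `%prep` with those numbers. The same hunk also removes the per-patch provenance comments (upstream bug links, the CVE-2014-9278 note on the GSSAPIEnablek5users patch); keeping them next to the renumbered `Patch` lines preserves the record of why each downstream patch exists.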
@@ -318,26 +125,60 @@ This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. +%package clients +Summary: An open source SSH client applications +Requires: openssh = %{EVR} +Requires: crypto-policies >= 20220824-1 + %description clients OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package includes the clients necessary to make encrypted connections to SSH servers. +%package server +Summary: An open source SSH server daemon +Requires: openssh = %{EVR} +Requires(pre): /usr/sbin/useradd +Requires: pam >= 1.0.1-3 crypto-policies >= 20220824-1 +%{?systemd_requires} + %description server OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains the secure shell daemon (sshd). The sshd daemon allows SSH clients to securely connect to your SSH server. +%package keycat +Summary: A mls keycat backend for openssh +Requires: openssh = %{EVR} + %description keycat OpenSSH mls keycat is backend for using the authorized keys in the openssh in the mls mode. +%package askpass +Summary: A passphrase dialog for OpenSSH and X +Requires: openssh = %{EVR} + %description askpass OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH. +%package doc +Summary: Documentation files for %{name} +Requires: openssh = %{EVR} +BuildArch: noarch + +%description doc +The %{name}-doc package contains documentation files for %{name}. 
+ +%package -n pam_ssh_agent_auth +Summary: PAM module for authentication with ssh-agent +Version: 0.10.4 +Release: 7.%{anolis_release}%{?dist} +License: BSD + %description -n pam_ssh_agent_auth This package contains a PAM module which can be used to authenticate users using ssh keys stored in a ssh-agent. Through the use of the 
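Review bot: `Version: 0.10.4` and `Release: 7.%{anolis_release}%{?dist}` on the `pam_ssh_agent_auth` subpackage hard-code what used to be `%{pam_ssh_agent_ver}` and `%{pam_ssh_agent_rel}`, and the same literal is repeated in `Source1` and in each `pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4` in the `%prep`, `%build` and `%install` hunks. A version bump that misses one occurrence fails late in the build or works on a stale directory name. Keeping a single definition near the top, `%global pam_ssh_agent_ver 0.10.4`, and referencing it in those places avoids that. The removed reminder about bumping the subpackage release when the main release is rewound to 1 is also worth keeping as a comment next to this `Release:` line.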
@@ -346,91 +187,20 @@ remote ssh-agent instance. The module is most useful for su and sudo service stacks. -%description doc -The %{name}-doc package contains documentation files for %{name}. - %prep -gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} -%setup -q -a 4 - -%if %{pam_ssh_agent} -pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} -%patch300 -p2 -b .psaa-build -%patch301 -p2 -b .psaa-seteuid -%patch302 -p2 -b .psaa-visibility -%patch306 -p2 -b .psaa-compat -%patch305 -p2 -b .psaa-agent -%patch307 -p2 -b .psaa-deref -%patch308 -p2 -b .rsasha2 -# Remove duplicate headers and library files -rm -f $(cat %{SOURCE5}) +%setup -q -a 1 + +%if %{with pam} +pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 +%autopatch -M 200 -p2 +rm -f $(cat %{SOURCE3}) popd %endif -%patch400 -p1 -b .role-mls -%patch404 -p1 -b .privsep-selinux - -%patch502 -p1 -b .keycat - -%patch601 -p1 -b .ip-opts -%patch606 -p1 -b .ipv6man -%patch607 -p1 -b .sigpipe -%patch609 -p1 -b .x11 -%patch702 -p1 -b .progress -%patch703 -p1 -b .grab-info -%patch707 -p1 -b .anolis -%patch711 -p1 -b .log-usepam-no -%patch712 -p1 -b .evp-ctr -# -%patch800 -p1 -b .gsskex -%patch801 -p1 -b .force_krb -%patch804 -p1 -b .ccache_name -%patch805 -p1 -b .k5login -# -%patch901 -p1 -b .kuserok -%patch906 -p1 -b .fromto-remote -%patch916 -p1 -b .contexts -%patch918 -p1 -b .log-in-chroot -%patch919 -p1 -b .scp -%patch802 -p1 -b .GSSAPIEnablek5users -%patch922 -p1 -b .sshdt -%patch926 -p1 -b .sftp-force-mode -%patch939 -p1 -b .s390-dev -%patch944 -p1 -b .x11max -%patch948 -p1 -b .systemd -%patch949 -p1 -b .refactor -%patch950 -p1 -b .sandbox -%patch951 -p1 -b .pkcs11-uri -%patch953 -p1 -b .scp-ipv6 -%patch962 -p1 -b .crypto-policies -%patch963 -p1 -b .openssl-evp -%patch964 -p1 -b .openssl-kdf -%patch965 -p1 -b .visibility -%patch966 -p1 -b .x11-ipv6 -%patch974 -p1 -b .keygen-strip-doseol -%patch975 -p1 -b .preserve-pam-errors -%patch977 -p1 -b .kill-scp - -%patch981 -p1 -b .scp-sftpdirs -%patch982 
-p1 -b .minrsabits -%patch983 -p1 -b .evpgenrsa -%patch984 -p1 -b .ibmca - -%patch200 -p1 -b .audit -%patch201 -p1 -b .audit-race -%patch700 -p1 -b .fips - -%patch1001 -p1 -b .scp-clears-file -%patch1002 -p1 -b .ssh-manpage -%patch1003 -p1 -b .mem-leak -%patch1004 -p1 -b .gssapi-auth - -%patch1006 -p1 -b .negotiate-supported-algs - -%patch100 -p1 -b .coverity +%autopatch -m 200 -p1 autoreconf -pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} +pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 autoreconf popd @@ -438,21 +208,10 @@ popd %set_build_flags # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth # it is needed for lib(open)ssh build too since it is linked to the pam module too -CFLAGS="$CFLAGS -fvisibility=hidden"; export CFLAGS -%if %{pie} -%ifarch s390 s390x sparc sparcv9 sparc64 -CFLAGS="$CFLAGS -fPIC" -%else -CFLAGS="$CFLAGS -fpic" -%endif +CFLAGS="$CFLAGS -fvisibility=hidden -fpic"; export CFLAGS SAVE_LDFLAGS="$LDFLAGS" -LDFLAGS="$LDFLAGS -pie -z relro -z now" +LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS -export CFLAGS -export LDFLAGS - -%endif -%if %{kerberos5} if test -r /etc/profile.d/krb5-devel.sh ; then source /etc/profile.d/krb5-devel.sh fi @@ -466,7 +225,6 @@ else CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS CFLAGS="$CFLAGS -I%{_includedir}/gssapi" fi -%endif %configure \ --sysconfdir=%{_sysconfdir}/ssh \ @@ -480,7 +238,7 @@ fi --with-ssl-engine \ --with-ipaddr-display \ --with-pie=no \ - --without-hardening `# The hardening flags are configured by system` \ + --without-hardening \ --with-systemd \ --with-default-pkcs11-provider=yes \ %if %{with libfido2} 
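Review bot: With `%autopatch -M 200 -p2` and `%autopatch -m 200 -p1` the application order is defined only by the `Patch` numbers, where the old `%prep` spelled it out (for example GSSAPIEnablek5users after scp-non-existing-directory, and audit, audit-race and fips after ibmca). The renumbering in the header hunk appears to preserve that order, but nothing records that the numbers are order-significant, and both bounds are inclusive, so a future `Patch200` would be picked up by both calls. I would add a comment above the first call, such as `# Patch numbers below 200: pam_ssh_agent_auth (-p2); above 200: openssh (-p1); numeric order is apply order, do not use 200`.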
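Review bot: `CFLAGS="$CFLAGS -fvisibility=hidden -fpic"` now applies `-fpic` on every architecture, where the removed `%ifarch s390 s390x sparc sparcv9 sparc64` branch selected `-fPIC`. If any of those architectures is still a build target, the small-GOT form may fail at link time; `-fPIC` is accepted everywhere, so `CFLAGS="$CFLAGS -fvisibility=hidden -fPIC"; export CFLAGS` keeps the single line without reintroducing the conditional. The `%build` section starts before this hunk and continues after it.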
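Review bot: Removing the inline comment from `--without-hardening` leaves it next to `--with-pie=no` with no explanation, so the configure line reads as if hardening were being switched off rather than delegated to the distribution flags. A comment above `%configure` would keep the intent on record, for example `# configure's own PIE/hardening is disabled on purpose: flags come from %%set_build_flags and the LDFLAGS set above`. The same applies to `--without-openssl-header-check` in the later `%build` hunk, which loses its `# The check is broken` rationale. The `%configure` invocation begins before this hunk and ends after it.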
@@ -490,111 +248,80 @@ fi %endif --with-security-key-builtin=yes \ --with-pam \ -%if %{WITH_SELINUX} --with-selinux --with-audit=linux \ --with-sandbox=seccomp_filter \ -%endif -%if %{kerberos5} --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \ -%else - --without-kerberos5 \ -%endif -%if %{libedit} +%if %{with libedit} --with-libedit %else --without-libedit %endif -%if %{static_libcrypto} -perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile -%endif %make_build -# Define a variable to toggle gtk2/gtk3 building. This is necessary -# because RPM doesn't handle nested %%if statements. -%if %{gtk3} - gtk3=yes -%else - gtk3=no -%endif - -%if ! %{no_gnome_askpass} pushd contrib -if [ $gtk3 = yes ] ; then - CFLAGS="$CFLAGS %{?__global_ldflags}" \ - make gnome-ssh-askpass3 - mv gnome-ssh-askpass3 gnome-ssh-askpass -fi +CFLAGS="$CFLAGS %{?__global_ldflags}" make gnome-ssh-askpass3 +mv gnome-ssh-askpass3 gnome-ssh-askpass popd -%endif -%if %{pam_ssh_agent} -pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} +%if %{with pam} +pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 LDFLAGS="$SAVE_LDFLAGS" %configure --with-selinux \ --libexecdir=/%{_libdir}/security \ --with-mantype=man \ - --without-openssl-header-check `# The check is broken` + --without-openssl-header-check %make_build popd %endif %check -#to run tests use "--with check" %if %{?_with_check:1}%{!?_with_check:0} make tests %endif %install -mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh -mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d -mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d -mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh +mkdir -p -m755 %{buildroot}%{_sysconfdir}/ssh +mkdir -p -m755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d +mkdir -p -m755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d +mkdir -p -m755 %{buildroot}%{_libexecdir}/openssh %make_install -install -d $RPM_BUILD_ROOT/etc/pam.d/ -install -d $RPM_BUILD_ROOT/etc/sysconfig/ -install -d 
$RPM_BUILD_ROOT%{_libexecdir}/openssh -install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat -install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd -install -m644 ssh_config_anolis $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-anolis.conf -install -m644 sshd_config_anolis $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-anolis.conf -install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} -install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service -install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket -install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service -install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service -install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target -install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir} -install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service -install -m644 %{SOURCE17} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.socket -install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen -install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ -install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ +install -d %{buildroot}/etc/pam.d/ +install -d %{buildroot}/etc/sysconfig/ +install -d %{buildroot}%{_libexecdir}/openssh +install -m644 %{SOURCE2} %{buildroot}/etc/pam.d/sshd +install -m644 %{SOURCE4} %{buildroot}/etc/pam.d/ssh-keycat +install -m644 %{SOURCE5} %{buildroot}/etc/sysconfig/sshd +install -m644 ssh_config_anolis %{buildroot}/etc/ssh/ssh_config.d/50-anolis.conf +install -m644 sshd_config_anolis %{buildroot}/etc/ssh/sshd_config.d/50-anolis.conf +install -d -m755 %{buildroot}/%{_unitdir} +install -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/sshd@.service +install -m644 %{SOURCE7} %{buildroot}/%{_unitdir}/sshd.socket +install -m644 %{SOURCE8} %{buildroot}/%{_unitdir}/sshd.service +install -m644 %{SOURCE9} %{buildroot}/%{_unitdir}/sshd-keygen@.service +install -m644 %{SOURCE11} 
%{buildroot}/%{_unitdir}/sshd-keygen.target +install -d -m755 %{buildroot}/%{_userunitdir} +install -m644 %{SOURCE12} %{buildroot}/%{_userunitdir}/ssh-agent.service +install -m644 %{SOURCE13} %{buildroot}/%{_userunitdir}/ssh-agent.socket +install -m744 %{SOURCE10} %{buildroot}/%{_libexecdir}/openssh/sshd-keygen +install -m755 contrib/ssh-copy-id %{buildroot}%{_bindir}/ +install contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1/ install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd -install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf - -%if ! %{no_gnome_askpass} -install -m755 contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass -%endif +install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/openssh-server.conf -%if ! %{no_gnome_askpass} -ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass -install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ -install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ -install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ -%endif +install -m755 contrib/gnome-ssh-askpass %{buildroot}%{_libexecdir}/openssh/gnome-ssh-askpass -%if %{no_gnome_askpass} -rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.* -%endif +ln -s gnome-ssh-askpass %{buildroot}%{_libexecdir}/openssh/ssh-askpass +install -m 755 -d %{buildroot}%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.csh %{buildroot}%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.sh %{buildroot}%{_sysconfdir}/profile.d/ -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* +perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/man*/* -%if %{pam_ssh_agent} -pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} +%if %{with pam} +pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 %make_install popd %endif 
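Review bot: One line in `%install` keeps the old spelling, `install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd`, while every other path in the section was converted to `%{buildroot}`; for consistency it should read `install -d -m711 %{buildroot}%{_datadir}/empty.sshd`. In the same spirit, the `%check` guard still uses `%if %{?_with_check:1}%{!?_with_check:0}` although the spec now declares its switches with `%bcond_without`; `%bcond_with check` at the top and `%if %{with check}` here would match, and the removed hint that tests run only with `--with check` could stay as a comment.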
@@ -602,18 +329,14 @@ popd %generate_compatibility_deps %pre server -%sysusers_create_compat %{SOURCE19} +%sysusers_create_compat %{SOURCE14} # We want to remove group ownership for standard host keys if they exist test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key || : test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key || : test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || : - + %post server %systemd_post sshd.service sshd.socket -# drop-in directory (in F32+). -# Do this only if the file generated by anaconda exists, contains our config -# directive and sshd_config contains include directive as shipped in our package -%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin test -f %{sysconfig_anaconda} && \ test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \ grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \ 
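Review bot: The `%post server` block after `%systemd_post` loses its explanatory comment, and the `%global sysconfig_anaconda` definition it relies on now sits at the top of the spec. What remains is a chain of `test` and `grep -q` conditions on `PERMITROOTLOGIN="-oPermitRootLogin=yes"` with no statement of intent, in a scriptlet that gates on a root-login setting. I would keep a short comment above the chain, for example `# Only when the anaconda-generated sysconfig file exists and requests PermitRootLogin=yes, and no 01-permitrootlogin.conf drop-in is present yet`. The chain continues past the end of this hunk, so its final action is not visible here.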
@@ -636,28 +359,23 @@ test -f %{sysconfig_anaconda} && \ %systemd_user_preun ssh-agent.socket %files -%dir %{abidir} -%license LICENCE -%attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0755,root,root) %{_bindir}/ssh-keygen -%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0755,root,root) %dir %{_libexecdir}/openssh %attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign -%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* -%files doc -%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* +%license LICENCE %files clients -%attr(0755,root,root) %{_bindir}/ssh -%attr(0644,root,root) %{_mandir}/man1/ssh.1* -%attr(0755,root,root) %{_bindir}/scp -%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/ %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-anolis.conf -%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* +%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/ + +%attr(0755,root,root) %{_bindir}/ssh +%attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add %attr(0755,root,root) %{_bindir}/ssh-keyscan 
@@ -665,58 +383,71 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper +%attr(0644,root,root) %{_userunitdir}/ssh-agent.service +%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket + +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* %attr(0644,root,root) %{_mandir}/man1/ssh-add.1* %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1* +%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8* -%attr(0644,root,root) %{_userunitdir}/ssh-agent.service -%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket %files server -%dir %attr(0711,root,root) %{_datadir}/empty.sshd -%attr(0755,root,root) %{_sbindir}/sshd -%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server -%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen -%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* -%attr(0644,root,root) %{_mandir}/man5/moduli.5* -%attr(0644,root,root) %{_mandir}/man8/sshd.8* -%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config -%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/ %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-anolis.conf %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd +%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/ +%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf + +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0755,root,root) 
%{_libexecdir}/openssh/sshd-keygen + %attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd@.service %attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.target -%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf +%dir %attr(0711,root,root) %{_datadir}/empty.sshd + +%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %{_mandir}/man5/moduli.5* +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %files keycat -%doc HOWTO.ssh-keycat -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat %attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat +%doc HOWTO.ssh-keycat -%if ! %{no_gnome_askpass} %files askpass %attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.* %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass -%endif -%if %{pam_ssh_agent} +%if %{with pam} %files -n pam_ssh_agent_auth -%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE +%license pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/OPENSSH_LICENSE %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* +%dir %{abidir} %attr(0644,root,rooti) %{abidir}/pam_ssh_agent_auth.dump %endif +%files doc +%doc README* +%doc CREDITS ChangeLog OVERVIEW PROTOCOL* TODO + %changelog +* Wed Apr 12 2023 Yuanhong Peng - 9.0p1-5 +- Refactor the specfile + * Fri Mar 31 2023 mgb01105731 - 9.0p1-4 - Del Specific Fields
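Review bot: The unchanged line `%attr(0644,root,rooti) %{abidir}/pam_ssh_agent_auth.dump` in the `pam_ssh_agent_auth` file list names a group `rooti`, which looks like a typo for `root`. This refactor reorders the surrounding entries but leaves it in place. rpm normally falls back to `root` with a warning when the group does not exist, so the resulting ownership depends on that fallback instead of being stated. It should read `%attr(0644,root,root) %{abidir}/pam_ssh_agent_auth.dump`. Separately, `%dir %{abidir}` is now listed only inside `%if %{with pam}`, so if a build without pam still produces ABI dumps (not visible here), the directory would be unowned.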