From 5c8b5cb5381806d4f0b10db048ec32e4decdc993 Mon Sep 17 00:00:00 2001 From: Jan F Date: Jun 28 2011 08:35:28 +0000 Subject: Systemd compatibility according to Mathieu Bridon Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) --- diff --git a/openssh.spec b/openssh.spec index c158677..c4f78a3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -48,9 +48,6 @@ %define pam_ssh_agent 0 %endif -# Whether add systemd units -%define systemd 0 - # Reserve options to override askpass settings with: # rpm -ba|--rebuild --define 'skip_xxx 1' %{?skip_gnome_askpass:%global no_gnome_askpass 1} @@ -82,7 +79,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p2 -%define openssh_rel 10 +%define openssh_rel 13 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 31 @@ -105,11 +102,11 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p Source5: pam_ssh_agent-rmheaders Source6: ssh-keycat.pam Source7: sshd.sysconfig -Source8: ssh-keygen-dsa.service -Source9: ssh-keygen-rsa.service -Source10: ssh-keygen-rsa1.service +Source8: sshd-keygen.service +Source9: sshd@.service +Source10: sshd.socket Source11: sshd.service -Source12: sshd.socket +Source13: sshd-keygen Patch99: openssh-5.8p1-wIm.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) 
@@ -263,10 +260,27 @@ Requires: fipscheck-lib%{_isa} >= 1.3.0 Summary: An open source SSH server daemon Group: System Environment/Daemons Requires: openssh = %{version}-%{release} -Requires(post): chkconfig >= 0.9, /sbin/service Requires(pre): /usr/sbin/useradd Requires: pam >= 1.0.1-3 Requires: fipscheck-lib%{_isa} >= 1.3.0 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +# This is actually needed for the %triggerun script but Requires(triggerun) +# is not valid. We can use %post because this particular %triggerun script +# should fire just after this package is installed. +Requires(post): systemd-sysv + +# Not yet ready +# %package server-ondemand +# Summary: Systemd unit file to run an ondemand OpenSSH server +# Group: System Environment/Daemons +# Requires: %{name}-server%{?_isa} = %{version}-%{release} + +%package server-sysvinit +Summary: The SysV initscript to manage the OpenSSH server. +Group: System Environment/Daemons +Requires: %{name}-server%{?_isa} = %{version}-%{release} %if %{ldap} %package ldap @@ -319,6 +333,19 @@ into and executing commands on a remote machine. This package contains the secure shell daemon (sshd). The sshd daemon allows SSH clients to securely connect to your SSH server. +# %description server-ondemand +# OpenSSH is a free version of SSH (Secure SHell), a program for logging +# into and executing commands on a remote machine. This package contains +# the systemd unit files to run an ondemand (socket activated) SSH server. + +%description server-sysvinit +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +the SysV init script to manage the OpenSSH server when running a legacy +SysV-compatible init system. + +It is not required when the init system used is systemd. + %if %{ldap} %description ldap OpenSSH LDAP backend is a way how to distribute the authorized tokens 
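Review bot: The new `server-sysvinit` stanza depends only on `%{name}-server`, yet the package ships `/etc/rc.d/init.d/sshd` and its `%triggerpostun` registers that script with `/sbin/chkconfig`; as far as the visible lines show, the dropped `Requires(post): chkconfig >= 0.9, /sbin/service` was what pulled those tools in. Because the trigger ends in `|| :`, a missing chkconfig would leave the init script unregistered without any error. Add `Requires: chkconfig` and `Requires: initscripts` to the stanza (the init script relies on the `success`/`failure` helpers). The `Summary:` line also ends with a period, which rpmlint flags.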
@@ -541,14 +568,12 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd -%if %{systemd} +install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} -install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-dsa.service -install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa.service -install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa1.service +install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service +install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service +install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service -install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket -%endif install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ 
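Review bot: The install lines for `sshd@.service` and `sshd.socket` put both files into the buildroot, but their only `%files` entries (in the `-710,14` hunk) sit inside the commented-out `server-ondemand` stanza, so no package owns them. With rpm's default unpackaged-files check this presumably aborts the build, and with the check relaxed the units are silently dropped. Until the subpackage is enabled, comment the two lines out as well, e.g. `# install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service`, with a short comment pointing at the pending `server-ondemand` package.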
@@ -602,56 +627,39 @@ getent passwd sshd >/dev/null || \ %endif %post server -%if %{systemd} -if [ -x /bin/systemctl ]; then - if [ $1 -eq 1 ]; then +if [ $1 -eq 1 ] ; then /bin/systemctl enable sshd.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-dsa.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-rsa.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-rsa1.service >/dev/null 2>&1 || : - fi + /bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 || : fi -%endif -if [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add sshd -fi -exit 0 %postun server -%if %{systemd} -if [ -x /bin/systemctl ]; then - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - if [ $1 -ge 1 ]; then +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + # Package upgrade, not uninstall /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : - fi -fi -%endif -if [ -x /sbin/service ]; then - if [ $1 -ne 0 ]; then - /sbin/service sshd condrestart > /dev/null 2>&1 || : - fi + /bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || : fi -exit 0 %preun server -if [ $1 -eq 0 ]; then -%if %{systemd} - if [ -x /bin/systemctl ]; then - /bin/systemctl disable sshd.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-dsa.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-rsa.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-rsa1.service > /dev/null 2>&1 || : +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable sshd.service > /dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd-keygen.service > /dev/null 2>&1 || : /bin/systemctl stop sshd.service > /dev/null 2>&1 || : - fi -%endif - if [ -x /sbin/service ]; then - /sbin/service sshd stop > /dev/null 2>&1 || : - fi - if [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --del sshd - fi + /bin/systemctl stop sshd-keygen.service > /dev/null 2>&1 || : fi -exit 0 + +%triggerun -n 
openssh-server -- openssh-server < 5.8p2-12 +/usr/bin/systemd-sysv-convert --save sshd >/dev/null 2>&1 || : +/bin/systemctl enable sshd.service >/dev/null 2>&1 +/bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 +/sbin/chkconfig --del sshd >/dev/null 2>&1 || : +/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : +# This one was never a service, so we don't simply restart it +/bin/systemctl is-active -q sshd.service && /bin/systemctl start sshd-keygen.service >/dev/null 2>&1 || : + +%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12 +/sbin/chkconfig --add sshd >/dev/null 2>&1 || : %files %defattr(-,root,root) @@ -701,6 +709,7 @@ exit 0 %defattr(-,root,root) %dir %attr(0711,root,root) %{_var}/empty/sshd %attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_sbindir}/sshd-keygen %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* @@ -710,14 +719,17 @@ exit 0 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd -%attr(0755,root,root) /etc/rc.d/init.d/sshd -%if %{systemd} -%attr(0644,root,root) %{_unitdir}/ssh-keygen-dsa.service -%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa.service -%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa1.service +%attr(0644,root,root) %{_unitdir}/sshd-keygen.service %attr(0644,root,root) %{_unitdir}/sshd.service -%attr(0644,root,root) %{_unitdir}/sshd.socket -%endif + +# %files server-ondemand +# %defattr(-,root,root) +# %attr(0644,root,root) %{_unitdir}/sshd@.service +# %attr(0644,root,root) %{_unitdir}/sshd.socket + +%files server-sysvinit +%defattr(-,root,root) +%attr(0755,root,root) /etc/rc.d/init.d/sshd %endif %if %{ldap} 
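Review bot: In the `%triggerun` script, `/bin/systemctl enable sshd.service` runs unconditionally, so upgrading from a release older than 5.8p2-12 enables the SSH daemon at boot even on a host where it had been switched off under SysV; `systemd-sysv-convert --save` only records the old runlevel state and nothing in the script consults it. Consider enabling only when the service was on before, for example `/sbin/chkconfig sshd >/dev/null 2>&1 && /bin/systemctl enable sshd.service >/dev/null 2>&1 || :`, placed before the `chkconfig --del` line. The two `enable` lines are also the only commands in these scriptlets without the trailing `|| :`. If autostart on upgrade is deliberate, a comment above the trigger saying so would help.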
@@ -753,6 +765,14 @@ exit 0 %endif %changelog +* Tue Jun 28 2011 Jan F. Chadima - 5.8p2-11 + 0.9.2-31 +- Systemd compatibility according to Mathieu Bridon +- Split out the host keygen into their own command, to ease future migration + to systemd. Compatitbility with the init script was kept. +- Migrate the package to full native systemd unit files, according to the Fedora + packaging guidelines. +- Prepate the unit files for running an ondemand server. (do not add it actually) + * Tue Jun 21 2011 Jan F. Chadima - 5.8p2-10 + 0.9.2-31 - Mention IPv6 usage in man pages diff --git a/ssh-keygen-dsa.service b/ssh-keygen-dsa.service deleted file mode 100644 index 11504cf..0000000 --- a/ssh-keygen-dsa.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=SSH DSA Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_dsa_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_dsa_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_dsa_key.pub -ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/ssh-keygen-rsa.service b/ssh-keygen-rsa.service deleted file mode 100644 index ca23a07..0000000 --- a/ssh-keygen-rsa.service +++ /dev/null 
@@ -1,18 +0,0 @@ -[Unit] -Description=SSH RSA Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_rsa_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_rsa_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_rsa_key.pub -ExecStartPost=/sbin/restorecon /ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/ssh-keygen-rsa1.service b/ssh-keygen-rsa1.service deleted file mode 100644 index 1ec5626..0000000 --- a/ssh-keygen-rsa1.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=SSH RSA1 Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_key.pub -ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/sshd.init b/sshd.init index 720c1d2..8901b4f 100755 --- a/sshd.init +++ b/sshd.init 
@@ -37,79 +37,12 @@ prog="sshd" lockfile=/var/lock/subsys/$prog # Some functions to make the below more readable -KEYGEN=/usr/bin/ssh-keygen SSHD=/usr/sbin/sshd -RSA1_KEY=/etc/ssh/ssh_host_key -RSA_KEY=/etc/ssh/ssh_host_rsa_key -DSA_KEY=/etc/ssh/ssh_host_dsa_key XPID_FILE=/var/run/sshd.pid PID_FILE=/var/run/sshd-s.pid runlevel=$(set -- $(runlevel); eval "echo \$$#" ) -do_rsa1_keygen() { - if [ ! -s $RSA1_KEY ]; then - echo -n $"Generating SSH1 RSA host key: " - rm -f $RSA1_KEY - if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA1_KEY - chmod 640 $RSA1_KEY - chmod 644 $RSA1_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA1_KEY.pub - fi - success $"RSA1 key generation" - echo - else - failure $"RSA1 key generation" - echo - exit 1 - fi - fi -} - -do_rsa_keygen() { - if [ ! -s $RSA_KEY ]; then - echo -n $"Generating SSH2 RSA host key: " - rm -f $RSA_KEY - if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA_KEY - chmod 640 $RSA_KEY - chmod 644 $RSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA_KEY.pub - fi - success $"RSA key generation" - echo - else - failure $"RSA key generation" - echo - exit 1 - fi - fi -} - -do_dsa_keygen() { - if [ ! -s $DSA_KEY ]; then - echo -n $"Generating SSH2 DSA host key: " - rm -f $DSA_KEY - if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $DSA_KEY - chmod 640 $DSA_KEY - chmod 644 $DSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $DSA_KEY.pub - fi - success $"DSA key generation" - echo - else - failure $"DSA key generation" - echo - exit 1 - fi - fi -} - do_restart_sanity_check() { $SSHD -t 
@@ -125,13 +58,7 @@ start() [ -x $SSHD ] || exit 5 [ -f /etc/ssh/sshd_config ] || exit 6 # Create keys if necessary - if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then - do_rsa_keygen - if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then - do_rsa1_keygen - do_dsa_keygen - fi - fi + /usr/sbin/sshd-keygen echo -n $"Starting $prog: " $SSHD $OPTIONS && success || failure diff --git a/sshd.service b/sshd.service index 0f8e9f0..c69f017 100644 --- a/sshd.service +++ b/sshd.service @@ -3,11 +3,8 @@ Description=OpenSSH server daemon. After=syslog.target network.target [Service] -Type=forking -PIDFile=/var/run/sshd.pid -EnvironmentFile=/etc/sysconfig/sshd -ExecStartPre=/usr/sbin/sshd -t -ExecStart=/usr/sbin/sshd $OPTIONS +ExecStart=/usr/sbin/sshd -D +ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target diff --git a/sshd.socket b/sshd.socket index a278031..fd68407 100644 --- a/sshd.socket +++ b/sshd.socket @@ -1,5 +1,4 @@ [Unit] -Description=OpenSSH Server Socket. Conflicts=sshd.service [Socket]
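Review bot: The exit status of `/usr/sbin/sshd-keygen` is ignored in `start()`, whereas the removed `do_*_keygen` helpers ended the start with `exit 1` when key generation failed. If the helper can fail part-way (its source is not in this hunk), sshd would now start with whatever subset of host keys exists; `/usr/sbin/sshd-keygen || exit 1` would keep the old fail-closed behaviour. The inline `AUTOCREATE_SERVER_KEYS` checks are gone too, so the helper has to read `/etc/sysconfig/sshd` itself for that setting to keep working, which is worth confirming. `start()` begins and ends outside the hunk.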
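Review bot: The new `[Service]` section in sshd.service drops `EnvironmentFile=/etc/sysconfig/sshd` and `$OPTIONS`, so any sshd options an administrator set in that file (still shipped as `%config(noreplace)` by the spec) are silently ignored once the host runs under systemd. Keeping `EnvironmentFile=-/etc/sysconfig/sshd` and `ExecStart=/usr/sbin/sshd -D $OPTIONS` would preserve them. The `ExecStartPre=/usr/sbin/sshd -t` check is removed as well, and the added `ExecReload` sends SIGHUP with no configuration test, so a reload with a broken `sshd_config` can leave the host without a listening daemon. An `ExecReload=/usr/sbin/sshd -t` line ahead of the `kill -HUP` line would guard against that.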