diff --git a/openssh.spec b/openssh.spec index c158677..c4f78a3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -48,9 +48,6 @@ %define pam_ssh_agent 0 %endif -# Whether add systemd units -%define systemd 0 - # Reserve options to override askpass settings with: # rpm -ba|--rebuild --define 'skip_xxx 1' %{?skip_gnome_askpass:%global no_gnome_askpass 1} @@ -82,7 +79,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p2 -%define openssh_rel 10 +%define openssh_rel 13 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 31 @@ -105,11 +102,11 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p Source5: pam_ssh_agent-rmheaders Source6: ssh-keycat.pam Source7: sshd.sysconfig -Source8: ssh-keygen-dsa.service -Source9: ssh-keygen-rsa.service -Source10: ssh-keygen-rsa1.service +Source8: sshd-keygen.service +Source9: sshd@.service +Source10: sshd.socket Source11: sshd.service -Source12: sshd.socket +Source13: sshd-keygen Patch99: openssh-5.8p1-wIm.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) @@ -263,10 +260,27 @@ Requires: fipscheck-lib%{_isa} >= 1.3.0 Summary: An open source SSH server daemon Group: System Environment/Daemons Requires: openssh = %{version}-%{release} -Requires(post): chkconfig >= 0.9, /sbin/service Requires(pre): /usr/sbin/useradd Requires: pam >= 1.0.1-3 Requires: fipscheck-lib%{_isa} >= 1.3.0 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +# This is actually needed for the %triggerun script but Requires(triggerun) +# is not valid. We can use %post because this particular %triggerun script +# should fire just after this package is installed. +Requires(post): systemd-sysv + +# Not yet ready +# %package server-ondemand +# Summary: Systemd unit file to run an ondemand OpenSSH server +# Group: System Environment/Daemons +# Requires: %{name}-server%{?_isa} = %{version}-%{release} + +%package server-sysvinit +Summary: The SysV initscript to manage the OpenSSH server. +Group: System Environment/Daemons +Requires: %{name}-server%{?_isa} = %{version}-%{release} %if %{ldap} %package ldap @@ -319,6 +333,19 @@ into and executing commands on a remote machine. This package contains the secure shell daemon (sshd). The sshd daemon allows SSH clients to securely connect to your SSH server. +# %description server-ondemand +# OpenSSH is a free version of SSH (Secure SHell), a program for logging +# into and executing commands on a remote machine. This package contains +# the systemd unit files to run an ondemand (socket activated) SSH server. + +%description server-sysvinit +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +the SysV init script to manage the OpenSSH server when running a legacy +SysV-compatible init system. + +It is not required when the init system used is systemd. + %if %{ldap} %description ldap OpenSSH LDAP backend is a way how to distribute the authorized tokens @@ -541,14 +568,12 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd -%if %{systemd} +install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} -install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-dsa.service -install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa.service -install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/ssh-keygen-rsa1.service +install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service +install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service +install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service -install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket -%endif install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ @@ -602,56 +627,39 @@ getent passwd sshd >/dev/null || \ %endif %post server -%if %{systemd} -if [ -x /bin/systemctl ]; then - if [ $1 -eq 1 ]; then +if [ $1 -eq 1 ] ; then /bin/systemctl enable sshd.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-dsa.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-rsa.service >/dev/null 2>&1 || : - /bin/systemctl enable ssh-keygen-rsa1.service >/dev/null 2>&1 || : - fi + /bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 || : fi -%endif -if [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add sshd -fi -exit 0 %postun server -%if %{systemd} -if [ -x /bin/systemctl ]; then - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - if [ $1 -ge 1 ]; then +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + # Package upgrade, not uninstall /bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : - fi -fi -%endif -if [ -x /sbin/service ]; then - if [ $1 -ne 0 ]; then - /sbin/service sshd condrestart > /dev/null 2>&1 || : - fi + /bin/systemctl try-restart sshd-keygen.service >/dev/null 2>&1 || : fi -exit 0 %preun server -if [ $1 -eq 0 ]; then -%if %{systemd} - if [ -x /bin/systemctl ]; then - /bin/systemctl disable sshd.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-dsa.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-rsa.service > /dev/null 2>&1 || : - /bin/systemctl disable ssh-keygen-rsa1.service > /dev/null 2>&1 || : +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable sshd.service > /dev/null 2>&1 || : + /bin/systemctl --no-reload disable sshd-keygen.service > /dev/null 2>&1 || : /bin/systemctl stop sshd.service > /dev/null 2>&1 || : - fi -%endif - if [ -x /sbin/service ]; then - /sbin/service sshd stop > /dev/null 2>&1 || : - fi - if [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --del sshd - fi + /bin/systemctl stop sshd-keygen.service > /dev/null 2>&1 || : fi -exit 0 + +%triggerun -n openssh-server -- openssh-server < 5.8p2-12 +/usr/bin/systemd-sysv-convert --save sshd >/dev/null 2>&1 || : +/bin/systemctl enable sshd.service >/dev/null 2>&1 +/bin/systemctl enable sshd-keygen.service >/dev/null 2>&1 +/sbin/chkconfig --del sshd >/dev/null 2>&1 || : +/bin/systemctl try-restart sshd.service >/dev/null 2>&1 || : +# This one was never a service, so we don't simply restart it +/bin/systemctl is-active -q sshd.service && /bin/systemctl start sshd-keygen.service >/dev/null 2>&1 || : + +%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12 +/sbin/chkconfig --add sshd >/dev/null 2>&1 || : %files %defattr(-,root,root) @@ -701,6 +709,7 @@ exit 0 %defattr(-,root,root) %dir %attr(0711,root,root) %{_var}/empty/sshd %attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_sbindir}/sshd-keygen %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* @@ -710,14 +719,17 @@ exit 0 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd -%attr(0755,root,root) /etc/rc.d/init.d/sshd -%if %{systemd} -%attr(0644,root,root) %{_unitdir}/ssh-keygen-dsa.service -%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa.service -%attr(0644,root,root) %{_unitdir}/ssh-keygen-rsa1.service +%attr(0644,root,root) %{_unitdir}/sshd-keygen.service %attr(0644,root,root) %{_unitdir}/sshd.service -%attr(0644,root,root) %{_unitdir}/sshd.socket -%endif + +# %files server-ondemand +# %defattr(-,root,root) +# %attr(0644,root,root) %{_unitdir}/sshd@.service +# %attr(0644,root,root) %{_unitdir}/sshd.socket + +%files server-sysvinit +%defattr(-,root,root) +%attr(0755,root,root) /etc/rc.d/init.d/sshd %endif %if %{ldap} @@ -753,6 +765,14 @@ exit 0 %endif %changelog +* Tue Jun 28 2011 Jan F. Chadima - 5.8p2-11 + 0.9.2-31 +- Systemd compatibility according to Mathieu Bridon +- Split out the host keygen into their own command, to ease future migration + to systemd. Compatitbility with the init script was kept. +- Migrate the package to full native systemd unit files, according to the Fedora + packaging guidelines. +- Prepate the unit files for running an ondemand server. (do not add it actually) + * Tue Jun 21 2011 Jan F. Chadima - 5.8p2-10 + 0.9.2-31 - Mention IPv6 usage in man pages diff --git a/ssh-keygen-dsa.service b/ssh-keygen-dsa.service deleted file mode 100644 index 11504cf..0000000 --- a/ssh-keygen-dsa.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=SSH DSA Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_dsa_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_dsa_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_dsa_key.pub -ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/ssh-keygen-rsa.service b/ssh-keygen-rsa.service deleted file mode 100644 index ca23a07..0000000 --- a/ssh-keygen-rsa.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=SSH RSA Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_rsa_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_rsa_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_rsa_key.pub -ExecStartPost=/sbin/restorecon /ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/ssh-keygen-rsa1.service b/ssh-keygen-rsa1.service deleted file mode 100644 index 1ec5626..0000000 --- a/ssh-keygen-rsa1.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=SSH RSA1 Keygeneration. -After=syslog.target -Before=sshd.service -ConditionPathExists=!/etc/ssh/ssh_host_key - -[Service] -Type=oneshot -EnvironmentFile=/etc/sysconfig/sshd -ExecStart=/usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N '' -ExecStartPost=/bin/chown root:ssh_keys /etc/ssh/ssh_host_key -ExecStartPost=/bin/chmod 640 /etc/ssh/ssh_host_key -ExecStartPost=/bin/chmod 644 /etc/ssh/ssh_host_key.pub -ExecStartPost=/sbin/restorecon /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/sshd.init b/sshd.init index 720c1d2..8901b4f 100755 --- a/sshd.init +++ b/sshd.init @@ -37,79 +37,12 @@ prog="sshd" lockfile=/var/lock/subsys/$prog # Some functions to make the below more readable -KEYGEN=/usr/bin/ssh-keygen SSHD=/usr/sbin/sshd -RSA1_KEY=/etc/ssh/ssh_host_key -RSA_KEY=/etc/ssh/ssh_host_rsa_key -DSA_KEY=/etc/ssh/ssh_host_dsa_key XPID_FILE=/var/run/sshd.pid PID_FILE=/var/run/sshd-s.pid runlevel=$(set -- $(runlevel); eval "echo \$$#" ) -do_rsa1_keygen() { - if [ ! -s $RSA1_KEY ]; then - echo -n $"Generating SSH1 RSA host key: " - rm -f $RSA1_KEY - if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA1_KEY - chmod 640 $RSA1_KEY - chmod 644 $RSA1_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA1_KEY.pub - fi - success $"RSA1 key generation" - echo - else - failure $"RSA1 key generation" - echo - exit 1 - fi - fi -} - -do_rsa_keygen() { - if [ ! -s $RSA_KEY ]; then - echo -n $"Generating SSH2 RSA host key: " - rm -f $RSA_KEY - if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA_KEY - chmod 640 $RSA_KEY - chmod 644 $RSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA_KEY.pub - fi - success $"RSA key generation" - echo - else - failure $"RSA key generation" - echo - exit 1 - fi - fi -} - -do_dsa_keygen() { - if [ ! -s $DSA_KEY ]; then - echo -n $"Generating SSH2 DSA host key: " - rm -f $DSA_KEY - if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $DSA_KEY - chmod 640 $DSA_KEY - chmod 644 $DSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $DSA_KEY.pub - fi - success $"DSA key generation" - echo - else - failure $"DSA key generation" - echo - exit 1 - fi - fi -} - do_restart_sanity_check() { $SSHD -t @@ -125,13 +58,7 @@ start() [ -x $SSHD ] || exit 5 [ -f /etc/ssh/sshd_config ] || exit 6 # Create keys if necessary - if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then - do_rsa_keygen - if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then - do_rsa1_keygen - do_dsa_keygen - fi - fi + /usr/sbin/sshd-keygen echo -n $"Starting $prog: " $SSHD $OPTIONS && success || failure diff --git a/sshd.service b/sshd.service index 0f8e9f0..c69f017 100644 --- a/sshd.service +++ b/sshd.service @@ -3,11 +3,8 @@ Description=OpenSSH server daemon. After=syslog.target network.target [Service] -Type=forking -PIDFile=/var/run/sshd.pid -EnvironmentFile=/etc/sysconfig/sshd -ExecStartPre=/usr/sbin/sshd -t -ExecStart=/usr/sbin/sshd $OPTIONS +ExecStart=/usr/sbin/sshd -D +ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target diff --git a/sshd.socket b/sshd.socket index a278031..fd68407 100644 --- a/sshd.socket +++ b/sshd.socket @@ -1,5 +1,4 @@ [Unit] -Description=OpenSSH Server Socket. Conflicts=sshd.service [Socket]