# Do we want SELinux & Audit

%if 0%{?!noselinux:1}

%define WITH_SELINUX 1

%else

%define WITH_SELINUX 0

%endif

# OpenSSH privilege separation requires a user & group ID

%define sshd_uid    74

%define sshd_gid    74

# Do we want to disable building of gnome-askpass? (1=yes 0=no)

%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)

%define static_libcrypto 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass

%define gtk2 1

# Build position-independent executables (requires toolchain support)?

%define pie 1

# Do we want kerberos5 support (1=yes 0=no)

%define kerberos5 1

# Do we want libedit support

%define libedit 1

# Do we want LDAP support

%define ldap 1

# Whether to build pam_ssh_agent_auth

%if 0%{?!nopam:1}

%define pam_ssh_agent 1

%else

%define pam_ssh_agent 0

%endif

# Reserve options to override askpass settings with:

# rpm -ba|--rebuild --define 'skip_xxx 1'

%{?skip_gnome_askpass:%global no_gnome_askpass 1}

# Add option to build without GTK2 for older platforms with only GTK+.

# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.

# rpm -ba|--rebuild --define 'no_gtk2 1'

%{?no_gtk2:%global gtk2 0}

# Options for static OpenSSL link:

# rpm -ba|--rebuild --define "static_openssl 1"

%{?static_openssl:%global static_libcrypto 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)

%define rescue 0

%{?build_rescue:%global rescue 1}

%{?build_rescue:%global rescue_rel rescue}

# Turn off some stuff for resuce builds

%if %{rescue}

%define kerberos5 0

%define libedit 0

%define pam_ssh_agent 0

%endif

# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1

%define openssh_ver 6.6.1p1

%define openssh_rel 35

%define pam_ssh_agent_ver 0.9.3

%define pam_ssh_agent_rel 9

Summary: An open source implementation of SSH protocol versions 1 and 2

Name: openssh

Version: %{openssh_ver}

Release: %{openssh_rel}%{?dist}%{?rescue_rel}

URL: http://www.openssh.com/portable.html

#URL1: http://pamsshagentauth.sourceforge.net

# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz

Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz

#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc

Source2: sshd.pam

Source3: sshd.init

Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2

Source5: pam_ssh_agent-rmheaders

Source6: ssh-keycat.pam

Source7: sshd.sysconfig

Source9: sshd@.service

Source10: sshd.socket

Source11: sshd.service

Source12: sshd-keygen.service

Source13: sshd-keygen

# Internal debug

Patch0: openssh-5.9p1-wIm.patch

#?

Patch100: openssh-6.6.1p1-coverity.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Patch101: openssh-6.6p1-fingerprint.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1889

Patch103: openssh-5.8p1-packet.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1402

Patch200: openssh-6.6p1-audit.patch

# https://bugzilla.redhat.com/show_bug.cgi?id=1171248

# record pfs= field in CRYPTO_SESSION audit event

Patch201: openssh-6.6.1p1-audit-pfs.patch

# Do not write to one socket from more processes (#1310684)

Patch202: openssh-6.6p1-audit-race-condition.patch

# --- pam_ssh-agent ---

# make it build reusing the openssh sources

Patch300: pam_ssh_agent_auth-0.9.3-build.patch

# check return value of seteuid()

Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch

# explicitly make pam callbacks visible

Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch

# don't use xfree (#1024965)

Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch

# don't use xfree (#1024965)

Patch304: pam_ssh_agent_auth-0.9.3-command.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)

Patch400: openssh-6.6p1-role-mls.patch

#https://bugzilla.redhat.com/show_bug.cgi?id=781634

Patch404: openssh-6.6p1-privsep-selinux.patch

#?-- unwanted child :(

Patch501: openssh-6.6p1-ldap.patch

#?

Patch502: openssh-6.6p1-keycat.patch

#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644

Patch601: openssh-6.6p1-allow-ip-opts.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Patch604: openssh-6.6p1-keyperm.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1925

Patch606: openssh-5.9p1-ipv6man.patch

#?

Patch607: openssh-5.8p2-sigpipe.patch

#?

Patch608: openssh-6.1p1-askpass-ld.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1789

Patch609: openssh-5.5p1-x11.patch

#?

Patch700: openssh-6.6p1-fips.patch

#?

# drop? Patch701: openssh-5.6p1-exit-deadlock.patch

#?

Patch702: openssh-5.1p1-askpass-progress.patch

#?

Patch703: openssh-4.3p2-askpass-grab-info.patch

# https://bugzilla.redhat.com/show_bug.cgi?id=205842

# drop? Patch704: openssh-5.9p1-edns.patch

#?

Patch706: openssh-6.6.1p1-localdomain.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)

Patch707: openssh-6.6p1-redhat.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)

Patch708: openssh-6.6p1-entropy.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)

Patch709: openssh-6.2p1-vendor.patch

# warn users for unsupported UsePAM=no (#757545)

Patch711: openssh-6.6p1-log-usepam-no.patch

# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL

Patch712: openssh-6.3p1-ctr-evp-fast.patch

# add cavs test binary for the aes-ctr

Patch713: openssh-6.6p1-ctr-cavstest.patch

#http://www.sxw.org.uk/computing/patches/openssh.html

#changed cache storage type - #848228

Patch800: openssh-6.6p1-gsskex.patch

#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html

Patch801: openssh-6.6p1-force_krb.patch

# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)

# CVE-2014-9278

Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch

# Respect k5login_directory option in krk5.conf (#1328243)

Patch803: openssh-6.6p1-k5login_directory.patch

Patch900: openssh-6.1p1-gssapi-canohost.patch

#https://bugzilla.mindrot.org/show_bug.cgi?id=1780

Patch901: openssh-6.6p1-kuserok.patch

# use default_ccache_name from /etc/krb5.conf (#991186)

Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch

# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375

Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch

# Use tty allocation for a remote scp (#985650)

Patch906: openssh-6.4p1-fromto-remote.patch

# Try CLOCK_BOOTTIME with fallback (#1091992)

Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch

# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey

# dialog by offering only certificate keys. (#1081338)

Patch908: openssh-6.6p1-CVE-2014-2653.patch

# OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly

# Disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6

Patch909: openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch

# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)

Patch910: openssh-6.6.1p1-NI_MAXHOST.patch

# set a client's address right after a connection is set

# http://bugzilla.mindrot.org/show_bug.cgi?id=2257

Patch911: openssh-6.6p1-set_remote_ipaddr.patch

# apply RFC3454 stringprep to banners when possible

# https://bugzilla.mindrot.org/show_bug.cgi?id=2058

# slightly changed patch from comment 10

Patch912: openssh-6.6.1p1-utf8-banner.patch

# don't consider a partial success as a failure

# https://bugzilla.mindrot.org/show_bug.cgi?id=2270

Patch913: openssh-6.6.1p1-partial-success.patch

# log when a client requests an interactive session and only sftp is allowed (#1130198)

Patch914: openssh-6.6.1p1-log-sftp-only-connections.patch

# fix parsing of empty options in sshd_conf

# https://bugzilla.mindrot.org/show_bug.cgi?id=2281

Patch915: openssh-6.6.1p1-servconf-parser.patch

# Ignore SIGXFSZ in postauth monitor

# https://bugzilla.mindrot.org/show_bug.cgi?id=2263

Patch916: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch

# log via monitor in chroots without /dev/log (#1083482)

Patch918: openssh-6.6.1p1-log-in-chroot.patch

# MLS labeling according to chosen sensitivity (#1202843)

Patch919: openssh-6.6.1p1-mls-fix-labeling.patch

# sshd test mode show all config values (#1187597)

Patch920: openssh-6.6p1-test-mode-all-values.patch

# Add sftp option to force mode of created files (#1191055)

Patch921: openssh-6.6p1-sftp-force-permission.patch

# TERM env variable is always accepted by sshd, regardless the empty AcceptEnv setting (#1162683)

Patch922: openssh-6.6p1-document-TERM-env.patch

# fix ssh-copy-id on non-sh remote shells (#1201758)

Patch923: openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch

# fix memory problem (#1223218)

Patch924: openssh-6.6p1-memory-problems.patch

# Enhance AllowGroups documentation in man page (#1150007)

Patch925: openssh-6.6p1-allowGroups-documentation.patch

# authentication limits (MaxAuthTries) bypass [security] (#1246521)

Patch926: openssh-6.6p1-authentication-limits-bypass.patch

# CVE-2015-5352: Security fixes backported from openssh-6.9 (#1247864)

# XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)

# weakness of agent locking (ssh-add -x) to password guessing (#1238238)

Patch927: openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch

# provide option GssKexAlgorithms to disable vulnerable groun1 kex

Patch928: openssh-6.6p1-gssKexAlgorithms.patch

# Vulnerabilities published with openssh-7.0 (#1265807):

#  Privilege separation weakness related to PAM support

#  Use-after-free bug related to PAM support

Patch929: openssh-6.6p1-security-7.0.patch

# Disable completely Roaming feature on client (#1298218) (#1298217)

# Mitigates CVE-2016-0777 and CVE-2016-0778

Patch930: openssh-6.6p1-disable-roaming.patch

# CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1316829)

Patch931: openssh-6.6p1-CVE-2016-3115.patch

# CVE-2016-1908: possible fallback from untrusted X11 forwarding (#1298741)

Patch932: openssh-6.6p1-fallback-X11-untrusted.patch

# CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (#1328012)

Patch933: openssh-6.6p1-CVE-2015-8325.patch

# close ControlPersist background process stderr when not in debug mode (#1335540)

Patch934: openssh-6.6p1-ControlPersist-stderr.patch

# make s390 use /dev/ crypto devices -- ignore closefrom (#1318760)

Patch935: openssh-6.6p1-s390-closefrom.patch

# Default value and proper dump of  AuthenticationMethods (#1237129)

Patch936: openssh-6.6p1-AuthenticationMethods.patch

# ssh-copy-id does not work with LogLevel=quiet (#1349556)

Patch937: openssh-6.6p1-ssh-copy-id-quiet.patch

# expose more information to PAM (#1312304)

Patch938: openssh-6.6p1-expose-auth-information.patch

# Move MAX_DISPLAYS to a configuration option (#1341302)

Patch939: openssh-6.6p1-x11-max-displays.patch

# Add a wildcard option to PermitOpen directive (#1344106)

Patch940: openssh-6.6p1-permitopen-any-host.patch

# Rework capabilities handling for SELinux confined users (#1357859)

Patch941: openssh-6.6p1-chroot-capabilities.patch

# Add systemd stuff so it can track running service (#1381997)

Patch942: openssh-6.6p1-systemd.patch

License: BSD

Group: Applications/Internet

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

Requires: /sbin/nologin

%if ! %{no_gnome_askpass}

%if %{gtk2}

BuildRequires: gtk2-devel

BuildRequires: libX11-devel

%else

BuildRequires: gnome-libs-devel

%endif

%endif

%if %{ldap}

BuildRequires: openldap-devel

%endif

BuildRequires: autoconf, automake, perl, zlib-devel

BuildRequires: audit-libs-devel >= 2.0.5

BuildRequires: util-linux, groff

BuildRequires: pam-devel

BuildRequires: tcp_wrappers-devel

BuildRequires: fipscheck-devel >= 1.3.0

BuildRequires: openssl-devel >= 0.9.8j

BuildRequires: perl-podlators

BuildRequires: systemd-devel

%if %{kerberos5}

BuildRequires: krb5-devel

%endif

%if %{libedit}

BuildRequires: libedit-devel ncurses-devel

%endif

%if %{WITH_SELINUX}

Conflicts: selinux-policy < 3.13.1-92

Requires: libselinux >= 1.27.7

BuildRequires: libselinux-devel >= 1.27.7

Requires: audit-libs >= 1.0.8

BuildRequires: audit-libs >= 1.0.8

BuildRequires: libcap-ng-devel

%endif

BuildRequires: xauth

%package clients

Summary: An open source SSH client applications

Group: Applications/Internet

Requires: openssh = %{version}-%{release}

Requires: fipscheck-lib%{_isa} >= 1.3.0

%package server

Summary: An open source SSH server daemon

Group: System Environment/Daemons

Requires: openssh = %{version}-%{release}

Requires(pre): /usr/sbin/useradd

Requires: pam >= 1.0.1-3

Requires: fipscheck-lib%{_isa} >= 1.3.0

Requires(post): systemd-units

Requires(preun): systemd-units

Requires(postun): systemd-units

%package server-sysvinit

Summary: The SysV initscript to manage the OpenSSH server.

Group: System Environment/Daemons

Requires: %{name}-server%{?_isa} = %{version}-%{release}

%if %{ldap}

%package ldap

Summary: A LDAP support for open source SSH server daemon

Requires: openssh = %{version}-%{release}

Group: System Environment/Daemons

%endif

%package keycat

Summary: A mls keycat backend for openssh

Requires: openssh = %{version}-%{release}

Group: System Environment/Daemons

%package askpass

Summary: A passphrase dialog for OpenSSH and X

Group: Applications/Internet

Requires: openssh = %{version}-%{release}

Obsoletes: openssh-askpass-gnome

Provides: openssh-askpass-gnome

%package -n pam_ssh_agent_auth

Summary: PAM module for authentication with ssh-agent

Group: System Environment/Base

Version: %{pam_ssh_agent_ver}

Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}

License: BSD

%description

SSH (Secure SHell) is a program for logging into and executing

commands on a remote machine. SSH is intended to replace rlogin and

rsh, and to provide secure encrypted communications between two

untrusted hosts over an insecure network. X11 connections and

arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing

it up to date in terms of security and features.

This package includes the core files necessary for both the OpenSSH

client and server. To make this package useful, you should also

install openssh-clients, openssh-server, or both.

%description clients

OpenSSH is a free version of SSH (Secure SHell), a program for logging

into and executing commands on a remote machine. This package includes

the clients necessary to make encrypted connections to SSH servers.

%description server

OpenSSH is a free version of SSH (Secure SHell), a program for logging

into and executing commands on a remote machine. This package contains

the secure shell daemon (sshd). The sshd daemon allows SSH clients to

securely connect to your SSH server.

%description server-sysvinit

OpenSSH is a free version of SSH (Secure SHell), a program for logging

into and executing commands on a remote machine. This package contains

the SysV init script to manage the OpenSSH server when running a legacy

SysV-compatible init system.

It is not required when the init system used is systemd.

%if %{ldap}

%description ldap

OpenSSH LDAP backend is a way how to distribute the authorized tokens

among the servers in the network.

%endif

%description keycat

OpenSSH mls keycat is backend for using the authorized keys in the

openssh in the mls mode.

%description askpass

OpenSSH is a free version of SSH (Secure SHell), a program for logging

into and executing commands on a remote machine. This package contains

an X11 passphrase dialog for OpenSSH.

%description -n pam_ssh_agent_auth

This package contains a PAM module which can be used to authenticate

users using ssh keys stored in a ssh-agent. Through the use of the

forwarding of ssh-agent connection it also allows to authenticate with

remote ssh-agent instance.

The module is most useful for su and sudo service stacks.

%prep

%setup -q -a 4 -n openssh-6.6p1

#Do not enable by default

%if 0

%patch0 -p1 -b .wIm

%endif

%patch101 -p1 -b .fingerprint

%patch103 -p1 -b .packet

%if %{pam_ssh_agent}

pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}

%patch300 -p1 -b .psaa-build

%patch301 -p1 -b .psaa-seteuid

%patch302 -p1 -b .psaa-visibility

%patch303 -p1 -b .psaa-xfree

%patch304 -p2 -b .psaa-command

# Remove duplicate headers

rm -f $(cat %{SOURCE5})

popd

%endif

%if %{WITH_SELINUX}

%patch400 -p1 -b .role-mls

%patch404 -p1 -b .privsep-selinux

%endif

%if %{ldap}

%patch501 -p1 -b .ldap

%endif

%patch502 -p1 -b .keycat

%patch601 -p1 -b .ip-opts

%patch604 -p1 -b .keyperm

%patch606 -p1 -b .ipv6man

%patch607 -p1 -b .sigpipe

%patch608 -p1 -b .askpass-ld

%patch609 -p1 -b .x11

# 

# drop? %patch701 -p1 -b .exit-deadlock

%patch702 -p1 -b .progress

%patch703 -p1 -b .grab-info

# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842

# probably not needed anymore %patch704 -p1 -b .edns

%patch706 -p1 -b .localdomain

%patch707 -p1 -b .redhat

%patch708 -p1 -b .entropy

%patch709 -p1 -b .vendor

%patch711 -p1 -b .log-usepam-no

%patch712 -p1 -b .evp-ctr

%patch713 -p1 -b .ctr-cavs

# 

%patch800 -p1 -b .gsskex

%patch801 -p1 -b .force_krb

# 

%patch900 -p1 -b .canohost

%patch901 -p1 -b .kuserok

%patch902 -p1 -b .ccache_name

%patch905 -p1 -b .legacy-ssh-copy-id

%patch906 -p1 -b .fromto-remote

%patch907 -p1 -b .CLOCK_BOOTTIME

%patch908 -p1 -b .CVE-2014-2653

%patch909 -p1 -b .6.6.1

%patch910 -p1 -b .NI_MAXHOST

%patch911 -p1 -b .set_remote_ipaddr

%patch912 -p1 -b .utf8-banner

%patch913 -p1 -b .partial-success

%patch914 -p1 -b .log-sftp-only

%patch915 -p1 -b .servconf

%patch916 -p1 -b .SIGXFSZ

%patch918 -p1 -b .log-in-chroot

%patch919 -p1 -b .mls-labels

%patch802 -p1 -b .GSSAPIEnablek5users

%patch803 -p1 -b .k5login

%patch920 -p1 -b .sshd-t

%patch921 -p1 -b .sftp-force-mode

%patch922 -p1 -b .term

%patch923 -p1 -b .ssh-copy-id

%patch924 -p1 -b .memory-problems

%patch925 -p1 -b .allowGroups

%patch926 -p1 -b .kbd

%patch927 -p1 -b .xsecurity

%patch928 -p1 -b .gsskexalg

%patch929 -p1 -b .security7

%patch930 -p1 -b .roaming

%patch931 -p1 -b .xauth

%patch932 -p1 -b .untrusted

%patch933 -p1 -b .uselogin

%patch934 -p1 -b .stderr

%patch935 -p1 -b .s390

%patch936 -p1 -b .auth_meth

%patch937 -p1 -b .quiet

%patch938 -p1 -b .expose-auth

%patch939 -p1 -b .x11max

%patch940 -p1 -b .permitopen

%patch941 -p1 -b .chroot-cap

%patch942 -p1 -b .patch

%patch200 -p1 -b .audit

%patch201 -p1 -b .audit-fps

%patch202 -p1 -b .audit-race

%patch700 -p1 -b .fips

%patch100 -p1 -b .coverity

%if 0

# Nothing here yet

%endif

autoreconf

pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}

autoreconf

popd

%build

# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth

# and it makes the ssh build more clean and even optimized better

CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS

%if %{rescue}

CFLAGS="$CFLAGS -Os"

%endif

%if %{pie}

%ifarch s390 s390x sparc sparcv9 sparc64

CFLAGS="$CFLAGS -fPIC"

%else

CFLAGS="$CFLAGS -fpic"

%endif

SAVE_LDFLAGS="$LDFLAGS"

LDFLAGS="$LDFLAGS -pie -z relro -z now"

export CFLAGS

export LDFLAGS

%endif

%if %{kerberos5}

if test -r /etc/profile.d/krb5-devel.sh ; then

        source /etc/profile.d/krb5-devel.sh

fi

krb5_prefix=`krb5-config --prefix`

if test "$krb5_prefix" != "%{_prefix}" ; then

	CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS

	CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"

	LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS

else

	krb5_prefix=

	CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS

	CFLAGS="$CFLAGS -I%{_includedir}/gssapi"

fi

%endif

%configure \

	--sysconfdir=%{_sysconfdir}/ssh \

	--libexecdir=%{_libexecdir}/openssh \

	--datadir=%{_datadir}/openssh \

	--with-tcp-wrappers \

	--with-default-path=/usr/local/bin:/usr/bin \

	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \

	--with-privsep-path=%{_var}/empty/sshd \

	--enable-vendor-patchlevel="RHEL7-%{openssh_ver}-%{openssh_rel}" \

	--disable-strip \

	--without-zlib-version-check \

	--with-ssl-engine \

	--with-ipaddr-display \

	--with-systemd \

%if %{ldap}

	--with-ldap \

%endif

%if %{rescue}

	--without-pam \

%else

	--with-pam \

%endif

%if %{WITH_SELINUX}

	--with-selinux --with-audit=linux \

%if 0

#seccomp_filter cannot be build right now

	--with-sandbox=seccomp_filter \

%else

	--with-sandbox=rlimit \

%endif

%endif

%if %{kerberos5}

	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \

%else

	--without-kerberos5 \

%endif

%if %{libedit}

	--with-libedit

%else

	--without-libedit

%endif

%if %{static_libcrypto}

perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile

%endif

make

# Define a variable to toggle gnome1/gtk2 building.  This is necessary

# because RPM doesn't handle nested %if statements.

%if %{gtk2}

	gtk2=yes

%else

	gtk2=no

%endif

%if ! %{no_gnome_askpass}

pushd contrib

if [ $gtk2 = yes ] ; then

	make gnome-ssh-askpass2

	mv gnome-ssh-askpass2 gnome-ssh-askpass

else

	make gnome-ssh-askpass1

	mv gnome-ssh-askpass1 gnome-ssh-askpass

fi

popd

%endif

%if %{pam_ssh_agent}

pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}

LDFLAGS="$SAVE_LDFLAGS"

%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man

make

popd

%endif

# Add generation of HMAC checksums of the final stripped binaries

%define __spec_install_post \

    %{?__debug_package:%{__debug_install_post}} \

    %{__arch_install_post} \

    %{__os_install_post} \

    fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \

%{nil}

%check

#to run tests use "--with check"

%if %{?_with_check:1}%{!?_with_check:0}

make tests

%endif

%install

rm -rf $RPM_BUILD_ROOT

mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh

mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh

mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd

make install DESTDIR=$RPM_BUILD_ROOT

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf

install -d $RPM_BUILD_ROOT/etc/pam.d/

install -d $RPM_BUILD_ROOT/etc/sysconfig/

install -d $RPM_BUILD_ROOT/etc/rc.d/init.d

install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh

install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck

install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd

install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat

install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd

install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd

install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen

install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}

install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service

install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket

install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service

install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service

install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/

install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/

%if ! %{no_gnome_askpass}

install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass

%endif

%if ! %{no_gnome_askpass}

ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass

install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/

install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/

install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/

%endif

%if %{no_gnome_askpass}

rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*

%endif

perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

%if %{pam_ssh_agent}

pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}

make install DESTDIR=$RPM_BUILD_ROOT

popd

%endif

%clean

rm -rf $RPM_BUILD_ROOT

%pre

getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :

%pre server