openpkg-packages/openssh/openssh.spec

##
##  openssh.spec -- OpenPKG RPM Package Specification
##  Copyright (c) 2000-2006 OpenPKG Foundation e.V. <http://openpkg.net/>
##  Copyright (c) 2000-2006 Ralf S. Engelschall <http://engelschall.com/>
##
##  Permission to use, copy, modify, and distribute this software for
##  any purpose with or without fee is hereby granted, provided that
##  the above copyright notice and this permission notice appear in all
##  copies.
##
##  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
##  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
##  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
##  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
##  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
##  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
##  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
##  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
##  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
##  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
##  SUCH DAMAGE.
##

#   package versions
%define       V_base        4.3
%define       V_portable    p2
%define       V_watchdog    4.0p1
%define       V_ldap_base   4.3p1
%define       V_ldap_vers   0.3.7
%define       V_connect     1.96

#   package information
Name:         openssh
Summary:      Secure Shell (SSH)
URL:          http://www.openssh.com/
Vendor:       The OpenBSD Project
Packager:     OpenPKG
Distribution: OpenPKG
Class:        CORE
Group:        Security
License:      BSD
Version:      %{V_base}%{V_portable}
Release:      20060603

#   package options
%option       with_fsl          yes
%option       with_connect      no
%option       with_alias        no
%option       with_chroot       no
%option       with_ldap         no
%option       with_pam          no
%option       with_sftplogging  no
%option       with_skey         no
%option       with_watchdog     no
%option       with_wrap         no
%option       with_x11          no
%option       with_trysetpath   no
%option       with_libedit      no

#   list of sources
Source0:      ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1:      rc.openssh
Source2:      fsl.openssh
Source3:      sshd_config
Source4:      ssh_config
Source5:      ssh-askpass
Source6:      ssh-keyman
Source7:      ssh-keyman.1
Source8:      ssh-keyman.pod
Source9:      ftp://ftp.openpkg.org/sources/CPY/VERSIONED/openssh-connect/openssh-connect-%{V_connect}.tar.gz
Patch0:       openssh.patch
Patch1:       openssh.patch.chroot
Patch2:       openssh.patch.alias
Patch3:       http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-%{V_watchdog}-watchdog.patch.tgz
Patch4:       http://www.opendarwin.org/projects/openssh-lpk/files/openssh-lpk-%{V_ldap_base}-%{V_ldap_vers}.patch
Patch5:       openssh.patch.sftplogging
Patch6:       openssh.patch.scpbindir

#   build information
Prefix:       %{l_prefix}
BuildRoot:    %{l_buildroot}
BuildPreReq:  OpenPKG, openpkg >= 20040130, perl
PreReq:       OpenPKG, openpkg >= 20040130
BuildPreReq:  openssl, zlib
PreReq:       openssl, zlib
%if "%{with_pam}" == "yes"
BuildPreReq:  PAM
PreReq:       PAM
%endif
%if "%{with_fsl}" == "yes"
BuildPreReq:  fsl >= 1.2.0
PreReq:       fsl >= 1.2.0
%endif
%if "%{with_skey}" == "yes"
BuildPreReq:  skey
PreReq:       skey
%endif
%if "%{with_x11}" == "yes"
BuildPreReq:  X11
PreReq:       X11
%endif
%if "%{with_ldap}" == "yes"
BuildPreReq:  openldap
PreReq:       openldap
%endif
%if "%{with_wrap}" == "yes"
BuildPreReq:  tcpwrappers
PreReq:       tcpwrappers
%endif
%if "%{with_libedit}" == "yes"
BuildPreReq:  libedit
PreReq:       libedit
%endif
AutoReq:      no
AutoReqProv:  no

%description
    Secure Shell (SSH) is a facility for logging into a remote machine
    and for remotely executing commands on a remote machine. It is
    intended to replace rlogin(1) and rsh(1), and provide secure
    encrypted communications between two untrusted hosts over an
    insecure network. X11 connections and arbitrary TCP/IP ports can
    also be forwarded over the secure channel. OpenSSH is OpenBSD's
    rework of the last free version of SSH, bringing it up to date in
    terms of security and features, as well as removing all patented
    algorithms to separate libraries (OpenSSL).

%track
    prog openssh = {
        version   = %{version}
        url       = ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/
        regex     = openssh-(__VER__)\.tar\.gz
    }
    prog openssh:watchdog = {
        version   = %{V_watchdog}
        url       = http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
        regex     = HREF=.openssh-(__VER__)-watchdog\.patch\.tgz
    }
    prog openssh:ldap = {
        version   = %{V_ldap_base}-%{V_ldap_vers}
        url       = http://www.opendarwin.org/projects/openssh-lpk/
        regex     = openssh-lpk-(__VER__)\.patch
    }

%prep
    #   unpack and patch distribution
    %setup -q
%if "%{with_connect}" == "yes"
    %setup -q -D -T -a 9
%endif
    %patch -p0 -P 0
    %{l_shtool} subst \
        -e 's;@l_openpkg_release@;%{l_openpkg_release -F "OpenPKG-%s"};' \
        version.h
%if "%{with_chroot}" == "yes"
    %patch -p0 -P 1
%endif
%if "%{with_alias}" == "yes"
    %patch -p0 -P 2
%endif
%if "%{with_watchdog}" == "yes"
    %{l_gzip} -d -c %{SOURCE openssh-%{V_watchdog}-watchdog.patch.tgz} | %{l_tar} xf -
    %{l_patch} -p0 -b <openssh-%{V_watchdog}-watchdog.patch
%endif
%if "%{with_ldap}" == "yes"
    %{l_patch} -p1 -b <%{SOURCE openssh-lpk-%{V_ldap_base}-%{V_ldap_vers}.patch}
%endif
%if "%{with_sftplogging}" == "yes"
    %patch -p0 -P 5
%endif
    sed -e 's;@l_prefix@;%{l_prefix};g' %{SOURCE openssh.patch.scpbindir} | %{l_patch} -p0 -b
    case "%{l_platform -t}" in
        *-darwin* )
            %{l_shtool} subst \
                -e 's;LIBS="-lcrypto $LIBS";LIBS="%{l_prefix}/lib/libcrypto.a $LIBS";' \
                configure
            ;;
    esac

%build
    #   configure package
    cflags=""
    ldflags=""
%if "%{with_chroot}" == "yes"
    cflags="$cflags -DUSE_CHROOT"
%endif
%if "%{with_alias}" == "yes"
    cflags="$cflags -DUSE_ALIAS"
%endif
%if "%{with_pam}" == "yes"
    cflags="$cflags -I`%{l_rc} --query pam_incdir`"
    ldflags="$ldflags -L`%{l_rc} --query pam_libdir`"
%endif
%if "%{with_ldap}" == "yes"
    cflags="$cflags -DLDAP_DEPRECATED"
    ldflags="$ldflags -lldap -llber -lcrypto -lssl"
%endif
    strip="--enable-strip"; %{l_shtool} path strip || strip="--disable-strip"
    CC="%{l_cc}" \
    CFLAGS="%{l_cflags -O} %{l_cppflags} $cflags" \
    LDFLAGS="%{l_ldflags} %{l_fsl_ldflags} $ldflags" \
    LIBS="%{l_fsl_libs}" \
    ./configure \
        --prefix=%{l_prefix} \
        --sbindir=%{l_prefix}/bin \
        --mandir=%{l_prefix}/man \
        --infodir=%{l_prefix}/info \
        --sysconfdir=%{l_prefix}/etc/openssh \
        --libexecdir=%{l_prefix}/libexec/openssh \
        --localstatedir=%{l_prefix}/var/openssh \
        --with-pid-dir=%{l_prefix}/var/openssh \
        --with-ssl-dir=%{l_prefix} \
%if "%{with_skey}" == "yes"
        --with-skey=%{l_prefix} \
%endif
%if "%{with_pam}" == "yes"
        --with-pam \
%else
        --without-pam \
%endif
%if "%{with_x11}" == "yes"
        --with-xauth="`%{l_rc} --query x11_bindir`/xauth" \
%endif
%if "%{with_wrap}" == "yes"
        --with-tcp-wrappers=%{l_prefix} \
%endif
%if "%{with_ldap}" == "yes"
        --with-ldap=%{l_prefix} \
%endif
%if "%{with_libedit}" == "yes"
        --with-libedit=%{l_prefix} \
%endif
        --with-md5-passwords \
        --with-zlib=%{l_prefix} \
        --with-ipv4-default \
        --without-smartcard \
        --without-kerberos4 \
        --disable-suid-ssh \
        --without-rsh \
        --with-mantype=man \
%if "%{with_trysetpath}" == "yes"
        --enable-etc-default-login \
        --with-default-path=%{l_prefix}/bin:/bin:/usr/bin:/usr/local/bin \
        --with-superuser-path=%{l_prefix}/bin:/usr/bin:/sbin:/usr/sbin \
%else
        --disable-etc-default-login \
        --with-default-path=/bin:/usr/bin \
        --with-superuser-path=/bin:/usr/bin:/sbin:/usr/sbin \
%endif
        --with-privsep-user=%{l_nusr} \
        --with-privsep-path=%{l_prefix}/var/openssh/empty \
        $strip

    #   build package
    %{l_make} %{l_mflags -O}

%if "%{with_connect}" == "yes"
    #   build proxy connect utility
    ( cd openssh-connect
      CC="%{l_cc}" \
      CFLAGS="%{l_cflags -O}" \
      CPPFLAGS="%{l_cppflags}" \
      LDFLAGS="%{l_ldflags}" \
      ./configure \
          --prefix=%{l_prefix}
      %{l_make} %{l_mflags}
    ) || exit $?
%endif

%install
    rm -rf $RPM_BUILD_ROOT

    #   perform standard installation procedure of OpenSSH
    %{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT

    #   strip down installation tree
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/share
    rm -f $RPM_BUILD_ROOT%{l_prefix}/bin/slogin
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man1/slogin.1
    strip $RPM_BUILD_ROOT%{l_prefix}/bin/* 2>/dev/null || true
    strip $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/* 2>/dev/null || true

%if "%{with_connect}" == "yes"
    #   install proxy connect utility
    ( cd openssh-connect
      strip connect 2>/dev/null || true
      %{l_shtool} install -c -m 755 connect \
             $RPM_BUILD_ROOT%{l_prefix}/bin/ssh-connect
    ) || exit $?
%endif

    #   install ssh-askpass wrapper
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE ssh-askpass} \
        $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/

    #   make sure the state directory exists
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/var/openssh \
        $RPM_BUILD_ROOT%{l_prefix}/var/openssh/empty

    #   install addons
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/bin \
        $RPM_BUILD_ROOT%{l_prefix}/man/man1
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE ssh-keyman} \
        $RPM_BUILD_ROOT%{l_prefix}/bin/
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE ssh-keyman.1} \
        $RPM_BUILD_ROOT%{l_prefix}/man/man1/

    #   install run-command script
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE rc.openssh} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/

    #   install reasonable ssh server and client configuration files
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        -e 's;@l_x11forwarding@;%{with_x11};' \
        %{SOURCE sshd_config} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE ssh_config} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/

    #   install OSSP fsl configuration
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE fsl.openssh} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/

    #   determine installation files
    %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
        %{l_files_std} \
        '%not %dir %{l_prefix}/etc/fsl' \
        '%config %{l_prefix}/etc/fsl/fsl.openssh' \
        '%config %{l_prefix}/etc/openssh/*' \
        '%attr(4711,%{l_susr},%{l_mgrp}) %{l_prefix}/libexec/openssh/ssh-keysign' \
        '%dir %attr(700,%{l_susr},%{l_mgrp}) %{l_prefix}/var/openssh/empty'

%files -f files

%clean
    rm -rf $RPM_BUILD_ROOT

%post
    #   generate server RSA1 (SSH1) key
    if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" -o \
         ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" ]; then
        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa1 -b 2048 \
            -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key \
            -N '' -C `hostname` 1>&2
    fi

    #   generate server RSA (SSH2) key
    if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" -o \
         ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" ]; then
        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa -b 2048 \
            -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key \
            -N '' -C `hostname` 1>&2
    fi

    #   generate server DSA (SSH2) key
    if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" -o \
         ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" ]; then
        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t dsa -b 2048 \
            -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key \
            -N '' -C `hostname` 1>&2
    fi

%if "%{with_pam}" == "yes"
    #   add PAM configuration entry
    if [ $1 -eq 1 ]; then
        $RPM_INSTALL_PREFIX/sbin/pamtool --add --smart --name=openssh
    fi
%endif

    #   on install, warn about PATH issues
    if [ $1 -eq 1 ]; then
        ( echo "Make sure sshd users have the proper PATH set to find"
          echo "utilities like scp, sftp-server, rsync, cvs, svn etc."
%if "%{with_trysetpath}" == "yes"
          echo "This package tries to set the PATH for users and"
          echo "root properly. The success of this attempt is platform"
          echo "specific and out of OpenPKG scope. Please verify"
          echo "whether it works as expected."
%endif
        ) | %{l_rpmtool} msg -b -t warn
    fi

    #   after upgrade, restart service
    [ $1 -eq 2 ] || exit 0
    eval `%{l_rc} openssh status 2>/dev/null`
    [ ".$openssh_active" = .yes ] && %{l_rc} openssh restart
    exit 0

%preun
    #   before erase, stop service and remove log files
    [ $1 -eq 0 ] || exit 0
    %{l_rc} openssh stop 2>/dev/null
    rm -f $RPM_INSTALL_PREFIX/var/openssh/openssh.log* >/dev/null 2>&1 || true
%if "%{with_pam}" == "yes"
    #   remove PAM configuration entry
    $RPM_INSTALL_PREFIX/sbin/pamtool --remove --smart --name=openssh
%endif
    exit 0