[openssh] add -fips subpackages that contains the FIPS module files
plautrba
plautrba at fedoraproject.org
Wed Aug 28 19:28:29 UTC 2013
commit 227f4f76284c66e5f93c9bbb466143f50a0668cf
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Wed Aug 28 19:37:08 2013 +0200
add -fips subpackages that contains the FIPS module files
openssh-clients-fips.conf | 1 +
openssh-server-fips.conf | 1 +
openssh.spec | 55 ++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 54 insertions(+), 3 deletions(-)
---
diff --git a/openssh-clients-fips.conf b/openssh-clients-fips.conf
new file mode 100644
index 0000000..1884348
--- /dev/null
+++ b/openssh-clients-fips.conf
@@ -0,0 +1 @@
+-b /usr/bin/ssh
diff --git a/openssh-server-fips.conf b/openssh-server-fips.conf
new file mode 100644
index 0000000..52abdf4
--- /dev/null
+++ b/openssh-server-fips.conf
@@ -0,0 +1 @@
+-b /usr/sbin/sshd
diff --git a/openssh.spec b/openssh.spec
index 02081b7..19d23e5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -87,6 +87,8 @@ Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen.service
Source13: sshd-keygen
+Source14: openssh-clients-fips.conf
+Source15: openssh-server-fips.conf
# Internal debug
Patch0: openssh-5.9p1-wIm.patch
@@ -235,6 +237,11 @@ BuildRequires: xauth
Summary: An open source SSH client applications
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
+
+%package clients-fips
+Summary: The FIPS module package for SSH client
+Group: Applications/Internet
+Requires: openssh-clients = %{version}-%{release}
Requires: fipscheck-lib%{_isa} >= 1.3.0
%package server
@@ -243,11 +250,16 @@ Group: System Environment/Daemons
Requires: openssh = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
+%package server-fips
+Summary: The FIPS module package for SSH server daemon
+Group: System Environment/Daemons
+Requires: openssh-server = %{version}-%{release}
+Requires: fipscheck-lib%{_isa} >= 1.3.0
+
# Not yet ready
# %package server-ondemand
# Summary: Systemd unit file to run an ondemand OpenSSH server
@@ -304,12 +316,24 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
+%description clients-fips
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the files that complete the installation of the OpenSSH client FIPS
+module.
+
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server.
+%description server-fips
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the files that complete the installation of the OpenSSH server FIPS
+module.
+
%description server-sysvinit
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
@@ -591,6 +615,13 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
make install DESTDIR=$RPM_BUILD_ROOT
popd
%endif
+
+#install prelink blacklists
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
+install -m644 %{SOURCE14} %{SOURCE15} \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
+
+
%clean
rm -rf $RPM_BUILD_ROOT
@@ -603,9 +634,15 @@ getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+%post clients-fips
+prelink -u %{_bindir}/ssh 2>/dev/null || :
+
%post server
%systemd_post sshd.service sshd.socket
+%post server-fips
+prelink -u %{_sbindir}/sshd 2>/dev/null || :
+
%preun server
%systemd_preun sshd.service sshd.socket
@@ -641,7 +678,6 @@ getent passwd sshd >/dev/null || \
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
@@ -664,13 +700,19 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
+%files clients-fips
+%defattr(-,root,root)
+%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
+# We don't want to depend on prelink for this directory
+%dir %{_sysconfdir}/prelink.conf.d
+%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
+
%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/sshd-keygen
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
@@ -684,6 +726,13 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+%files server-fips
+%defattr(-,root,root)
+%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
+# We don't want to depend on prelink for this directory
+%dir %{_sysconfdir}/prelink.conf.d
+%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
+
%files server-sysvinit
%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
More information about the scm-commits
mailing list