Another round of testing calls. (redhat/openssh.spec)

Pekka Savola pekkas at netcore.fi
Thu Oct 25 05:03:19 EST 2001


On Tue, 23 Oct 2001 mouring at etoh.eviladmin.org wrote:
> Outside the known 'Hang-on-exit' bug and the Solaris 'PAM_TTY_KLUDGE'
> required.  *WHAT* other issues *MUST* be addressed before 3.0 which is
> approaching fast?

I'm not saying MUST, but I've been trying to suggest a few modifications
(under the OpenSSL_free thread) to contrib/redhat/openssh.spec for some
time now.  I've yet to receive a reply.

Here's a full diff.  It does:

1) As sshd -t is used when restarting sshd with RH scripts now,
sshd_config is better marked with noreplace as all config files should.

2) '--with-ipv4-default' is removed; it's a major release after all.  I
haven't noticed any problems with this (and a lot of Linux distros already
do it, including Red Hat), and if you'd have to run 'sshd -6', IPv4 port
forwarding through mapped addresses won't work.

Caveat: if you haven't patched your tcp_wrappers for IPv6, and IPv6 is
enabled with SSHD, and you have access controls, you won't be let in even
with IPv4 (connections seem to originate from 0.0.0.0 vs.  
::ffff:ipv4addr).  I don't see this as a huge problem, as you have to have
IPv6 enabled.  E.g. RHL72 already has patched tcp_wrappers.

3) Building appears to rely on the existence of openssl >= 0.9.6
(OPENSSL_free function).  Mark the requirement there.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

-------------- next part --------------
Index: contrib/redhat/openssh.spec
===================================================================
RCS file: /cvs/openssh_cvs/contrib/redhat/openssh.spec,v
retrieving revision 1.89
diff -u -r1.89 openssh.spec
--- contrib/redhat/openssh.spec	2001/10/24 05:36:55	1.89
+++ contrib/redhat/openssh.spec	2001/10/24 19:07:22
@@ -52,7 +52,7 @@
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 Obsoletes: ssh
-BuildPreReq: perl, openssl-devel, tcp_wrappers
+BuildPreReq: perl, openssl-devel >= 0.9.6, tcp_wrappers
 BuildPreReq: /bin/login, /usr/include/security/pam_appl.h
 BuildPreReq: rpm >= 3.0.5
 %if ! %{no_x11_askpass}
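Review bot: The new `openssl-devel >= 0.9.6` floor on BuildPreReq carries no explanation in the spec. A one-line comment above it saying the build needs OPENSSL_free, which is the reason given in the cover message, would keep a later editor from relaxing the version again.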
@@ -62,9 +62,9 @@
 BuildPreReq: gnome-libs-devel
 %endif
 %if ! %{static_libcrypto}
-PreReq: openssl >= 0.9.5a
+PreReq: openssl >= 0.9.6
 PreReq: openssl = %{exact_openssl_version}
-Requires: openssl >= 0.9.5a
+Requires: openssl >= 0.9.6
 %endif
 Requires: rpm >= 3.0.5
 
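Review bot: The 0.9.6 minimum is now written out separately on the PreReq and Requires lines here and on BuildPreReq in the previous hunk, so the next bump has to touch three places. Defining the minimum once as a macro and referencing it on all three lines would keep the build and runtime floors from drifting apart.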
@@ -155,7 +155,6 @@
 	--datadir=%{_datadir}/openssh \
 	--with-pam \
 	--with-tcp-wrappers \
-	--with-ipv4-default \
 	--with-rsh=/usr/bin/rsh \
 	--with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
 	$EXTRA_OPTS
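Review bot: Dropping `--with-ipv4-default` while `--with-tcp-wrappers` stays in the same configure invocation exposes every build to the caveat in the cover message: with an unpatched tcp_wrappers and IPv6 enabled, access controls can reject IPv4 clients too. Consider guarding the flag with a build-time macro in the style of the existing `%{static_libcrypto}` switch, or at least recording the tcp_wrappers dependency in a comment next to this line, so packagers for older releases can restore it.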
@@ -264,8 +263,7 @@
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
-#%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
-%attr(0600,root,root) %config %{_sysconfdir}/sshd_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
 %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0755,root,root) %config /etc/rc.d/init.d/sshd
 
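Review bot: With `%config(noreplace)` on sshd_config, an upgrade keeps the administrator's existing file and writes the packaged one as sshd_config.rpmnew, so the new daemon starts against a config written for the previous release. The cover message relies on the init script running `sshd -t` at restart to catch that; it is worth confirming that check runs before the old daemon is stopped, and noting the behaviour change in %changelog.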

