FOSS 8.8.15P20 problem with mail queue monitoring

dspillett2021
Posts: 1
Joined: Mon Apr 05, 2021 8:45 pm

Re: FOSS 8.8.15P20 problem with mail queue monitoring

Post by dspillett2021 »

This does not seem to be local to RH/CentOS. I'm seeing the same problem, or one that looks the same, on a recently-upgraded-to-8.8.15 instance running on Ubuntu 16.04. Though there is a slightly different auth related error in mailbox.log:

Caused by: org.apache.sshd.common.SshException: No more authentication methods available

The other symptoms reported wrt the queue in the admin UI are the same.

Additionally I have errors in the service status screens, with it reporting nothing is running when all seems fine. I'll dig a little more before reporting more about that as it could be unrelated (a different variety of error trace in mailbox.log).
AlexFrodo
Posts: 1
Joined: Tue Apr 13, 2021 4:50 am

Re: FOSS 8.8.15P20 problem with mail queue monitoring

Post by AlexFrodo »

I apologize, maybe off topic, but I have such a problem.
For some reason, the queue of 200k letters in general from some left mailboxes is filling up.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: FOSS 8.8.15P20 problem with mail queue monitoring

Post by JDunphy »

dspillett2021 wrote:
This does not seem to be local to RH/CentOS. I'm seeing the same problem, or one that looks the same, on a recently-upgraded-to-8.8.15 instance running on Ubuntu 16.04. Though there is a slightly different auth related error in mailbox.log:

Caused by: org.apache.sshd.common.SshException: No more authentication methods available

The other symptoms reported wrt the queue in the admin UI are the same.

Might be interesting to see what version of sshd you are running with Ubuntu 16.04. The error message is different if you were running ssh-dss vs ssh-rsa, with the latter being the 'no authentication methods available'. It appeared that patch 20 required ssh-rsa from what I saw on our machines, in addition to an sshd that is version 7 or newer, I believe. I didn't do an exhaustive test with sshd, so that is only a guess from a quick look at the release notes from openssh.

As an FYI, I did reference this thread when I opened my ticket with Zimbra reporting this problem.

Jim
danci1973
Posts: 7
Joined: Sat Sep 13, 2014 1:07 am

Re: FOSS 8.8.15P20 problem with mail queue monitoring

Post by danci1973 »

I built OpenSSH 7.4p1 RPMs for CentOS 6, which now works for our Zimbra.

If anyone's interested, I can provide binary packages, but it would probably be better if you build them yourself...

For that, you need to get the source RPM from CentOS 7 (https://vault.centos.org/7.9.2009/os/So ... l7.src.rpm) and install the sources, which contain the 'up-stream' OpenSSH sources and a slew of RedHat / CentOS patches and distro specific files. Three of those need minor changes:


diff -Nur SOURCES-7.4p1-rhel7/openssh-6.6p1-keycat.patch SOURCES-7.4p1-rhel6/openssh-6.6p1-keycat.patch
--- SOURCES-7.4p1-rhel7/openssh-6.6p1-keycat.patch      2019-08-06 15:44:39.000000000 +0200
+++ SOURCES-7.4p1-rhel6/openssh-6.6p1-keycat.patch      2021-04-14 13:44:51.871747204 +0200
@@ -23,7 +23,7 @@
                        PAM_MSG="yes"

                        SSHDLIBS="$SSHDLIBS -lpam"
-+                      KEYCATLIBS="$KEYCATLIBS -lpam"
++                      KEYCATLIBS="$KEYCATLIBS -lpam -lrt"
                        AC_DEFINE([USE_PAM], [1],
                                [Define if you want to enable PAM support])

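Review bot: The added `-lrt` on the `KEYCATLIBS` line has no explanation, and it sits inside the PAM branch, so if ssh-keycat is ever built without PAM it would link without it. Say in the changelog or a comment which symbol fails to resolve on CentOS 6 without librt, and if keycat needs it regardless of PAM, append it to `KEYCATLIBS` outside this branch.
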

diff -Nur SOURCES-7.4p1-rhel7/sshd.init SOURCES-7.4p1-rhel6/sshd.init
--- SOURCES-7.4p1-rhel7/sshd.init       2019-08-06 15:44:39.000000000 +0200
+++ SOURCES-7.4p1-rhel6/sshd.init       2021-04-14 15:50:07.011727608 +0200
@@ -38,8 +38,7 @@
 
 # Some functions to make the below more readable
 SSHD=/usr/sbin/sshd
-XPID_FILE=/var/run/sshd.pid
-PID_FILE=/var/run/sshd-s.pid
+PID_FILE=/var/run/sshd.pid  
 
 runlevel=$(set -- $(runlevel); eval "echo \$$#" )
 
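Review bot: `PID_FILE=/var/run/sshd.pid` now names the file sshd writes itself rather than the script's private copy, so it has to match the `PidFile` setting in sshd_config or the `-p $PID_FILE` lookup in stop() will miss the daemon; a one-line comment saying so would help. The added line also ends in two trailing spaces.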
@@ -64,35 +63,15 @@
        $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch $lockfile
-       [ $RETVAL -eq 0 ] && cp -f $XPID_FILE $PID_FILE
        echo
        return $RETVAL
 }
  
 stop()
 {
- 
        echo -n $"Stopping $prog: "
-       if [ ! -f "$PID_FILE" ]; then
-               # not running; per LSB standards this is "ok"
-               action $"Stopping $prog: " /bin/true
-               return 0
-       fi
-       PID=`cat "$PID_FILE"`
-       if [ -n "$PID" ]; then
-               /bin/kill "$PID" >/dev/null 2>&1
-               RETVAL=$?
-               if [ $RETVAL -eq 0 ]; then
-                       RETVAL=1
-                       action $"Stopping $prog: " /bin/false
-               else
-                       action $"Stopping $prog: " /bin/true
-               fi
-       else
-                # failed to read pidfile
-               action $"Stopping $prog: " /bin/false
-               RETVAL=4
-       fi
+       killproc -p $PID_FILE $SSHD
+       RETVAL=$?
        # if we are in halt or reboot runlevel kill all running sessions
        # so the TCP connections are closed cleanly
        if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
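Review bot: In stop(), the removed block returned 0 when the pid file was missing ("not running; per LSB standards this is ok"), and the replacement `killproc -p $PID_FILE $SSHD` leaves that case to killproc. Check what `service sshd stop` returns for an already stopped daemon with the CentOS 6 init functions, since the package scriptlets call it, and quote the variable as `"$PID_FILE"` while here.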
@@ -101,8 +80,7 @@
            trap TERM
        fi
        [ $RETVAL -eq 0 ] && rm -f $lockfile
-       rm -f "$PID_FILE"
-        return $RETVAL  
+       echo
 }
  
 reload()
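Review bot: With `return $RETVAL` removed, stop() now ends on `echo`, so the function's own exit status is always that of echo and a failed killproc is invisible to any caller that tests `stop` directly. If the rest of the script only reads the global RETVAL this is harmless, but adding `return $RETVAL` after the `echo` costs nothing and keeps both styles of caller correct.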


diff -Nur SOURCES-7.4p1-rhel7/sshd.pam SOURCES-7.4p1-rhel6/sshd.pam
--- SOURCES-7.4p1-rhel7/sshd.pam        2019-08-06 15:44:39.000000000 +0200
+++ SOURCES-7.4p1-rhel6/sshd.pam        2021-04-14 14:59:13.273718950 +0200
@@ -1,9 +1,6 @@
 #%PAM-1.0
 auth      required     pam_sepermit.so
-auth       substack     password-auth 
-auth       include      postlogin
-# Used with polkit to reauthorize users in remote sessions
--auth      optional     pam_reauthorize.so prepare
+auth       include      password-auth
 account    required     pam_nologin.so
 account    include      password-auth 
 password   include      password-auth 
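Review bot: At `auth include password-auth`, the switch from `substack` to `include` changes how a terminating result inside password-auth propagates: with `include` a `sufficient` success or a `requisite` failure ends the whole sshd auth stack, not just the included file. No auth module follows it after this change, so the effect is nil today, but a module appended later would be skipped silently. Keep `substack` if the CentOS 6 PAM accepts it, or add a comment explaining why `include` is needed and that nothing may follow it.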
@@ -15,6 +12,3 @@
 session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
-session    include      postlogin
-# Used with polkit to reauthorize users in remote sessions
--session   optional     pam_reauthorize.so prepare
Finally, the SPEC file needs some changes too:


--- openssh.spec-orig	2019-08-06 15:44:39.000000000 +0200
+++ openssh.spec	2021-04-14 16:52:02.289724184 +0200
@@ -24,11 +24,17 @@
 # Do we want kerberos5 support (1=yes 0=no)
 %define kerberos5 1
 
+# Do we want LDAP support
+%define ldap 1
+
 # Do we want libedit support
 %define libedit 1
 
-# Do we want LDAP support
-%define ldap 1
+# Do we want NSS tokens support
+%define nss 1
+
+# Whether or not /sbin/nologin exists.
+%define nologin 1
 
 # Whether to build pam_ssh_agent_auth
 %if 0%{?!nopam:1}
@@ -39,21 +45,21 @@
 
 # Reserve options to override askpass settings with:
 # rpm -ba|--rebuild --define 'skip_xxx 1'
-%{?skip_gnome_askpass:%global no_gnome_askpass 1}
+%{?skip_gnome_askpass:%define no_gnome_askpass 1}
 
 # Add option to build without GTK2 for older platforms with only GTK+.
 # Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
 # rpm -ba|--rebuild --define 'no_gtk2 1'
-%{?no_gtk2:%global gtk2 0}
+%{?no_gtk2:%define gtk2 0}
 
 # Options for static OpenSSL link:
 # rpm -ba|--rebuild --define "static_openssl 1"
-%{?static_openssl:%global static_libcrypto 1}
+%{?static_openssl:%define static_libcrypto 1}
 
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
+%{?build_rescue:%define rescue 1}
+%{?build_rescue:%define rescue_rel rescue}
 
 # Turn off some stuff for resuce builds
 %if %{rescue}
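Review bot: The five conditionals in this hunk go from `%global` back to `%define` inside `%{?...:...}` expansions, which is the fragile form: a `%define` evaluated inside a macro expansion is scoped to that expansion, and whether it survives depends on the rpm version. `%global` is available in the rpm shipped with CentOS 6, so unless the build actually failed with it, leave these lines as they were in the RHEL 7 spec.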
@@ -62,18 +68,21 @@
 %define pam_ssh_agent 0
 %endif
 
-# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
 %define openssh_rel 21
 %define pam_ssh_agent_ver 0.10.3
-%define pam_ssh_agent_rel 2
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
 Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
-#URL1: http://pamsshagentauth.sourceforge.net
+#URL1: http://pamsshauth.sourceforge.net
+#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+# This package differs from the upstream OpenSSH tarball in that
+# the ACSS cipher is removed by running openssh-nukeacss.sh in
+# the unpacked source directory.
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
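Review bot: The three added comment lines beginning `# This package differs from the upstream OpenSSH tarball` say the ACSS cipher is removed by openssh-nukeacss.sh, but the active `Source0:` directly below still points at the unmodified upstream tarball, so the comment describes a step this spec does not show. Drop that comment and the duplicated `#Source0`/`#Source1` lines, and restore `#URL1` to `pamsshagentauth`, which this hunk shortens to `pamsshauth`.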
@@ -258,7 +267,11 @@
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+%if %{nologin}
 Requires: /sbin/nologin
+%endif
+
+Requires: initscripts >= 5.20
 
 %if ! %{no_gnome_askpass}
 %if %{gtk2}
@@ -269,18 +282,16 @@
 %endif
 %endif
 
-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
 BuildRequires: autoconf, automake, perl, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
-BuildRequires: util-linux, groff
+BuildRequires: util-linux, groff, man
 BuildRequires: pam-devel
 BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.3.0
+BuildRequires: fipscheck-devel
 BuildRequires: openssl-devel >= 0.9.8j
-BuildRequires: perl-podlators
-BuildRequires: systemd-devel
+%if %{ldap}
+BuildRequires: openldap-devel
+%endif
 
 %if %{kerberos5}
 BuildRequires: krb5-devel
@@ -290,8 +301,11 @@
 BuildRequires: libedit-devel ncurses-devel
 %endif
 
+%if %{nss}
+BuildRequires: nss-devel
+%endif
+
 %if %{WITH_SELINUX}
-Conflicts: selinux-policy < 3.13.1-92
 Requires: libselinux >= 1.27.7
 BuildRequires: libselinux-devel >= 1.27.7
 Requires: audit-libs >= 1.0.8
@@ -302,25 +316,23 @@
 
 %package clients
 Summary: An open source SSH client applications
-Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+Group: Applications/Internet
 
 %package server
 Summary: An open source SSH server daemon
 Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
+Requires(post): chkconfig >= 0.9, /sbin/service
 Requires(pre): /usr/sbin/useradd
 Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
 
-%package server-sysvinit
-Summary: The SysV initscript to manage the OpenSSH server.
-Group: System Environment/Daemons
-Requires: %{name}-server%{?_isa} = %{version}-%{release}
+%package askpass
+Summary: A passphrase dialog for OpenSSH and X
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: openssh-askpass-gnome
+Provides: openssh-askpass-gnome
 
 %if %{ldap}
 %package ldap
@@ -334,13 +346,6 @@
 Requires: openssh = %{version}-%{release}
 Group: System Environment/Daemons
 
-%package askpass
-Summary: A passphrase dialog for OpenSSH and X
-Group: Applications/Internet
-Requires: openssh = %{version}-%{release}
-Obsoletes: openssh-askpass-gnome
-Provides: openssh-askpass-gnome
-
 %package cavs
 Summary: CAVS tests for FIPS validation
 Group: Applications/Internet
@@ -350,7 +355,6 @@
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -378,13 +382,10 @@
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
 securely connect to your SSH server.
 
-%description server-sysvinit
+%description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
-the SysV init script to manage the OpenSSH server when running a legacy
-SysV-compatible init system.
-
-It is not required when the init system used is systemd.
+an X11 passphrase dialog for OpenSSH.
 
 %if %{ldap}
 %description ldap
@@ -396,11 +397,6 @@
 OpenSSH mls keycat is backend for using the authorized keys in the
 openssh in the mls mode.
 
-%description askpass
-OpenSSH is a free version of SSH (Secure SHell), a program for logging
-into and executing commands on a remote machine. This package contains
-an X11 passphrase dialog for OpenSSH.
-
 %description cavs
 This package contains test binaries and scripts to make FIPS validation
 easier. Now contains CTR and KDF CAVS test driver.
@@ -522,9 +518,9 @@
 %endif
 
 autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-autoreconf
-popd
+#pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+#autoreconf
+#popd
 
 %build
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
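Review bot: The `autoreconf` for pam_ssh_agent_auth is commented out with no reason given, while the module is still configured and built later in the spec. If any patch applied in %prep touches the autoconf inputs in that directory, the build will run a stale configure script; either state why regeneration fails on CentOS 6 or delete the three lines and note that the shipped configure is used as is.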
@@ -539,12 +535,10 @@
 %else
 CFLAGS="$CFLAGS -fpic"
 %endif
-SAVE_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS -pie -z relro -z now"
-
 export CFLAGS
-export LDFLAGS
-
+SAVE_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
+LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now"; export LDFLAGS
 %endif
 %if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
@@ -567,19 +561,20 @@
 	--libexecdir=%{_libexecdir}/openssh \
 	--datadir=%{_datadir}/openssh \
 	--with-tcp-wrappers \
-	--with-default-path=/usr/local/bin:/usr/bin \
-	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+	--with-default-path=/usr/local/bin:/bin:/usr/bin \
+	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/sshd \
-	--enable-vendor-patchlevel="RHEL7-%{openssh_ver}-%{openssh_rel}" \
+	--enable-vendor-patchlevel="FC-%{version}-%{release}" \
 	--disable-strip \
 	--without-zlib-version-check \
 	--with-ssl-engine \
-	--with-ipaddr-display \
-	--with-systemd \
-	--with-ssh1 \
+	--with-authorized-keys-command \
 %if %{ldap}
 	--with-ldap \
 %endif
+%if %{nss}
+	--with-nss \
+%endif
 %if %{rescue}
 	--without-pam \
 %else
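Review bot: `--with-authorized-keys-command` and `--with-nss` are added to the configure call, but nothing in this diff shows that the 7.4p1 sources with the RHEL 7 patch set define those options, and autoconf only prints a warning for an unrecognised `--with-*` flag before carrying on, so a no-op would go unnoticed. Check config.log, and if the flags are ignored drop them together with the `nss` define and its `nss-devel` BuildRequires. The vendor patchlevel string `FC-%{version}-%{release}` also mislabels a CentOS 6 rebuild.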
@@ -587,11 +582,6 @@
 %endif
 %if %{WITH_SELINUX}
 	--with-selinux --with-audit=linux \
-%ifnarch ppc
-	--with-sandbox=seccomp_filter \
-%else
-	--with-sandbox=rlimit \
-%endif
 %endif
 %if %{kerberos5}
 	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
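Review bot: Removing the `--with-sandbox=seccomp_filter` / `--with-sandbox=rlimit` block leaves the choice of pre-authentication sandbox to configure's auto-detection, and the spec no longer records which one the CentOS 6 build ends up with. If seccomp_filter cannot be used on that kernel, pin `--with-sandbox=rlimit` explicitly so the package can never silently build without a sandbox.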
@@ -633,7 +623,7 @@
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
+%configure --with-selinux --libexecdir=/%{_lib}/security
 make
 popd
 %endif
@@ -643,52 +633,38 @@
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
-    fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
+    fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh \
+    fipshmac $RPM_BUILD_ROOT%{_sbindir}/sshd \
 %{nil}
 
-%check
-#to run tests use "--with check"
-%if %{?_with_check:1}%{!?_with_check:0}
-make tests
-%endif
-
 %install
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 make install DESTDIR=$RPM_BUILD_ROOT
+%if %{ldap}
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
+%endif
 
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
 install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
-install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
-install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
-install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
-install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
-install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 
-#restore slogin symlink
-pushd $RPM_BUILD_ROOT%{_bindir}
-ln -s ./ssh slogin
-pushd $RPM_BUILD_ROOT%{_mandir}/man1
-ln -s ./ssh.1 slogin.1
-popd; popd;
-
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif
 
+rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
+
 %if ! %{no_gnome_askpass}
 ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
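Review bot: The `%check` section is deleted outright although it only ran when the build was invoked with `--with check`, so keeping it cost nothing. For a hand-ported sshd it is the cheapest way to run `make tests` against the rebuilt binaries; keep the section unless the tests cannot run on CentOS 6, and say so in the changelog if that is the case.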
@@ -702,6 +678,11 @@
 
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 
+rm -f README.nss.nss-keys
+%if ! %{nss}
+rm -f README.nss
+%endif
+
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -715,48 +696,55 @@
 
 %pre server
 getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
+%if %{nologin}
 getent passwd sshd >/dev/null || \
-  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
+  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd  -s /sbin/nologin \
   -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+%else
+getent passwd sshd >/dev/null || \
+  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd  -s /sbin/nologin \
+  -s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
+%endif
 
 %post server
-%systemd_post sshd.service sshd.socket
-
-%preun server
-%systemd_preun sshd.service sshd.socket
+/sbin/chkconfig --add sshd
 
 %postun server
-%systemd_postun_with_restart sshd.service
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
+
+%preun server
+if [ "$1" = 0 ]
+then
+	/sbin/service sshd stop > /dev/null 2>&1 || :
+	/sbin/chkconfig --del sshd
+fi
 
 %files
 %defattr(-,root,root)
-%{!?_licensedir:%global license %%doc}
-%license LICENCE
-%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL PROTOCOL.agent PROTOCOL.certkeys README* TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
 %if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
+%attr(4755,root,root) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %endif
 
 %files clients
 %defattr(-,root,root)
 %attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
+%attr(0644,root,root) %{_bindir}/.ssh.hmac
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(0755,root,root) %{_bindir}/slogin
-%attr(0644,root,root) %{_mandir}/man1/slogin.1*
+#%attr(0755,root,root) %{_bindir}/slogin
+#%attr(0644,root,root) %{_mandir}/man1/slogin.1*
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %if ! %{rescue}
-%attr(2111,root,nobody) %{_bindir}/ssh-agent
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
 %attr(0755,root,root) %{_bindir}/sftp
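Review bot: `ssh-keysign` changes from `%attr(2111,root,ssh_keys)` to `%attr(4755,root,root)`, which makes the helper setuid root instead of setgid to a dedicated group, and `ssh-agent` goes from 2111 to 2755; neither change is explained. If the reason is that CentOS 6 has no `ssh_keys` group, say so in the changelog and confirm the installed sshd-keygen does not expect that group. In `%pre server`, both useradd calls now pass `-s` twice, and the `%else` branch passes `-s /sbin/nologin` followed by `-s /dev/null`; keep one shell per branch.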
@@ -774,9 +762,10 @@
 %files server
 %defattr(-,root,root)
 %dir %attr(0711,root,root) %{_var}/empty/sshd
+%doc HOWTO.ssh-keycat
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_sbindir}/sshd-keygen
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
+%attr(0644,root,root) %{_sbindir}/.sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
 %attr(0644,root,root) %{_mandir}/man5/moduli.5*
@@ -785,21 +774,15 @@
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
-%attr(0644,root,root) %{_unitdir}/sshd.service
-%attr(0644,root,root) %{_unitdir}/sshd@.service
-%attr(0644,root,root) %{_unitdir}/sshd.socket
-%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-
-%files server-sysvinit
-%defattr(-,root,root)
 %attr(0755,root,root) /etc/rc.d/init.d/sshd
+#%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
+#%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
 %endif
 
 %if %{ldap}
 %files ldap
 %defattr(-,root,root)
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
 %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
@@ -812,6 +795,11 @@
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
 
+%files cavs
+%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
+
 %if ! %{no_gnome_askpass}
 %files askpass
 %defattr(-,root,root)
@@ -820,21 +808,19 @@
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
 %endif
 
-%files cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
-
 %if %{pam_ssh_agent}
 %files -n pam_ssh_agent_auth
 %defattr(-,root,root)
-%{!?_licensedir:%global license %%doc}
-%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
-%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/LICENSE.OpenSSL
+%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
 %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
 %endif
 
 %changelog
+* Wed Apr 14 2021 Danilo Godec <danilo.godec@agenda.si> 
+- Adapted the source RPM for building on CentOS 6.10
+
 * Tue Jun 25 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-21 + 0.10.3-2
 - Avoid double comma in the default cipher list in FIPS mode (#1722446)
 
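Review bot: The new `%changelog` entry carries no version-release after the e-mail address, and `openssh_rel` stays at 21, so apart from `%{?dist}` the rebuilt package has the same version and release as the CentOS 7 build it was derived from. Bump the release or add a local suffix, and put the resulting version on the changelog line, so a locally built sshd can be told apart from a vendor package when auditing patch levels.
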
Obviously, this is a temporary fix and we'll all have to migrate to a more up-to-date distro eventually.