3 # Uncomment this to turn on verbose mode.
6 include /usr/share/hardening-includes/hardening.make
8 # This has to be exported to make some magic below work.
11 ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
17 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
23 DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
24 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
26 ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
29 CC := $(DEB_HOST_GNU_TYPE)-gcc
33 DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
34 DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)
36 # Take account of old dpkg-architecture output.
37 ifeq ($(DEB_HOST_ARCH_OS),)
38 DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM))
39 ifeq ($(DEB_HOST_ARCH_OS),gnu)
40 DEB_HOST_ARCH_OS := hurd
43 ifeq ($(DEB_HOST_ARCH_CPU),)
44 DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)
45 ifeq ($(DEB_HOST_ARCH_CPU),x86_64)
46 DEB_HOST_ARCH_CPU := amd64
50 ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:))
51 ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:))
52 # Apparently this is not implied by -fPIE, at least on the mipsen.
58 # Change the version string to include the Debian version
59 SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
61 DISTRIBUTOR := $(shell lsb_release -is 2>/dev/null || echo Debian)
62 ifeq ($(DISTRIBUTOR),Ubuntu)
63 DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
65 DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
67 SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
69 # Common path configuration.
70 confflags += --sysconfdir=/etc/ssh
72 # Common build options.
73 confflags += --disable-strip
74 confflags += --with-mantype=doc
75 confflags += --with-4in6
76 confflags += --with-privsep-path=/var/run/sshd
77 confflags += --without-rand-helper
79 # The Hurd needs libcrypt for res_query et al.
80 ifeq ($(DEB_HOST_ARCH_OS),hurd)
81 confflags += --with-libs=-lcrypt
84 # Everything above here is common to the deb and udeb builds.
85 confflags_udeb := $(confflags)
87 # Options specific to the deb build.
88 confflags += --with-tcp-wrappers
89 confflags += --with-pam
90 confflags += --with-libedit
91 confflags += --with-kerberos5=/usr
92 confflags += --with-ssl-engine
93 ifeq ($(DEB_HOST_ARCH_OS),linux)
94 confflags += --with-selinux
97 # The deb build wants xauth; the udeb build doesn't.
98 confflags += --with-xauth=/usr/bin/xauth
99 confflags_udeb += --without-xauth
101 # Default paths. The udeb build has /usr/bin/X11 and /usr/games removed.
102 confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
103 confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
106 cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS)
107 cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
108 cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
110 cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
111 confflags += --with-cflags='$(cflags)'
112 confflags_udeb += --with-cflags='$(cflags_udeb)'
115 confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))'
116 confflags_udeb += --with-ldflags='-Wl,--as-needed'
121 override_dh_auto_configure:
122 dh_auto_configure -Bbuild-deb -- $(confflags)
123 dh_auto_configure -Bbuild-udeb -- $(confflags_udeb)
125 override_dh_auto_build:
126 # Debian's /var/log/btmp has inappropriate permissions.
127 perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h
128 perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h
130 # Avoid libnsl linkage. Ugh.
131 perl -pi -e 's/ +-lnsl//' build-udeb/config.status
132 cd build-udeb && ./config.status
134 $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
135 $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen
137 $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed'
139 override_dh_auto_test:
140 ifeq ($(RUN_TESTS),yes)
141 $(MAKE) -C debian/tests
144 override_dh_auto_clean:
145 rm -rf build-deb build-udeb
146 ifeq ($(RUN_TESTS),yes)
147 $(MAKE) -C debian/tests clean
149 $(MAKE) -C contrib clean
150 (cat debian/copyright.head; iconv -f ISO-8859-1 -t UTF-8 LICENCE) \
153 override_dh_auto_install:
154 $(MAKE) -C build-deb DESTDIR=`pwd`/debian/tmp install-nokeys
157 rm -f debian/tmp/etc/ssh/sshd_config
159 dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing
160 dh_install -popenssh-client-udeb -popenssh-server-udeb \
161 --sourcedir=build-udeb
163 install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass
165 install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server
166 install -o root -g root -m 644 debian/openssh-server.ufw.profile debian/openssh-server/etc/ufw/applications.d/openssh-server
168 # Remove version control tags to avoid unnecessary conffile
169 # resolution steps for administrators.
170 sed -i '/\$$OpenBSD:/d' \
171 debian/openssh-client/etc/ssh/moduli \
172 debian/openssh-client/etc/ssh/ssh_config
174 override_dh_installdocs:
175 dh_installdocs -Nopenssh-server -Nssh
176 dh_installdocs -popenssh-server -pssh --link-doc=openssh-client
177 # Avoid breaking dh_installexamples later.
178 mkdir -p debian/openssh-server/usr/share/doc/openssh-client
180 override_dh_installinit:
181 dh_installinit -n --name ssh
183 override_dh_installpam:
184 dh_installpam --name sshd
186 override_dh_fixperms:
188 chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
190 override_dh_installdeb:
192 perl -i debian/substitute-conffile.pl \
193 ETC_SSH_MODULI debian/openssh-client/etc/ssh/moduli \
194 ETC_SSH_SSH_CONFIG debian/openssh-client/etc/ssh/ssh_config \
195 debian/openssh-client/DEBIAN/preinst
196 # Yes, ETC_PAM_D_SSH is meant to be spelled that way, to match the
197 # old configuration file name we need to transfer.
198 perl -i debian/substitute-conffile.pl \
199 ETC_DEFAULT_SSH debian/openssh-server/etc/default/ssh \
200 ETC_INIT_D_SSH debian/openssh-server/etc/init.d/ssh \
201 ETC_PAM_D_SSH debian/openssh-server/etc/pam.d/sshd \
202 debian/openssh-server/DEBIAN/preinst
205 wget -O - http://www.openssh.org/faq.html | \
206 sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \
209 # You only need to run this immediately after checking out the package from
213 set -e; for patch in $$(quilt series | tac); do \
214 patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \