Upgrade OEL5.5 to openssh-5.6p1-1.x86_64.rpm

Current Oracle Enterprise Linux 5.5 includes the following ssh packages:

openssh-askpass-4.3p2-41.el5
openssh-4.3p2-41.el5
openssh-clients-4.3p2-41.el5
openssh-server-4.3p2-41.el5

I needed to upgrade ssh because i needed to take advantage of  ‘Match’ plus ‘ChrootDirectory’ directives.

     ChrootDirectory (appeared in version 4.8p1)
             Specifies the pathname of a directory to chroot(2) to after authentication.

     Match  
             Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the
             following lines override those set in the global section of the config file, until either another Match line
             or the end of the file.

The main objective of my requirement to upgrade is to Chroot some users and limit ssh console access to scp or sftp.
Initially i tried rssh and make_chroot_jail.sh while both worked well i also wanted to try it the openssh way.  Using rss and mcj is discussed on the respective links given.

This post will focus on upgrading Openssh to 5.6p1  or later by building an rpm from source.

For whatever reason you also needed to upgrade SSH to the latest version available in openssh.org site ( openssh 5.6p1 as of Jan 17, 2011 ) here are the procedures and steps, and links to 64bit binaries that I built. The reason i built the packages from source is i can’t find any precompiled binaries for OEL 5.5 64bit as of this writing.

1- Make sure you have the required build and development tools installed on your machine
      gcc automake autoconf libtool make openssl-devel pam-devel rpm-build  

2- Download the latest source package and digital signature from openssh mirror sites.
      wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz
      wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz.asc

3- Import and validate the downloaded package ( optional )
      wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg –import
      gpg openssh-5.6p1.tar.gz.asc

4- Extract and setup the build environment ( as root user)
      tar zxvf openssh-5.6p1.tar.gz
      cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
      cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/


5- Remove definitions for gui from spec file (this reduces dependencies required while building)
      cd /usr/src/redhat/SPECS/
        perl -i.bak -pe ‘s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ openssh.spec

6- Build.
        rpmbuild -bb openssh.spec

7- After the successful build there will be 3 rpm
        cd /usr/src/redhat/RPMS/`uname -i`
        ls -l
        openssh-5.6p1-1.x86_64.rpm
        openssh-clients-5.6p1-1.x86_64.rpm
        openssh-server-5.6p1-1.x86_64.rpm

8- Install the new packages (it may be necessary to remove openssh-askpass before proceeding)
        rpm -e openssh-askpass
        rpm -Uvh openssh-* –test
        rpm -Uvh openssh-*

Troubleshooting:

– if you get errors similar to quoted below, edit the spec file and comment the references to kerberos.
     /usr/bin/ld: skipping incompatible /usr/lib/libkrb5.so when searching for -lkrb5
     /usr/bin/ld: cannot find -lkrb5

-After installation, service ssh restart throws a warning that initlog is obsolete. I work around this by keeping a copy of the old /etc/init.d/sshd and restoring it after RPM installation. Or patch the /etc/init.d/sshd:

--- contrib/redhat/sshd.init.foo  2005-01-03 17:22:08.326317216 -0500
+++ contrib/redhat/sshd.init      2005-01-03 17:22:20.483469048 -0500
@@ -104,7 +104,7 @@
        do_dsa_keygen

        echo -n $"Starting $prog:"
-       initlog -c "$SSHD $OPTIONS" && success || failure
+       $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
        echo

References
           http://meshfields.de/sftp-chroot-centos/
           http://binblog.info/2009/02/27/packaging-openssh-on-centos/

Advertisements

About this entry