Upgrade OEL5.5 to openssh-5.6p1-1.x86_64.rpm
Current Oracle Enterprise Linux 5.5 includes the following ssh packages:
openssh-askpass-4.3p2-41.el5
openssh-4.3p2-41.el5
openssh-clients-4.3p2-41.el5
openssh-server-4.3p2-41.el5
I needed to upgrade ssh because I needed to take advantage of the ‘Match’ and ‘ChrootDirectory’ directives.
ChrootDirectory (appeared in version 4.8p1)
Specifies the pathname of a directory to chroot(2) to after authentication.
Match
Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
following lines override those set in the global section of the config file, until either another Match line
or the end of the file.
The main objective of my requirement to upgrade is to Chroot some users and limit ssh console access to scp or sftp.
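The Match plus ChrootDirectory setup that motivates the upgrade, as an added example that is not from the original post. It covers sftp only (scp would need a shell and the scp binary inside the jail), and the group name sftponly and jail root /home/jail are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. The group "sftponly" and the
# jail root /home/jail are assumptions; substitute your own.

# Print the block to append at the END of /etc/ssh/sshd_config. Keywords
# after a Match line apply only to matching logins, so global settings
# must stay above it. %u expands to the user name; that per-user directory
# must be root-owned too, with a user-owned subdirectory for uploads.
sftp_jail_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory $2/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd drops the session ("bad ownership or modes for chroot directory")
# unless every component of the path is a directory owned by root and not
# writable by group or others. Walk from the jail up to / and report the
# first component that breaks the rule. Uses GNU stat.
chroot_path_ok() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 1 ;; esac
    while :; do
        [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
        set -- $(stat -L -c '%u %a' "$p")      # $1 = owner uid, $2 = octal mode
        [ "$1" = 0 ] || { echo "not owned by root: $p" >&2; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "group/other writable: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: sh sftp-jail.sh GROUP JAILROOT
# Checks the jail path, then prints the block to add to sshd_config.
if [ $# -eq 2 ]; then
    chroot_path_ok "$2" && sftp_jail_block "$1" "$2"
fi
```

After appending the block, run sshd -t to check the configuration before restarting the daemon, and keep an existing root session open until a test login works.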
Initially I tried rssh and make_chroot_jail.sh; while both worked well, I also wanted to try it the OpenSSH way. Using rssh and mcj is discussed on the respective links given.
This post will focus on upgrading OpenSSH to 5.6p1 or later by building an rpm from source.
If, for whatever reason, you also need to upgrade SSH to the latest version available on the openssh.org site (OpenSSH 5.6p1 as of Jan 17, 2011), here are the procedures and steps, and links to the 64-bit binaries that I built. I built the packages from source because I couldn’t find any precompiled binaries for OEL 5.5 64-bit as of this writing.
1- Make sure you have the required build and development tools installed on your machine
gcc automake autoconf libtool make openssl-devel pam-devel rpm-build
2- Download the latest source package and digital signature from openssh mirror sites.
wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz
wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz.asc
3- Import and validate the downloaded package ( optional )
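wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import
gpg --verify openssh-5.6p1.tar.gz.asc openssh-5.6p1.tar.gz
(A key fetched over plain HTTP from the same mirror as the tarball only shows that the two files match each other; compare the key fingerprint with one obtained from a separate source.)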
4- Extract and setup the build environment ( as root user)
tar zxvf openssh-5.6p1.tar.gz
cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/
5- Remove definitions for gui from spec file (this reduces dependencies required while building)
cd /usr/src/redhat/SPECS/
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
6- Build.
rpmbuild -bb openssh.spec
7- After a successful build there will be 3 RPMs:
cd /usr/src/redhat/RPMS/`uname -i`
ls -l
openssh-5.6p1-1.x86_64.rpm
openssh-clients-5.6p1-1.x86_64.rpm
openssh-server-5.6p1-1.x86_64.rpm
8- Install the new packages (it may be necessary to remove openssh-askpass before proceeding)
rpm -e openssh-askpass
rpm -Uvh openssh-* --test
rpm -Uvh openssh-*
Troubleshooting:
– If you get errors similar to those quoted below, edit the spec file and comment out the references to Kerberos.
/usr/bin/ld: skipping incompatible /usr/lib/libkrb5.so when searching for -lkrb5
/usr/bin/ld: cannot find -lkrb5
– After installation, service ssh restart throws a warning that initlog is obsolete. I work around this by keeping a copy of the old /etc/init.d/sshd and restoring it after RPM installation. Or patch /etc/init.d/sshd:
--- contrib/redhat/sshd.init.foo 2005-01-03 17:22:08.326317216 -0500 +++ contrib/redhat/sshd.init 2005-01-03 17:22:20.483469048 -0500 @@ -104,7 +104,7 @@ do_dsa_keygen echo -n $"Starting $prog:" - initlog -c "$SSHD $OPTIONS" && success || failure + $SSHD $OPTIONS && success || failure RETVAL=$? [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd echo
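Review bot: the replacement line `$SSHD $OPTIONS && success || failure` expands `$SSHD` unquoted, whereas the removed line passed the whole command to initlog inside double quotes; write it as `"$SSHD" $OPTIONS && success || failure` so the daemon path stays a single word while `$OPTIONS` still splits into separate arguments. Also, `RETVAL=$?` on the following context line records the status of whichever of `success` or `failure` ran last rather than that of `$SSHD` itself, so the `touch /var/lock/subsys/sshd` step is only correct if those helpers return a matching status; capturing the daemon's exit status directly before calling them would make that explicit.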
References
http://meshfields.de/sftp-chroot-centos/
http://binblog.info/2009/02/27/packaging-openssh-on-centos/
About this entry
You’re currently reading “Upgrade OEL5.5 to openssh-5.6p1-1.x86_64.rpm,” an entry on Joey Out Of The Box
- Published: 2011-Jan-17 @ 8:34 am
- Category: General