In this tutorial we will create rpm package of OpenSSH version 6.7 stable version and will do OpenSSH upgrade. You may be wondering why it is required to create rpm package of OpenSSH version. The answer is because of CVE-2014-2532 .

We recently notified with the CVE-2014-2532 , which is a openssh AcceptEnv environment restriction bypass flaw .

Description of CVE-2014-2532

It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6

Practical Overview :

1. Creating rpm package from OpenSSH 6.7 tar ball .
2. Upgrading OpenSSH to new version 6.7 .

Precaution while upgrading openssh to new version

1. Take the backup of ssh configuration file that is /etc/ssh
2. Take the backup of pam file that is /etc/pam.d/sshd
3. If working remotely via command line only then install telnet server as a second option for login. (Read the tutorial on how to install telnet server)

Create OpenSSH rpm package

At the time of writing this post we have not found OpenSSH 6.7 version rpm package available from reliable repo. Hence, decided to create our own rpm package.

1. Install required packages for creating OpenSSH rpm package

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

2. Create directories for building rpm

mkdir -p /usr/src/redhat/{SOURCES,SPECS}

It will create new directories
(a)/usr/src/redhat/
(b)/usr/src/redhat/SOURCES
(c)/usr/src/redhat/SPECS

3. Download latest OpenSSH package inside /usr/src/redhat/SOURCES/
Download link : https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

cd /usr/src/redhat/SOURCES/
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz.asc

4. Extract spec file and move to /usr/src/redhat/SPECS directory.

cd /usr/src/redhat/SOURCES/
tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec
mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/

5. Change ownership and group of extracted spec file

chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec

6. By using sed command we will disable the ask-pass and replace the deprecated
BuildPreReq with BuildRequires command in spec file.

sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec

7. Now run rpmbuild command .

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

Actually we got one message after running this command that “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory” .

Hence, we will copy the openssh-6.7p1.tar.gz to /root/rpmbuild/SOURCES/

cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/

8. Now re-run the command once again. I hope this time, it will be successful.

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

9. You can find the rpm package in /root/rpmbuild/RPMS/x86_64

cd /root/rpmbuild/RPMS/x86_64
ls -lhrt

Below given is reference from our system

[root@localhost x86_64]# ls
openssh-6.7p1-1.x86_64.rpm  openssh-clients-6.7p1-1.x86_64.rpm  openssh-debuginfo-6.7p1-1.x86_64.rpm  openssh-server-6.7p1-1.x86_64.rpm
[root@localhost x86_64]# pwd
/root/rpmbuild/RPMS/x86_64
[root@localhost x86_64]#

Now you have got the rpm files built from Openssh tar ball.

Next Step : Take backup of ssh

This section is very important, we will take backup of ssh. Because when we upgrade the current OpenSSH to new version 6.7 , PAM configuration files related to ssh will be changes.

1. Take backup of ssh configuration directory

cd ~
tar -cvzf etc_ssh.tar.gx /etc/ssh

2. Take backup of pam.d/sshd file . (Very very important, do not forget)

cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`

Upgrade OpenSSH server to version 6.7

Before upgrading to OpenSSH 6.7 version, it is very very important to take ssh backup(Read above section for SSH backup)

Reason: After upgrade the /etc/pam.d/sshd file parameters is incompatible.

Note: We suggest you to follow this procedure in some test machine.So that you will be aware about the issue which may come after upgrade.

1. To upgrade to OpenSSH version 6.7 , run the below given command .

ls -l /root/rpmbuild/RPMS/x86_64/

rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

2. Take backup copy of after upgrade sshd pam file

cp -p /etc/pam.d/sshd /root/sshd.afterupgrade 

3. Now restore original sshd pam file inside /etc/pam.d

cp /root/sshd.orig /etc/pam.d/sshd

4. Now edit /etc/ssh/sshd_config file and enable UsePAM . (Read this post for reason)

vi /etc/ssh/sshd_config
..
UsePAM yes
..

5. We will regenerate new ssh keys by removing old keys. (Read this post for reason)

rm /etc/ssh/ssh*key

6. Now restart the ssh service

On CentOS 7 / RHEL 7

systemctl restart sshd

On CentOS 6 / Amazon Linux

service sshd restart

7. Now try to connect from remote machine via ssh .

You can download already made OpenSSH rpm files from our Github repo.
Github Repo URL : https://github.com/sharadchhetri/misc

Read Some More Articles

27 Comments

  1. Hi,

    Thank you for the guide. I have successfully built RPM from the source for Opnessh 7.0p1.

    I am using RHEL6.5 and after upgrading to Openssh 7.0p1 from Openssh5.3p1 not able to login to the machine with any account. I set “UsePAM no”.

    Kindly help.

    Regards,
    Nagaraju R

    1. Hi Nagaraju,

      If you can provide the error on screen that will be helpful.
      You can also debug by using -vvvv param, may get some clue over there . example. ssh -vvvv username@ipaddress

      Regards
      Sharad

  2. aftter doing all the above steps, now i am unable to login via putty
    error msg is access denied

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.