In this tutorial we will build an RPM package of the OpenSSH 6.7 stable release and use it to upgrade OpenSSH. You may be wondering why it is necessary to build our own RPM package of this OpenSSH version. The answer is CVE-2014-2532.
We were recently notified of CVE-2014-2532, which is an OpenSSH AcceptEnv environment restriction bypass flaw.
Description of CVE-2014-2532
It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6
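As an added example (not part of the original post), here is a small audit helper for the directive this flaw concerns: it lists every AcceptEnv pattern in an sshd_config that uses a wildcard, so those entries can be reviewed, or replaced with explicit variable names, on hosts that are still running a version older than 6.6. The config path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: list AcceptEnv patterns in an
# sshd_config that use the wildcards (* or ?) that CVE-2014-2532 concerns on
# OpenSSH older than 6.6. Returns 0 when none are found, 1 otherwise.
# Usage: audit_acceptenv /etc/ssh/sshd_config
audit_acceptenv() {
    awk '
        # sshd treats only whole-line comments as comments; skip those and blank lines
        /^[ \t]*#/ || NF == 0 { next }
        # sshd also accepts "Keyword=value", so turn the first "=" into a separator
        { sub(/=/, " ") }
        # keywords are case-insensitive; every remaining field is an AcceptEnv pattern
        tolower($1) == "acceptenv" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /[*?]/) {
                    print "wildcard AcceptEnv pattern: " $i
                    bad++
                }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```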
Practical overview:
1. Creating an RPM package from the OpenSSH 6.7 tarball.
2. Upgrading OpenSSH to the new version 6.7.
Precautions while upgrading OpenSSH to the new version
1. Take a backup of the ssh configuration directory, /etc/ssh.
2. Take a backup of the PAM file, /etc/pam.d/sshd.
3. If you are working remotely via the command line only, install a telnet server as a fallback way to log in (telnet is unencrypted, so remove it again once ssh is confirmed working). (Read the tutorial on how to install a telnet server.)
Create the OpenSSH RPM package
At the time of writing this post we had not found an OpenSSH 6.7 RPM package available from a reliable repo. Hence we decided to build our own RPM package.
1. Install the packages required to build the OpenSSH RPM package
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
2. Create the directories for building the RPM
mkdir -p /usr/src/redhat/{SOURCES,SPECS}
This creates the following new directories:
(a) /usr/src/redhat/
(b) /usr/src/redhat/SOURCES
(c) /usr/src/redhat/SPECS
3. Download the latest OpenSSH tarball and its signature into /usr/src/redhat/SOURCES/
Download link : https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
cd /usr/src/redhat/SOURCES/
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz.asc
4. Extract the spec file and move it to the /usr/src/redhat/SPECS directory.
cd /usr/src/redhat/SOURCES/
tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec
mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/
5. Change the owner and group of the extracted spec file
chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec
6. Using sed, we disable the askpass helpers and replace the deprecated BuildPreReq tag with BuildRequires in the spec file.
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec
7. Now run the rpmbuild command.
cd /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec
When we ran this command we actually got the message “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory”, because rpmbuild looks for the sources under /root/rpmbuild/SOURCES.
Hence we copy openssh-6.7p1.tar.gz (and its .asc signature) to /root/rpmbuild/SOURCES/
cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/
8. Now re-run the command; this time it should succeed.
cd /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec
9. You can find the RPM packages in /root/rpmbuild/RPMS/x86_64
cd /root/rpmbuild/RPMS/x86_64
ls -lhrt
Below is the reference output from our system:
[root@localhost x86_64]# ls
openssh-6.7p1-1.x86_64.rpm openssh-clients-6.7p1-1.x86_64.rpm openssh-debuginfo-6.7p1-1.x86_64.rpm openssh-server-6.7p1-1.x86_64.rpm
[root@localhost x86_64]# pwd
/root/rpmbuild/RPMS/x86_64
[root@localhost x86_64]#
Now you have the RPM files built from the OpenSSH tarball.
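As an added example (not the post's own commands), the script below wraps the spec extraction, edit and build steps above with two checks a practitioner would want before rpmbuild runs: the tarball is verified against the .asc signature downloaded in step 3, and the spec edits from step 6 are confirmed to have actually applied. It assumes the OpenSSH release signing key is already imported into root's gpg keyring, and the paths and version match those used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the spec extraction, edit
# and build steps with two checks before rpmbuild runs. The tarball must verify
# against its detached .asc signature, and the spec edits must really have
# applied (a silently unchanged spec would otherwise build the askpass helpers).
# Assumes the OpenSSH release signing key is already in root's gpg keyring.
SOURCES=/usr/src/redhat/SOURCES
SPECS=/usr/src/redhat/SPECS
VERSION=6.7p1

# Return 0 only if gpg accepts the detached signature for the tarball.
verify_tarball() {
    gpg --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Apply the step 6 edits, then confirm each expected line is present and no
# BuildPreReq tag remains. Returns 1 if the spec does not look as expected.
patch_spec() {
    spec="$1"
    sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
           -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
           -e 's/BuildPreReq/BuildRequires/g' "$spec" || return 1
    grep -q '^%define no_gnome_askpass 1' "$spec" &&
        grep -q '^%define no_x11_askpass 1' "$spec" &&
        ! grep -q 'BuildPreReq' "$spec"
}

# Full flow: verify, unpack only the spec, patch it, stage the sources where
# rpmbuild expects them (the error seen in step 7), then build.
build_openssh_rpm() {
    tarball="$SOURCES/openssh-$VERSION.tar.gz"
    verify_tarball "$tarball" || { echo "signature check failed: $tarball" >&2; return 1; }
    mkdir -p "$SPECS" /root/rpmbuild/SOURCES || return 1
    cd "$SOURCES" || return 1
    tar xfz "$tarball" "openssh-$VERSION/contrib/redhat/openssh.spec" || return 1
    mv "openssh-$VERSION/contrib/redhat/openssh.spec" "$SPECS/" || return 1
    patch_spec "$SPECS/openssh.spec" || { echo "spec edits did not apply" >&2; return 1; }
    cp -v "$tarball" "$tarball.asc" /root/rpmbuild/SOURCES/ || return 1
    (cd "$SPECS" && rpmbuild -ba openssh.spec)
}

# Run the whole flow only when invoked as "sh build.sh build".
if [ "${1-}" = build ]; then build_openssh_rpm; fi
```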
Next step: take a backup of ssh
This section is very important: we will take a backup of ssh, because when we upgrade the current OpenSSH to the new version 6.7, the PAM configuration file for sshd will be changed.
1. Take a backup of the ssh configuration directory
cd ~
tar -cvzf etc_ssh.tar.gz /etc/ssh
2. Take a backup of the pam.d/sshd file. (Very important; do not forget.)
cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`
Upgrade the OpenSSH server to version 6.7
Before upgrading to OpenSSH 6.7, it is very important to take the ssh backup (read the section above on the SSH backup).
Reason: after the upgrade, the parameters in the /etc/pam.d/sshd file are incompatible.
Note: We suggest you follow this procedure on a test machine first, so that you are aware of the issues that may come up after the upgrade.
1. To upgrade to OpenSSH version 6.7, run the commands given below.
ls -l /root/rpmbuild/RPMS/x86_64/
rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
2. Take a backup copy of the post-upgrade sshd PAM file
cp -p /etc/pam.d/sshd /root/sshd.afterupgrade
3. Now restore the original sshd PAM file (the copy taken in the backup section) into /etc/pam.d, where YYYY-MM-DD is the date the backup was taken
cp -p /root/sshd.orig.YYYY-MM-DD /etc/pam.d/sshd
4. Now edit the /etc/ssh/sshd_config file and enable UsePAM. (Read this post for the reason.)
vi /etc/ssh/sshd_config
..
UsePAM yes
..
5. We will regenerate new ssh host keys by removing the old ones, so that fresh keys are generated when sshd is restarted in the next step. (Read this post for the reason.) Note that clients which have the old host key cached in their known_hosts file will get a host key mismatch warning on their next connection.
rm /etc/ssh/ssh*key
6. Now restart the ssh service
On CentOS 7 / RHEL 7
systemctl restart sshd
On CentOS 6 / Amazon Linux
service sshd restart
7. Now try to connect from a remote machine via ssh.
You can download the ready-made OpenSSH RPM files from our GitHub repo.
GitHub repo URL: https://github.com/sharadchhetri/misc
Hi,
Thank you for the guide. I have successfully built the RPM from the source for OpenSSH 7.0p1.
I am using RHEL 6.5 and after upgrading to OpenSSH 7.0p1 from OpenSSH 5.3p1 I am not able to log in to the machine with any account. I set “UsePAM no”.
Kindly help.
Regards,
Nagaraju R
Hi Nagaraju,
If you can provide the error on screen that will be helpful.
You can also debug by using the -vvvv param; you may get some clue there. Example: ssh -vvvv username@ipaddress
Regards
Sharad
After doing all the above steps, now I am unable to log in via PuTTY.
The error message is access denied.
Hello Naveen,
I hope you have tested this on a staging/test machine.
Could you elaborate which OS and OpenSSH version you are using?
Regards
Sharad
Hey, got an error with “slogin missing”