In this tutorial we will create rpm package of OpenSSH version 6.7 stable version and will do OpenSSH upgrade. You may be wondering why it is required to create rpm package of OpenSSH version. The answer is because of CVE-2014-2532 .
We recently notified with the CVE-2014-2532 , which is a openssh AcceptEnv environment restriction bypass flaw .
Description of CVE-2014-2532
It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6
Practical Overview :
1. Creating rpm package from OpenSSH 6.7 tar ball .
2. Upgrading OpenSSH to new version 6.7 .
Precaution while upgrading openssh to new version
1. Take the backup of ssh configuration file that is /etc/ssh
2. Take the backup of pam file that is /etc/pam.d/sshd
3. If working remotely via command line only then install telnet server as a second option for login. (Read the tutorial on how to install telnet server)
Create OpenSSH rpm package
At the time of writing this post we have not found OpenSSH 6.7 version rpm package available from reliable repo. Hence, decided to create our own rpm package.
1. Install required packages for creating OpenSSH rpm package
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
2. Create directories for building rpm
mkdir -p /usr/src/redhat/{SOURCES,SPECS}
It will create new directories
(a)/usr/src/redhat/
(b)/usr/src/redhat/SOURCES
(c)/usr/src/redhat/SPECS
3. Download latest OpenSSH package inside /usr/src/redhat/SOURCES/
Download link : https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
cd /usr/src/redhat/SOURCES/ wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz.asc
4. Extract spec file and move to /usr/src/redhat/SPECS directory.
cd /usr/src/redhat/SOURCES/ tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/
5. Change ownership and group of extracted spec file
chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec
6. By using sed command we will disable the ask-pass and replace the deprecated
BuildPreReq with BuildRequires command in spec file.
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec
7. Now run rpmbuild command .
cd /usr/src/redhat/SPECS/ rpmbuild -ba openssh.spec
Actually we got one message after running this command that “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory” .
Hence, we will copy the openssh-6.7p1.tar.gz to /root/rpmbuild/SOURCES/
cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/
8. Now re-run the command once again. I hope this time, it will be successful.
cd /usr/src/redhat/SPECS/ rpmbuild -ba openssh.spec
9. You can find the rpm package in /root/rpmbuild/RPMS/x86_64
cd /root/rpmbuild/RPMS/x86_64 ls -lhrt
Below given is reference from our system
[root@localhost x86_64]# ls openssh-6.7p1-1.x86_64.rpm openssh-clients-6.7p1-1.x86_64.rpm openssh-debuginfo-6.7p1-1.x86_64.rpm openssh-server-6.7p1-1.x86_64.rpm [root@localhost x86_64]# pwd /root/rpmbuild/RPMS/x86_64 [root@localhost x86_64]#
Now you have got the rpm files built from Openssh tar ball.
Next Step : Take backup of ssh
This section is very important, we will take backup of ssh. Because when we upgrade the current OpenSSH to new version 6.7 , PAM configuration files related to ssh will be changes.
1. Take backup of ssh configuration directory
cd ~ tar -cvzf etc_ssh.tar.gx /etc/ssh
2. Take backup of pam.d/sshd file . (Very very important, do not forget)
cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`
Upgrade OpenSSH server to version 6.7
Before upgrading to OpenSSH 6.7 version, it is very very important to take ssh backup(Read above section for SSH backup)
Reason: After upgrade the /etc/pam.d/sshd file parameters is incompatible.
Note: We suggest you to follow this procedure in some test machine.So that you will be aware about the issue which may come after upgrade.
1. To upgrade to OpenSSH version 6.7 , run the below given command .
ls -l /root/rpmbuild/RPMS/x86_64/ rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
2. Take backup copy of after upgrade sshd pam file
cp -p /etc/pam.d/sshd /root/sshd.afterupgrade
3. Now restore original sshd pam file inside /etc/pam.d
cp /root/sshd.orig /etc/pam.d/sshd
4. Now edit /etc/ssh/sshd_config file and enable UsePAM . (Read this post for reason)
vi /etc/ssh/sshd_config .. UsePAM yes ..
5. We will regenerate new ssh keys by removing old keys. (Read this post for reason)
rm /etc/ssh/ssh*key
6. Now restart the ssh service
On CentOS 7 / RHEL 7
systemctl restart sshd
On CentOS 6 / Amazon Linux
service sshd restart
7. Now try to connect from remote machine via ssh .
You can download already made OpenSSH rpm files from our Github repo.
Github Repo URL : https://github.com/sharadchhetri/misc
Hello
I have tried these steps on redhat 6.7 and it failed,
Please advise
thanks for this guide – extremely helpful. I had to upgrade openssh on an amazon linux EC2 instance to version 6.7 or above and amazon repository only had up to 6.6.1 – i required 6.7 for PCI DSS compliance and your article helped me upgrade to 7.1 without problems, but most importantly I felt safe in the knowledge I could revert (and still connect) should things go wrong. has been a massive help for me . cheers
Hello Phile,
Thanks for giving feedback. It is always safe to take backup and in AWS you can take snapshat of volume or AMI of instance.
Cheers !
Regards
Sharad
I had already run step 6 the first time.I had also moved your 6.7 version rpms to a custom repo and used yum to update and it fixed the first dependency issue regarding askpass.
cd /root/rpmbuild/RPMS/x86_64
ls -lhrt
-rw-r–r–. 1 root root 403K Aug 20 15:31 openssh-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 557K Aug 20 15:31 openssh-clients-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 375K Aug 20 15:31 openssh-server-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 17K Aug 20 15:31 openssh-debuginfo-6.7p1-1.x86_64.rpm
As you can see openssh-6.7p1-1 is there first, yet install complains about not finding it.Should I remove its architecture part x86_64? Thank you
Hi Sharad and thank you for your swift response.
I have upgraded from openssh5.3 to 6.1
Because of that dependency issue, I downloaded openssh 6.1 version complained about.Output after running:
rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
warning: /root/rpmbuild/RPMS/x86_64/openssh-6.6p1-1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e9bc4ae1: NOKEY
warning: package openssh-clients = 6.6p1-1.el6 was already added, replacing with openssh-clients > 6.7p1-1
warning: package openssh-server = 6.6p1-1.el6 was already added, replacing with openssh-server > 6.7p1-1
error: Failed dependencies:
openssh = 6.7p1-1 is needed by openssh-clients-6.7p1-1.x86_64
openssh = 6.7p1-1 is needed by openssh-server-6.7p1-1.x86_64
Could it be due to step 6 in your tutorial:6. By using sed command we will disable the ask-pass
Hello Mordik,
Yes, you should run the step 6 as BuildPreReq with BuildRequires are deprecated.
Try again.
Regards
Sharad
# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
error: Failed dependencies:
openssh = 6.6p1-1.el6 is needed by (installed) openssh-askpass-6.6p1-1.el6.x86_64
Hello Mordik,
Can you share the info which OpenSSH version are you trying.
I have created rpm and this can be receive from https://github.com/sharadchhetri/misc.
Regards
Sharad
I have this problem.
$ service sshd restart
Stopping sshd: [ OK ]
lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd: [ OK ]
Hello Dajing,
Try this link https://sharadchhetri.com/2015/01/17/error-not-load-host-key/
Regards
Sharad