In this tutorial we will create rpm package of OpenSSH version 6.7 stable version and will do OpenSSH upgrade. You may be wondering why it is required to create rpm package of OpenSSH version. The answer is because of CVE-2014-2532 .
We recently notified with the CVE-2014-2532 , which is a openssh AcceptEnv environment restriction bypass flaw .
Description of CVE-2014-2532
It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6
Practical Overview :
1. Creating rpm package from OpenSSH 6.7 tar ball .
2. Upgrading OpenSSH to new version 6.7 .
Precaution while upgrading openssh to new version
1. Take the backup of ssh configuration file that is /etc/ssh
2. Take the backup of pam file that is /etc/pam.d/sshd
3. If working remotely via command line only then install telnet server as a second option for login. (Read the tutorial on how to install telnet server)
Create OpenSSH rpm package
At the time of writing this post we have not found OpenSSH 6.7 version rpm package available from reliable repo. Hence, decided to create our own rpm package.
1. Install required packages for creating OpenSSH rpm package
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
2. Create directories for building rpm
mkdir -p /usr/src/redhat/{SOURCES,SPECS}
It will create new directories
(a)/usr/src/redhat/
(b)/usr/src/redhat/SOURCES
(c)/usr/src/redhat/SPECS
3. Download latest OpenSSH package inside /usr/src/redhat/SOURCES/
Download link : https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
cd /usr/src/redhat/SOURCES/ wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz.asc
4. Extract spec file and move to /usr/src/redhat/SPECS directory.
cd /usr/src/redhat/SOURCES/ tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/
5. Change ownership and group of extracted spec file
chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec
6. By using sed command we will disable the ask-pass and replace the deprecated
BuildPreReq with BuildRequires command in spec file.
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec
7. Now run rpmbuild command .
cd /usr/src/redhat/SPECS/ rpmbuild -ba openssh.spec
Actually we got one message after running this command that “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory” .
Hence, we will copy the openssh-6.7p1.tar.gz to /root/rpmbuild/SOURCES/
cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/
8. Now re-run the command once again. I hope this time, it will be successful.
cd /usr/src/redhat/SPECS/ rpmbuild -ba openssh.spec
9. You can find the rpm package in /root/rpmbuild/RPMS/x86_64
cd /root/rpmbuild/RPMS/x86_64 ls -lhrt
Below given is reference from our system
[root@localhost x86_64]# ls openssh-6.7p1-1.x86_64.rpm openssh-clients-6.7p1-1.x86_64.rpm openssh-debuginfo-6.7p1-1.x86_64.rpm openssh-server-6.7p1-1.x86_64.rpm [root@localhost x86_64]# pwd /root/rpmbuild/RPMS/x86_64 [root@localhost x86_64]#
Now you have got the rpm files built from Openssh tar ball.
Next Step : Take backup of ssh
This section is very important, we will take backup of ssh. Because when we upgrade the current OpenSSH to new version 6.7 , PAM configuration files related to ssh will be changes.
1. Take backup of ssh configuration directory
cd ~ tar -cvzf etc_ssh.tar.gx /etc/ssh
2. Take backup of pam.d/sshd file . (Very very important, do not forget)
cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`
Upgrade OpenSSH server to version 6.7
Before upgrading to OpenSSH 6.7 version, it is very very important to take ssh backup(Read above section for SSH backup)
Reason: After upgrade the /etc/pam.d/sshd file parameters is incompatible.
Note: We suggest you to follow this procedure in some test machine.So that you will be aware about the issue which may come after upgrade.
1. To upgrade to OpenSSH version 6.7 , run the below given command .
ls -l /root/rpmbuild/RPMS/x86_64/ rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
2. Take backup copy of after upgrade sshd pam file
cp -p /etc/pam.d/sshd /root/sshd.afterupgrade
3. Now restore original sshd pam file inside /etc/pam.d
cp /root/sshd.orig /etc/pam.d/sshd
4. Now edit /etc/ssh/sshd_config file and enable UsePAM . (Read this post for reason)
vi /etc/ssh/sshd_config .. UsePAM yes ..
5. We will regenerate new ssh keys by removing old keys. (Read this post for reason)
rm /etc/ssh/ssh*key
6. Now restart the ssh service
On CentOS 7 / RHEL 7
systemctl restart sshd
On CentOS 6 / Amazon Linux
service sshd restart
7. Now try to connect from remote machine via ssh .
You can download already made OpenSSH rpm files from our Github repo.
Github Repo URL : https://github.com/sharadchhetri/misc
Thanks for the guide, I made it almost, but failed with the following errors:
error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*
Any ideas?
Hi Rob,
Check the spec file. This problem I have not seen when I created this rpm. On quick search, I found this relevant answer as a proof of solution. https://www.redhat.com/archives/seawolf-list/2001-June/msg02324.html .
Hope it will work for you. Your feedback on solution is much appreciated.
Regards
Sharad
Hi Sharad,
Turns out, 7.2 got rid of the symbolic link to slogin, but forgot to update the spec file. I commented out the references in the spec file and was able to get it to build.
Hi Rob,
Thanks for the feedback. Enjoy the rpm building.
Regards
Sharad
Hi just wanted to say thanks for this followed your steps and it worked perfectly 🙂
Hello Andy,
Wow, I am super duper happy to receive your affirmative feedback on this practical. I actually created this rpm and implemented on more than 50 AWS EC2 instances without any issue.
I do also believe that yes! after doing some troubleshooting and understanding the error we can overcome from errors.
I am always happy to assist my blog readers for any issue if my busy time allows me.
Regards
Sharad
Hi,
Thank you for the tutorial! Successfully built RPM openssh_7.1p1 (and upgraded).
But I noticed that when rpmbuild is run, the RPM binaries are built with “gcc -g” (debug flags), do you know how this can be prevented and if it is recommended?
Thanks,
soso
Thank You Soso,
I am happy to see many linux users have gone through this tutorial and read my post. For some it was helpful and in some cases they found problem while executing this ‘How To’.
I believe debug is important for error and troubleshooting purpose. And for any software debug is important part and highly recommended.
Honestly, I have not tried without gcc-g on rpmbuild . If you have tried on this then share your inputs.
Regards
Sharad
Hello,
when i reached the step to install the new rpm i got the following
[root@RHEL ~]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
error: Failed dependencies:
openssh = 5.3p1-112.el6_7 is needed by (installed) openssh-askpass-5.3p1-112.el6_7.x86_64
please advice on how to fix this issue
Thanks
Hello Ahmad,
It seems it needs dependency packages. I am not sure which OS version you are working on.
I have already created rpm and placed in my github repo https://github.com/sharadchhetri/misc .
You can download the rpm from github and try once.
Regards
Sharad
Thanks Sharad,
I have redhat 6.7 as my client pci scan ask for openssh 6.x version
Regards,
Ahmad
Hello Ahmad,
We have done this practical on CentOS 7.x / RHEL 7.x and current AWS EC2 instances.
I will suggest you to work on some test machine and try to create rpm.
Have you tried to install rpm which is already available in my github account. Let me know its feedback.
Regards
Sharad
Hello
I have tried these steps on redhat 6.7 and it failed,
Please advise
thanks for this guide – extremely helpful. I had to upgrade openssh on an amazon linux EC2 instance to version 6.7 or above and amazon repository only had up to 6.6.1 – i required 6.7 for PCI DSS compliance and your article helped me upgrade to 7.1 without problems, but most importantly I felt safe in the knowledge I could revert (and still connect) should things go wrong. has been a massive help for me . cheers
Hello Phile,
Thanks for giving feedback. It is always safe to take backup and in AWS you can take snapshat of volume or AMI of instance.
Cheers !
Regards
Sharad
I had already run step 6 the first time.I had also moved your 6.7 version rpms to a custom repo and used yum to update and it fixed the first dependency issue regarding askpass.
cd /root/rpmbuild/RPMS/x86_64
ls -lhrt
-rw-r–r–. 1 root root 403K Aug 20 15:31 openssh-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 557K Aug 20 15:31 openssh-clients-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 375K Aug 20 15:31 openssh-server-6.7p1-1.x86_64.rpm
-rw-r–r–. 1 root root 17K Aug 20 15:31 openssh-debuginfo-6.7p1-1.x86_64.rpm
As you can see openssh-6.7p1-1 is there first, yet install complains about not finding it.Should I remove its architecture part x86_64? Thank you
Hi Sharad and thank you for your swift response.
I have upgraded from openssh5.3 to 6.1
Because of that dependency issue, I downloaded openssh 6.1 version complained about.Output after running:
rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
warning: /root/rpmbuild/RPMS/x86_64/openssh-6.6p1-1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e9bc4ae1: NOKEY
warning: package openssh-clients = 6.6p1-1.el6 was already added, replacing with openssh-clients > 6.7p1-1
warning: package openssh-server = 6.6p1-1.el6 was already added, replacing with openssh-server > 6.7p1-1
error: Failed dependencies:
openssh = 6.7p1-1 is needed by openssh-clients-6.7p1-1.x86_64
openssh = 6.7p1-1 is needed by openssh-server-6.7p1-1.x86_64
Could it be due to step 6 in your tutorial:6. By using sed command we will disable the ask-pass
Hello Mordik,
Yes, you should run the step 6 as BuildPreReq with BuildRequires are deprecated.
Try again.
Regards
Sharad
# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
error: Failed dependencies:
openssh = 6.6p1-1.el6 is needed by (installed) openssh-askpass-6.6p1-1.el6.x86_64
Hello Mordik,
Can you share the info which OpenSSH version are you trying.
I have created rpm and this can be receive from https://github.com/sharadchhetri/misc.
Regards
Sharad
I have this problem.
$ service sshd restart
Stopping sshd: [ OK ]
lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd: [ OK ]
Hello Dajing,
Try this link https://sharadchhetri.com/2015/01/17/error-not-load-host-key/
Regards
Sharad