How to create OpenSSH rpm package and its upgrade

January 18, 2015 by Sharad Chhetri

In this tutorial we will build an rpm package of the stable OpenSSH 6.7 release and use it to upgrade OpenSSH. You may be wondering why it is necessary to build an rpm package of OpenSSH ourselves. The answer is CVE-2014-2532.

We were recently notified of CVE-2014-2532, which is an OpenSSH AcceptEnv environment restriction bypass flaw.

Description of CVE-2014-2532

It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6
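
To check whether a host is exposed before and after the upgrade, the following added example (not from the original post) compares an "ssh -V" banner against the 6.6 fix version and lists the AcceptEnv patterns in sshd_config that use wildcards. The function names are hypothetical, and the version test assumes an upstream build, since distribution packages can carry backported fixes under an older version number.

```sh
#!/bin/sh
# Added example (not from the original post): audit for CVE-2014-2532 exposure.

# Return 0 if an "ssh -V"-style banner reports an upstream version below 6.6.
# Distribution packages may carry backported fixes under an older version.
openssh_predates_fix() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 2          # banner not recognised
    [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -lt 6 ]; }
}

# Print "file:line: pattern" for every AcceptEnv pattern containing * or ?.
# Returns 0 if any were found, 1 if none, 2 if the file cannot be read.
audit_acceptenv() {
    config=${1:-/etc/ssh/sshd_config}
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 2; }
    awk -v file="$config" '
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # Match blocks are indented
            if (!match(line, /^[A-Za-z]+/)) next
            if (tolower(substr(line, 1, RLENGTH)) != "acceptenv") next
            args = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", args)     # "AcceptEnv=..." is also valid
            gsub(/"/, "", args)
            n = split(args, pat, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (pat[i] ~ /[*?]/) { printf "%s:%d: %s\n", file, NR, pat[i]; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$config"
}

# Example run on a live host (commented out so the file can simply be sourced):
# openssh_predates_fix "$(ssh -V 2>&1)" && audit_acceptenv /etc/ssh/sshd_config
```

Include directives are not followed; they do not exist in the OpenSSH versions this post deals with.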

Practical Overview :

1. Creating an rpm package from the OpenSSH 6.7 tarball.
2. Upgrading OpenSSH to the new version 6.7.

Precaution while upgrading openssh to new version

1. Take a backup of the ssh configuration directory, /etc/ssh
2. Take a backup of the PAM file, /etc/pam.d/sshd
3. If you are working remotely via the command line only, install a telnet server as a second option for login. (Read the tutorial on how to install telnet server.) Telnet sends credentials in clear text, so restrict it to a trusted network and remove it once SSH login is confirmed working.

Create OpenSSH rpm package

At the time of writing this post, we have not found an OpenSSH 6.7 rpm package available from a reliable repo. Hence, we decided to create our own rpm package.

1. Install required packages for creating OpenSSH rpm package

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

2. Create directories for building rpm

mkdir -p /usr/src/redhat/{SOURCES,SPECS}

It will create new directories
(a)/usr/src/redhat/
(b)/usr/src/redhat/SOURCES
(c)/usr/src/redhat/SPECS

3. Download latest OpenSSH package inside /usr/src/redhat/SOURCES/
Download link : https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

cd /usr/src/redhat/SOURCES/
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz.asc

4. Extract spec file and move to /usr/src/redhat/SPECS directory.

cd /usr/src/redhat/SOURCES/
tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec
mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/

5. Change ownership and group of extracted spec file

chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec

6. Using the sed command, we will disable the ask-pass builds and replace the deprecated BuildPreReq tag with BuildRequires in the spec file.

sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec

7. Now run the rpmbuild command.

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

When we ran this command, we got the message “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory”.

Hence, we will copy openssh-6.7p1.tar.gz to /root/rpmbuild/SOURCES/

cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/

8. Now re-run the command. This time it should be successful.

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

9. You can find the rpm package in /root/rpmbuild/RPMS/x86_64

cd /root/rpmbuild/RPMS/x86_64
ls -lhrt

For reference, this is the output from our system:

[root@localhost x86_64]# ls
openssh-6.7p1-1.x86_64.rpm  openssh-clients-6.7p1-1.x86_64.rpm  openssh-debuginfo-6.7p1-1.x86_64.rpm  openssh-server-6.7p1-1.x86_64.rpm
[root@localhost x86_64]# pwd
/root/rpmbuild/RPMS/x86_64
[root@localhost x86_64]#

Now you have the rpm files built from the OpenSSH tarball.
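
Step 3 downloads openssh-6.7p1.tar.gz.asc, but the procedure never checks it. The following added example (not from the original post) verifies that detached signature with gpg and should be run before the tarball is handed to rpmbuild in step 7. The function name, the key file and the fingerprint argument are assumptions: obtain the OpenSSH release key and its fingerprint from a source you trust.

```sh
#!/bin/sh
# Added example (not from the original post): verify the detached signature
# downloaded in step 3 before the tarball is handed to rpmbuild.
# KEYFILE and FINGERPRINT are assumptions: obtain the OpenSSH release key and
# its fingerprint from a source you trust, not only from the download mirror.
#
# Usage: verify_release TARBALL SIGNATURE KEYFILE FINGERPRINT
verify_release() {
    tarball=$1 sig=$2 keyfile=$3
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    for f in "$tarball" "$sig" "$keyfile"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    [ -n "$want" ] || { echo "no expected fingerprint given" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }

    # Throwaway keyring: only the key in KEYFILE can satisfy the check.
    keyring=$(mktemp -d) || return 2
    chmod 700 "$keyring"
    status=$(
        gpg --homedir "$keyring" --batch --quiet --import "$keyfile" 2>/dev/null &&
        gpg --homedir "$keyring" --batch --status-fd 1 \
            --verify "$sig" "$tarball" 2>/dev/null
    ) || true
    rm -rf "$keyring"

    # VALIDSIG reports the signing key fingerprint (field 3) and, last on the
    # line, the primary key fingerprint; accept a match on either.
    if printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }' |
        grep -qxF -e "$want"; then
        echo "signature OK: $tarball"
        return 0
    fi
    echo "SIGNATURE CHECK FAILED: do not build $tarball" >&2
    return 1
}

# Example call with a placeholder fingerprint (commented out):
# verify_release openssh-6.7p1.tar.gz openssh-6.7p1.tar.gz.asc \
#     release_key.asc "<FINGERPRINT-OBTAINED-OUT-OF-BAND>"
```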

Next Step : Take backup of ssh

This section is very important: we will take a backup of ssh, because when we upgrade the current OpenSSH to the new version 6.7, the PAM configuration files related to ssh will be changed.

1. Take backup of ssh configuration directory

cd ~
tar -cvzf etc_ssh.tar.gz /etc/ssh

2. Take backup of pam.d/sshd file . (Very very important, do not forget)

cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`

Upgrade OpenSSH server to version 6.7

Before upgrading to OpenSSH 6.7, it is very important to take the ssh backup. (Read the section above for the SSH backup.)

Reason: After the upgrade, the parameters in the /etc/pam.d/sshd file are incompatible.

Note: We suggest you follow this procedure on a test machine first, so that you are aware of any issue that may come up after the upgrade.

1. To upgrade to OpenSSH version 6.7, run the commands given below.

ls -l /root/rpmbuild/RPMS/x86_64/

rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

2. Take a backup copy of the sshd PAM file as it is after the upgrade

cp -p /etc/pam.d/sshd /root/sshd.afterupgrade 

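3. Now restore the original sshd PAM file into /etc/pam.d. The backup taken earlier was saved with a date suffix; if it was taken on a different day, use that date in the file name.

cp /root/sshd.orig.`date +%F` /etc/pam.d/sshd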

4. Now edit the /etc/ssh/sshd_config file and enable UsePAM. (Read this post for the reason)

vi /etc/ssh/sshd_config
..
UsePAM yes
..

5. We will regenerate the ssh host keys by removing the old keys. (Read this post for the reason)

rm /etc/ssh/ssh*key

6. Now restart the ssh service

On CentOS 7 / RHEL 7

systemctl restart sshd

On CentOS 6 / Amazon Linux

service sshd restart

7. Now try to connect from a remote machine via ssh.

You can download already made OpenSSH rpm files from our Github repo.
Github Repo URL : https://github.com/sharadchhetri/misc

Comments

  1. Rob says

    March 11, 2016 at 7:28 pm

    Thanks for the guide, I made it almost, but failed with the following errors:

    error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*

    Any ideas?

    • sharad chhetri says

      March 12, 2016 at 7:17 am

      Hi Rob,

      Check the spec file. This problem I have not seen when I created this rpm. On quick search, I found this relevant answer as a proof of solution. https://www.redhat.com/archives/seawolf-list/2001-June/msg02324.html .

      Hope it will work for you. Your feedback on solution is much appreciated.

      Regards
      Sharad

      • Rob says

        March 14, 2016 at 5:12 pm

        Hi Sharad,

        Turns out, 7.2 got rid of the symbolic link to slogin, but forgot to update the spec file. I commented out the references in the spec file and was able to get it to build.

        • sharad chhetri says

          March 15, 2016 at 3:30 am

          Hi Rob,

          Thanks for the feedback. Enjoy the rpm building.

          Regards
          Sharad

  2. Andy says

    January 6, 2016 at 12:47 pm

    Hi just wanted to say thanks for this followed your steps and it worked perfectly 🙂

    • sharad chhetri says

      January 6, 2016 at 3:16 pm

      Hello Andy,

      Wow, I am super duper happy to receive your affirmative feedback on this practical. I actually created this rpm and implemented on more than 50 AWS EC2 instances without any issue.
      I do also believe that yes! after doing some troubleshooting and understanding the error we can overcome from errors.
      I am always happy to assist my blog readers for any issue if my busy time allows me.

      Regards
      Sharad

  3. soso says

    December 7, 2015 at 9:38 am

    Hi,

    Thank you for the tutorial! Successfully built RPM openssh_7.1p1 (and upgraded).

    But I noticed that when rpmbuild is run, the RPM binaries are built with “gcc -g” (debug flags), do you know how this can be prevented and if it is recommended?

    Thanks,
    soso

    • sharad chhetri says

      December 9, 2015 at 3:19 am

      Thank You Soso,

      I am happy to see many linux users have gone through this tutorial and read my post. For some it was helpful and in some cases they found problem while executing this ‘How To’.
      I believe debug is important for error and troubleshooting purpose. And for any software debug is important part and highly recommended.
      Honestly, I have not tried without gcc-g on rpmbuild . If you have tried on this then share your inputs.

      Regards
      Sharad

  4. Ahmad says

    November 7, 2015 at 5:17 pm

    Hello,

    when i reached the step to install the new rpm i got the following

    [root@RHEL ~]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
    error: Failed dependencies:
    openssh = 5.3p1-112.el6_7 is needed by (installed) openssh-askpass-5.3p1-112.el6_7.x86_64

    please advise on how to fix this issue

    Thanks

    • sharad chhetri says

      November 8, 2015 at 3:22 am

      Hello Ahmad,

      It seems it needs dependency packages. I am not sure which OS version you are working on.
      I have already created rpm and placed in my github repo https://github.com/sharadchhetri/misc .
      You can download the rpm from github and try once.

      Regards
      Sharad

      • Ahmad says

        November 8, 2015 at 5:57 am

        Thanks Sharad,

        I have redhat 6.7 as my client pci scan ask for openssh 6.x version

        Regards,
        Ahmad

        • sharad chhetri says

          November 9, 2015 at 4:35 pm

          Hello Ahmad,

          We have done this practical on CentOS 7.x / RHEL 7.x and current AWS EC2 instances.
          I will suggest you to work on some test machine and try to create rpm.

          Have you tried to install rpm which is already available in my github account. Let me know its feedback.

          Regards
          Sharad

  5. Ahmad says

    November 7, 2015 at 1:22 am

    Hello

    I have tried these steps on redhat 6.7 and it failed,

    Please advise

  6. Phil says

    November 6, 2015 at 5:28 pm

    thanks for this guide – extremely helpful. I had to upgrade openssh on an amazon linux EC2 instance to version 6.7 or above and amazon repository only had up to 6.6.1 – i required 6.7 for PCI DSS compliance and your article helped me upgrade to 7.1 without problems, but most importantly I felt safe in the knowledge I could revert (and still connect) should things go wrong. has been a massive help for me . cheers

    • sharad chhetri says

      November 7, 2015 at 5:04 am

      Hello Phil,

      Thanks for giving feedback. It is always safe to take backup and in AWS you can take snapshot of volume or AMI of instance.

      Cheers !

      Regards
      Sharad

  7. Mordik says

    August 22, 2015 at 5:01 pm

    I had already run step 6 the first time. I had also moved your 6.7 version rpms to a custom repo and used yum to update and it fixed the first dependency issue regarding askpass.

    cd /root/rpmbuild/RPMS/x86_64
    ls -lhrt
    -rw-r--r--. 1 root root 403K Aug 20 15:31 openssh-6.7p1-1.x86_64.rpm
    -rw-r--r--. 1 root root 557K Aug 20 15:31 openssh-clients-6.7p1-1.x86_64.rpm
    -rw-r--r--. 1 root root 375K Aug 20 15:31 openssh-server-6.7p1-1.x86_64.rpm
    -rw-r--r--. 1 root root 17K Aug 20 15:31 openssh-debuginfo-6.7p1-1.x86_64.rpm

    As you can see openssh-6.7p1-1 is there first, yet install complains about not finding it. Should I remove its architecture part x86_64? Thank you

  8. Mordik says

    August 21, 2015 at 8:50 pm

    Hi Sharad and thank you for your swift response.

    I have upgraded from openssh5.3 to 6.1

    Because of that dependency issue, I downloaded openssh 6.1 version complained about. Output after running:
    rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

    warning: /root/rpmbuild/RPMS/x86_64/openssh-6.6p1-1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e9bc4ae1: NOKEY
    warning: package openssh-clients = 6.6p1-1.el6 was already added, replacing with openssh-clients > 6.7p1-1
    warning: package openssh-server = 6.6p1-1.el6 was already added, replacing with openssh-server > 6.7p1-1
    error: Failed dependencies:
    openssh = 6.7p1-1 is needed by openssh-clients-6.7p1-1.x86_64
    openssh = 6.7p1-1 is needed by openssh-server-6.7p1-1.x86_64
    Could it be due to step 6 in your tutorial: “6. By using sed command we will disable the ask-pass”?

    • sharad chhetri says

      August 22, 2015 at 1:57 am

      Hello Mordik,

      Yes, you should run the step 6 as BuildPreReq with BuildRequires are deprecated.
      Try again.

      Regards
      Sharad

  9. Mordik says

    August 20, 2015 at 7:42 pm

    # rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
    error: Failed dependencies:
    openssh = 6.6p1-1.el6 is needed by (installed) openssh-askpass-6.6p1-1.el6.x86_64

    • sharad chhetri says

      August 21, 2015 at 2:20 am

      Hello Mordik,

      Can you share the info which OpenSSH version you are trying?
      I have created rpm and this can be received from https://github.com/sharadchhetri/misc.

      Regards
      Sharad

  10. dajjng says

    March 11, 2015 at 1:57 am

    I have this problem.

    $ service sshd restart
    Stopping sshd: [ OK ]
    lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
    Starting sshd: [ OK ]

    • sharad chhetri says

      March 11, 2015 at 2:36 am

      Hello Dajing,

      Try this link https://sharadchhetri.com/2015/01/17/error-not-load-host-key/

      Regards
      Sharad
