How to create OpenSSH rpm package and its upgrade

In this tutorial we will create rpm package of OpenSSH version 6.7 stable version and will do OpenSSH upgrade. You may be wondering why it is required to create rpm package of OpenSSH version. The answer is because of CVE-2014-2532 .

We recently notified with the CVE-2014-2532 , which is a openssh AcceptEnv environment restriction bypass flaw .

Description of CVE-2014-2532

It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
Fixed In Version: openssh 6.6

Practical Overview :

1. Creating rpm package from OpenSSH 6.7 tar ball .
2. Upgrading OpenSSH to new version 6.7 .

Precaution while upgrading openssh to new version

1. Take the backup of ssh configuration file that is /etc/ssh
2. Take the backup of pam file that is /etc/pam.d/sshd
3. If working remotely via command line only then install telnet server as a second option for login. (Read the tutorial on how to install telnet server)

Create OpenSSH rpm package

At the time of writing this post we have not found OpenSSH 6.7 version rpm package available from reliable repo. Hence, decided to create our own rpm package.

1. Install required packages for creating OpenSSH rpm package

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

2. Create directories for building rpm

mkdir -p /usr/src/redhat/{SOURCES,SPECS}

It will create new directories

3. Download latest OpenSSH package inside /usr/src/redhat/SOURCES/
Download link :

cd /usr/src/redhat/SOURCES/

4. Extract spec file and move to /usr/src/redhat/SPECS directory.

cd /usr/src/redhat/SOURCES/
tar xfz openssh-6.7p1.tar.gz openssh-6.7p1/contrib/redhat/openssh.spec
mv openssh-6.7p1/contrib/redhat/openssh.spec ../SPECS/

5. Change ownership and group of extracted spec file

chown sshd:sshd /usr/src/redhat/SPECS/openssh.spec

6. By using sed command we will disable the ask-pass and replace the deprecated
BuildPreReq with BuildRequires command in spec file.

sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec

7. Now run rpmbuild command .

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

Actually we got one message after running this command that “error: File /root/rpmbuild/SOURCES/openssh-6.7p1.tar.gz: No such file or directory” .

Hence, we will copy the openssh-6.7p1.tar.gz to /root/rpmbuild/SOURCES/

cp -v /usr/src/redhat/SOURCES/openssh-6.7p1.tar.gz* /root/rpmbuild/SOURCES/

8. Now re-run the command once again. I hope this time, it will be successful.

cd  /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

9. You can find the rpm package in /root/rpmbuild/RPMS/x86_64

cd /root/rpmbuild/RPMS/x86_64
ls -lhrt

Below given is reference from our system

[root@localhost x86_64]# ls
openssh-6.7p1-1.x86_64.rpm  openssh-clients-6.7p1-1.x86_64.rpm  openssh-debuginfo-6.7p1-1.x86_64.rpm  openssh-server-6.7p1-1.x86_64.rpm
[root@localhost x86_64]# pwd
[root@localhost x86_64]#

Now you have got the rpm files built from Openssh tar ball.

Next Step : Take backup of ssh

This section is very important, we will take backup of ssh. Because when we upgrade the current OpenSSH to new version 6.7 , PAM configuration files related to ssh will be changes.

1. Take backup of ssh configuration directory

cd ~
tar -cvzf etc_ssh.tar.gx /etc/ssh

2. Take backup of pam.d/sshd file . (Very very important, do not forget)

cp -p /etc/pam.d/sshd ~/sshd.orig.`date +%F`

Upgrade OpenSSH server to version 6.7

Before upgrading to OpenSSH 6.7 version, it is very very important to take ssh backup(Read above section for SSH backup)

Reason: After upgrade the /etc/pam.d/sshd file parameters is incompatible.

Note: We suggest you to follow this procedure in some test machine.So that you will be aware about the issue which may come after upgrade.

1. To upgrade to OpenSSH version 6.7 , run the below given command .

ls -l /root/rpmbuild/RPMS/x86_64/

rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

2. Take backup copy of after upgrade sshd pam file

cp -p /etc/pam.d/sshd /root/sshd.afterupgrade 

3. Now restore original sshd pam file inside /etc/pam.d

cp /root/sshd.orig /etc/pam.d/sshd

4. Now edit /etc/ssh/sshd_config file and enable UsePAM . (Read this post for reason)

vi /etc/ssh/sshd_config
UsePAM yes

5. We will regenerate new ssh keys by removing old keys. (Read this post for reason)

rm /etc/ssh/ssh*key

6. Now restart the ssh service

On CentOS 7 / RHEL 7

systemctl restart sshd

On CentOS 6 / Amazon Linux

service sshd restart

7. Now try to connect from remote machine via ssh .

You can download already made OpenSSH rpm files from our Github repo.
Github Repo URL :

27 thoughts on “How to create OpenSSH rpm package and its upgrade”

  1. Thanks for the guide, I made it almost, but failed with the following errors:

    error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*

    Any ideas?

    • Hello Andy,

      Wow, I am super duper happy to receive your affirmative feedback on this practical. I actually created this rpm and implemented on more than 50 AWS EC2 instances without any issue.
      I do also believe that yes! after doing some troubleshooting and understanding the error we can overcome from errors.
      I am always happy to assist my blog readers for any issue if my busy time allows me.


  2. Hi,

    Thank you for the tutorial! Successfully built RPM openssh_7.1p1 (and upgraded).

    But I noticed that when rpmbuild is run, the RPM binaries are built with “gcc -g” (debug flags), do you know how this can be prevented and if it is recommended?


    • Thank You Soso,

      I am happy to see many linux users have gone through this tutorial and read my post. For some it was helpful and in some cases they found problem while executing this ‘How To’.
      I believe debug is important for error and troubleshooting purpose. And for any software debug is important part and highly recommended.
      Honestly, I have not tried without gcc-g on rpmbuild . If you have tried on this then share your inputs.


  3. Hello,

    when i reached the step to install the new rpm i got the following

    [root@RHEL ~]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
    error: Failed dependencies:
    openssh = 5.3p1-112.el6_7 is needed by (installed) openssh-askpass-5.3p1-112.el6_7.x86_64

    please advice on how to fix this issue


        • Hello Ahmad,

          We have done this practical on CentOS 7.x / RHEL 7.x and current AWS EC2 instances.
          I will suggest you to work on some test machine and try to create rpm.

          Have you tried to install rpm which is already available in my github account. Let me know its feedback.


  4. thanks for this guide – extremely helpful. I had to upgrade openssh on an amazon linux EC2 instance to version 6.7 or above and amazon repository only had up to 6.6.1 – i required 6.7 for PCI DSS compliance and your article helped me upgrade to 7.1 without problems, but most importantly I felt safe in the knowledge I could revert (and still connect) should things go wrong. has been a massive help for me . cheers

  5. I had already run step 6 the first time.I had also moved your 6.7 version rpms to a custom repo and used yum to update and it fixed the first dependency issue regarding askpass.

    cd /root/rpmbuild/RPMS/x86_64
    ls -lhrt
    -rw-r–r–. 1 root root 403K Aug 20 15:31 openssh-6.7p1-1.x86_64.rpm
    -rw-r–r–. 1 root root 557K Aug 20 15:31 openssh-clients-6.7p1-1.x86_64.rpm
    -rw-r–r–. 1 root root 375K Aug 20 15:31 openssh-server-6.7p1-1.x86_64.rpm
    -rw-r–r–. 1 root root 17K Aug 20 15:31 openssh-debuginfo-6.7p1-1.x86_64.rpm

    As you can see openssh-6.7p1-1 is there first, yet install complains about not finding it.Should I remove its architecture part x86_64? Thank you

  6. Hi Sharad and thank you for your swift response.

    I have upgraded from openssh5.3 to 6.1

    Because of that dependency issue, I downloaded openssh 6.1 version complained about.Output after running:
    rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

    warning: /root/rpmbuild/RPMS/x86_64/openssh-6.6p1-1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e9bc4ae1: NOKEY
    warning: package openssh-clients = 6.6p1-1.el6 was already added, replacing with openssh-clients > 6.7p1-1
    warning: package openssh-server = 6.6p1-1.el6 was already added, replacing with openssh-server > 6.7p1-1
    error: Failed dependencies:
    openssh = 6.7p1-1 is needed by openssh-clients-6.7p1-1.x86_64
    openssh = 6.7p1-1 is needed by openssh-server-6.7p1-1.x86_64
    Could it be due to step 6 in your tutorial:6. By using sed command we will disable the ask-pass

  7. # rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
    error: Failed dependencies:
    openssh = 6.6p1-1.el6 is needed by (installed) openssh-askpass-6.6p1-1.el6.x86_64

  8. I have this problem.

    $ service sshd restart
    Stopping sshd: [ OK ]
    lstat(/etc/ssh/ failed: No such file or directory
    Starting sshd: [ OK ]

Comments are closed.