Compile OpenSSH from sources on the remote server running CentOS


Most of us know the approach of the RHEL developers to publishing the latest versions of software in the repositories. Every day new vulnerabilities are being discovered and it is really important to keep the software up to date.

What can be done if the latest version of a piece of software is not available in the software repository? The only solution is to compile it from the source package.

This is usually risky, especially with OpenSSH, which provides remote access to the server. If anything goes wrong, you will lose access to your server forever. For this reason, please make sure to back up all data to a local PC before moving forward.

For example, the latest version of OpenSSH available for CentOS 5.8 is 4.3, but the latest version available today is v.7-2p2.

This manual was tested with openssh v.6.6p1, which is why I’ll proceed with this version.

Let’s download the openssh package available from the repositories and save the rpm file locally. This will allow you to install it again if anything goes wrong:

yum -y install yum-utils.noarch

yumdownloader openssh-server

Next install some dependencies:

yum install gcc make openssl-devel pam-devel screen

Download the source package and uncompress it:

wget ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
tar xvf openssh-6.6p1.tar.gz
cd openssh-6.6p1

I used the following configure options:

  • configuration files will be located in /etc/sshd/
  • binaries will be located in /usr/bin/
  • enable ipv4 by default
  • support pam auth

./configure --sysconfdir=/etc/sshd/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --with-ipv4-default --with-md5-passwords --with-pam

Now we can remove the existing openssh from the server. Please make sure that you have a stable internet connection, because from this point on your active session is the only connection to the server. If it gets interrupted, the server will become unavailable to you:

yum remove openssh-server

Compile and install new openssh:

make
make install

Copy init script and enable autostart:

cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on

Make sure to edit the configuration file /etc/sshd/sshd_config with the required configuration options (PermitRootLogin, etc.).

Comment out the following line in the init.d script (/etc/init.d/sshd), otherwise it will result in a certificate error:

/etc/ssh/ssh_host_ecdsa_key.pub

Backup the old openssh folder and make a symlink of the new one:

mv /etc/ssh /etc/ssh.bak && ln -s /etc/sshd /etc/ssh

At this point I was looking forward to restarting the ssh daemon; however, the testing environment allowed me to determine that it is better to stop and start it in separate commands.

When I ran /etc/init.d/sshd restart, my session terminated but the ssh daemon didn’t start. I could not determine what happened.

Let’s run two commands in screen:

screen
/etc/init.d/sshd stop && /etc/init.d/sshd start

Now you are free to connect to the server.
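
One way to script the stop/start step so that a rejected configuration never takes the listener down and a failed start falls back to the package saved with yumdownloader. This is an added example, not part of the original post; the function names, OLD_RPM and WAIT are assumptions, and the rollback relies on the /etc/ssh.bak backup made earlier.

```bash
#!/bin/bash
# Added example, not from the original article. Paths follow the article;
# OLD_RPM (where yumdownloader saved the package) and WAIT are assumptions.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
SSHD_CONF="${SSHD_CONF:-/etc/sshd/sshd_config}"
INIT="${INIT:-/etc/init.d/sshd}"
OLD_RPM="${OLD_RPM:-/root/openssh-server.rpm}"   # placeholder path
PORT="${PORT:-22}"
WAIT="${WAIT:-10}"

# sshd -t checks the config file and host keys, then exits without serving.
config_ok() { "$SSHD_BIN" -t -f "$SSHD_CONF"; }

# True when a TCP listener exists on $PORT.
listening() { netstat -ltn 2>/dev/null | grep -q "[:.]${PORT}[[:space:]]"; }

# Poll for the listener for up to $WAIT seconds.
wait_for_listener() {
    local i=0
    while [ "$i" -lt "$WAIT" ]; do
        listening && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Undo the symlink step and reinstall the package saved by yumdownloader.
rollback() {
    [ -L /etc/ssh ] && rm -f /etc/ssh && mv /etc/ssh.bak /etc/ssh
    rpm -Uvh --force "$OLD_RPM" && "$INIT" start
}

# Returns 0 = new sshd is up, 1 = config rejected (daemon not touched),
# 2 = start failed but rollback restored a listener, 3 = rollback failed too.
safe_restart() {
    config_ok || return 1
    "$INIT" stop
    "$INIT" start
    wait_for_listener && return 0
    rollback && wait_for_listener && return 2
    return 3
}

# Run inside screen, as the article does: ./safe_restart.sh --run
if [ "${1:-}" = "--run" ]; then
    safe_restart
    exit $?
fi
```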

During the compilation you can get the following message:

configure: error: PAM headers not found

This can happen if pam-devel is missing:

yum install pam-devel