I built OpenSSH 7.4p1 RPMs for CentOS 6, which now works for our Zimbra.
If anyone's interested, I can provide binary packages, but it would probably be better if you build them yourself...
) and install the sources, which contain the upstream OpenSSH sources and a slew of RedHat / CentOS patches and distro-specific files. Three of those need minor changes:
--- openssh.spec-orig 2019-08-06 15:44:39.000000000 +0200
+++ openssh.spec 2021-04-14 16:52:02.289724184 +0200
@@ -24,11 +24,17 @@
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
+# Do we want LDAP support
+%define ldap 1
+
# Do we want libedit support
%define libedit 1
-# Do we want LDAP support
-%define ldap 1
+# Do we want NSS tokens support
+%define nss 1
+
+# Whether or not /sbin/nologin exists.
+%define nologin 1
# Whether to build pam_ssh_agent_auth
%if 0%{?!nopam:1}
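Review bot: the `%define nologin 1` added here is a hard-coded constant, so the `%if %{nologin}` guards it feeds further down (around `Requires: /sbin/nologin` and in `%pre server`) are never false in practice; either detect it at parse time, e.g. `%define nologin %(test -x /sbin/nologin && echo 1 || echo 0)`, or drop the guards and keep the unconditional `Requires: /sbin/nologin`. The relocation of the `ldap` block above `libedit` is a pure reorder and could be left out to keep the diff to the functional changes (the new `nss` and `nologin` knobs).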
@@ -39,21 +45,21 @@
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
-%{?skip_gnome_askpass:%global no_gnome_askpass 1}
+%{?skip_gnome_askpass:%define no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
-%{?no_gtk2:%global gtk2 0}
+%{?no_gtk2:%define gtk2 0}
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
-%{?static_openssl:%global static_libcrypto 1}
+%{?static_openssl:%define static_libcrypto 1}
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
+%{?build_rescue:%define rescue 1}
+%{?build_rescue:%define rescue_rel rescue}
# Turn off some stuff for resuce builds
%if %{rescue}
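Review bot: reverting `%global` to `%define` in the `%{?skip_gnome_askpass:…}`, `%{?no_gtk2:…}`, `%{?static_openssl:…}` and `%{?build_rescue:…}` lines is not needed for CentOS 6 and changes macro scoping: `%global` is defined at spec scope, while a `%define` evaluated inside another macro's expansion is scoped to that expansion and may not be visible later in the spec, depending on the rpm version. Since `%global` is accepted by the rpm shipped with el6, keep the original `%global` lines and drop this hunk.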
@@ -62,18 +68,21 @@
%define pam_ssh_agent 0
%endif
-# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 7.4p1
%define openssh_rel 21
%define pam_ssh_agent_ver 0.10.3
-%define pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
-#URL1: http://pamsshagentauth.sourceforge.net
+#URL1: http://pamsshauth.sourceforge.net
+#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+# This package differs from the upstream OpenSSH tarball in that
+# the ACSS cipher is removed by running openssh-nukeacss.sh in
+# the unpacked source directory.
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
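Review bot: the `#URL1:` edit looks like a typo, `pamsshauth.sourceforge.net` should stay `pamsshagentauth.sourceforge.net` as in the original; and the two new commented `#Source0:`/`#Source1:` lines plus the "ACSS cipher is removed by running openssh-nukeacss.sh" comment contradict the live `Source0:` line directly below, which still points at the unmodified upstream tarball. Remove the three commented lines and the ACSS comment. Note also that `Source1` (the `.tar.gz.asc` signature) remains commented out, so nothing in the build verifies the tarball; verify it out of band with `gpg --verify openssh-7.4p1.tar.gz.asc` against the OpenSSH release key before building.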
@@ -258,7 +267,11 @@
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+%if %{nologin}
Requires: /sbin/nologin
+%endif
+
+Requires: initscripts >= 5.20
%if ! %{no_gnome_askpass}
%if %{gtk2}
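Review bot: `Requires: initscripts >= 5.20` is attached to the base `openssh` package, but the only file that needs it is `/etc/rc.d/init.d/sshd`, which this patch ships in the `server` subpackage (see the `%files server` hunk below). Move the `Requires:` under `%package server` next to the `Requires(post): chkconfig >= 0.9, /sbin/service` line so client-only installs do not pull in initscripts.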
@@ -269,18 +282,16 @@
%endif
%endif
-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
BuildRequires: autoconf, automake, perl, zlib-devel
BuildRequires: audit-libs-devel >= 2.0.5
-BuildRequires: util-linux, groff
+BuildRequires: util-linux, groff, man
BuildRequires: pam-devel
BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.3.0
+BuildRequires: fipscheck-devel
BuildRequires: openssl-devel >= 0.9.8j
-BuildRequires: perl-podlators
-BuildRequires: systemd-devel
+%if %{ldap}
+BuildRequires: openldap-devel
+%endif
%if %{kerberos5}
BuildRequires: krb5-devel
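Review bot: dropping the `>= 1.3.0` bound on `fipscheck-devel` only works together with the later `fipshmac` change that stops using `-d` and lets the `.hmac` files land next to the binaries; the two hunks should be described together in the changelog so nobody reinstates the version pin (or the `-d` form) in isolation. The `openldap-devel` move is a pure reorder and the `systemd-devel` removal is correct for el6.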
@@ -290,8 +301,11 @@
BuildRequires: libedit-devel ncurses-devel
%endif
+%if %{nss}
+BuildRequires: nss-devel
+%endif
+
%if %{WITH_SELINUX}
-Conflicts: selinux-policy < 3.13.1-92
Requires: libselinux >= 1.27.7
BuildRequires: libselinux-devel >= 1.27.7
Requires: audit-libs >= 1.0.8
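Review bot: removing `Conflicts: selinux-policy < 3.13.1-92` is what lets the package install on el6 at all, but it silently drops the constraint that the RHEL 7 spec used to guarantee its SELinux-related patches were matched by a compatible policy; the build still passes `--with-selinux --with-audit=linux`. Say in the changelog which parts were validated with the el6 policy (at least sshd starting in enforcing mode and ssh-keycat if you keep it), so the removal is a documented decision rather than an unexplained deletion.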
@@ -302,25 +316,23 @@
%package clients
Summary: An open source SSH client applications
-Group: Applications/Internet
Requires: openssh = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+Group: Applications/Internet
%package server
Summary: An open source SSH server daemon
Group: System Environment/Daemons
Requires: openssh = %{version}-%{release}
+Requires(post): chkconfig >= 0.9, /sbin/service
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
-%package server-sysvinit
-Summary: The SysV initscript to manage the OpenSSH server.
-Group: System Environment/Daemons
-Requires: %{name}-server%{?_isa} = %{version}-%{release}
+%package askpass
+Summary: A passphrase dialog for OpenSSH and X
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: openssh-askpass-gnome
+Provides: openssh-askpass-gnome
%if %{ldap}
%package ldap
@@ -334,13 +346,6 @@
Requires: openssh = %{version}-%{release}
Group: System Environment/Daemons
-%package askpass
-Summary: A passphrase dialog for OpenSSH and X
-Group: Applications/Internet
-Requires: openssh = %{version}-%{release}
-Obsoletes: openssh-askpass-gnome
-Provides: openssh-askpass-gnome
-
%package cavs
Summary: CAVS tests for FIPS validation
Group: Applications/Internet
@@ -350,7 +355,6 @@
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
License: BSD
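Review bot: with its own `Release:` line removed, the `pam_ssh_agent_auth` subpackage now inherits the main `Release: 21%{?dist}`, so its NEVR changes from `0.10.3-2.21.<dist>` to `0.10.3-21.<dist>`. That is workable, but the "bump pam_ssh_agent_auth release if you rewind the main package release" comment and `%define pam_ssh_agent_rel` were removed together with it, so the coupling is no longer documented; mention the new versioning scheme in the changelog.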
%description
@@ -378,13 +382,10 @@
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server.
-%description server-sysvinit
+%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
-the SysV init script to manage the OpenSSH server when running a legacy
-SysV-compatible init system.
-
-It is not required when the init system used is systemd.
+an X11 passphrase dialog for OpenSSH.
%if %{ldap}
%description ldap
@@ -396,11 +397,6 @@
OpenSSH mls keycat is backend for using the authorized keys in the
openssh in the mls mode.
-%description askpass
-OpenSSH is a free version of SSH (Secure SHell), a program for logging
-into and executing commands on a remote machine. This package contains
-an X11 passphrase dialog for OpenSSH.
-
%description cavs
This package contains test binaries and scripts to make FIPS validation
easier. Now contains CTR and KDF CAVS test driver.
@@ -522,9 +518,9 @@
%endif
autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-autoreconf
-popd
+#pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+#autoreconf
+#popd
%build
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
@@ -539,12 +535,10 @@
%else
CFLAGS="$CFLAGS -fpic"
%endif
-SAVE_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS -pie -z relro -z now"
-
export CFLAGS
-export LDFLAGS
-
+SAVE_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
+LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now"; export LDFLAGS
%endif
%if %{kerberos5}
if test -r /etc/profile.d/krb5-devel.sh ; then
@@ -567,19 +561,20 @@
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
- --with-default-path=/usr/local/bin:/usr/bin \
- --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+ --with-default-path=/usr/local/bin:/bin:/usr/bin \
+ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
- --enable-vendor-patchlevel="RHEL7-%{openssh_ver}-%{openssh_rel}" \
+ --enable-vendor-patchlevel="FC-%{version}-%{release}" \
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
- --with-ipaddr-display \
- --with-systemd \
- --with-ssh1 \
+ --with-authorized-keys-command \
%if %{ldap}
--with-ldap \
%endif
+%if %{nss}
+ --with-nss \
+%endif
%if %{rescue}
--without-pam \
%else
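Review bot: `--with-authorized-keys-command` and `--with-nss` do not exist in the 7.4p1 configure script unless the applied patch set adds them (AuthorizedKeysCommand has been a core sshd feature for years, and NSS key support came from a separate Fedora-era patch); autoconf only warns about unrecognized `--with-*` options, so both may be silent no-ops. Check `config.log` for "unrecognized options" after the first build and drop whichever is not provided (and then set `%define nss 0`, which also removes the `nss-devel` BuildRequires). The `--enable-vendor-patchlevel="FC-%{version}-%{release}"` label is wrong for a CentOS 6 build and is what remote `ssh -v` clients see in the banner; use a `CentOS6-` prefix instead. The extended default and superuser paths (`/bin`, `/sbin` added) are correct for el6, which has no merged `/usr`, and removing `--with-ssh1` is the right call.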
@@ -587,11 +582,6 @@
%endif
%if %{WITH_SELINUX}
--with-selinux --with-audit=linux \
-%ifnarch ppc
- --with-sandbox=seccomp_filter \
-%else
- --with-sandbox=rlimit \
-%endif
%endif
%if %{kerberos5}
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
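Review bot: deleting the explicit `--with-sandbox=seccomp_filter` / `rlimit` selection leaves the privilege-separation sandbox to configure's autodetection; on an el6 2.6.32 kernel seccomp-bpf is unavailable, so the expected outcome is the `rlimit` sandbox, but nothing in the spec now pins or verifies that. Pass `--with-sandbox=rlimit` explicitly (keeping the `%ifnarch ppc` structure is unnecessary on el6) and check configure's summary output for the selected sandbox, so a future rebuild on a different kernel or headers cannot silently change the sandbox type.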
@@ -633,7 +623,7 @@
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
+%configure --with-selinux --libexecdir=/%{_lib}/security
make
popd
%endif
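Review bot: `--libexecdir=/%{_lib}/security` is the right PAM module directory for el6 and matches the `/%{_lib}/security/pam_ssh_agent_auth.so` entry in `%files -n pam_ssh_agent_auth`; good. Dropping `--with-mantype=man` is unexplained, though, and the `%{_mandir}/man8/pam_ssh_agent_auth.8*` entry still expects the man page to be built, so either leave the option in place or note in the changelog why the el6 toolchain needs it removed.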
@@ -643,52 +633,38 @@
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
- fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
+ fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh \
+ fipshmac $RPM_BUILD_ROOT%{_sbindir}/sshd \
%{nil}
-%check
-#to run tests use "--with check"
-%if %{?_with_check:1}%{!?_with_check:0}
-make tests
-%endif
-
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
+%if %{ldap}
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
+%endif
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
-install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
-install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
-install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
-install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
-install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
-#restore slogin symlink
-pushd $RPM_BUILD_ROOT%{_bindir}
-ln -s ./ssh slogin
-pushd $RPM_BUILD_ROOT%{_mandir}/man1
-ln -s ./ssh.1 slogin.1
-popd; popd;
-
%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
+rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
+
%if ! %{no_gnome_askpass}
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
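Review bot: the whole `%check` section is deleted, although it was already opt-in via `--with check` and cost nothing in a default build; keep it so `rpmbuild --with check` can still run `make tests` on the el6 build. The `%if %{ldap}` around `rm -f …/ssh/ldap.conf` is unnecessary (`rm -f` on a missing file is a no-op), and the new `rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin` deserves a comment saying what installs it (nothing else in the visible spec references it). Dropping the `slogin` symlink, the `%{_unitdir}` files and the `%{_libdir}/fipscheck` directory is consistent with the rest of the patch.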
@@ -702,6 +678,11 @@
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
+rm -f README.nss.nss-keys
+%if ! %{nss}
+rm -f README.nss
+%endif
+
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
make install DESTDIR=$RPM_BUILD_ROOT
@@ -715,48 +696,55 @@
%pre server
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
+%if %{nologin}
getent passwd sshd >/dev/null || \
- useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
+ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd -s /sbin/nologin \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+%else
+getent passwd sshd >/dev/null || \
+ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd -s /sbin/nologin \
+ -s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
+%endif
%post server
-%systemd_post sshd.service sshd.socket
-
-%preun server
-%systemd_preun sshd.service sshd.socket
+/sbin/chkconfig --add sshd
%postun server
-%systemd_postun_with_restart sshd.service
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
+
+%preun server
+if [ "$1" = 0 ]
+then
+ /sbin/service sshd stop > /dev/null 2>&1 || :
+ /sbin/chkconfig --del sshd
+fi
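Review bot: both `useradd` invocations in `%pre server` now pass `-s` twice: the `%if %{nologin}` branch has `-s /sbin/nologin` on the new line and again on the kept `-s /sbin/nologin -r -d …` continuation line, and the `%else` branch passes `-s /sbin/nologin` followed by `-s /dev/null`, which defeats the point of the branch (the last `-s` wins, but the nologin reference should not be there at all). Remove `-s /sbin/nologin` from the two added lines so each branch sets the shell exactly once. The `%post`/`%preun`/`%postun` conversion to `chkconfig` and `service condrestart` is correct for SysV init on el6.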
%files
%defattr(-,root,root)
-%{!?_licensedir:%global license %%doc}
-%license LICENCE
-%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL PROTOCOL.agent PROTOCOL.certkeys README* TODO
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
+%attr(4755,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
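Review bot: two permission changes in `%files` weaken or obscure the RHEL hardening without an explanation: `ssh-keysign` goes from `2111 root:ssh_keys` (setgid, execute-only, reading host keys via the `ssh_keys` group) to `4755 root:root` (setuid root, world-readable), which hands a network-reachable helper root privileges again; keep `2111,root,ssh_keys` as long as the host keys are group-owned by `ssh_keys` as the RHEL 7 patches and `sshd-keygen` arrange. Conversely, `moduli` changes from `0644` to `0600` for no reason: it holds public DH group parameters, and tightening it only breaks tools that read it unprivileged. Restore `0644` there. Moving `ctr-cavstest` out of the main package into the `cavs` subpackage is fine.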
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
+%attr(0644,root,root) %{_bindir}/.ssh.hmac
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(0755,root,root) %{_bindir}/slogin
-%attr(0644,root,root) %{_mandir}/man1/slogin.1*
+#%attr(0755,root,root) %{_bindir}/slogin
+#%attr(0644,root,root) %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%if ! %{rescue}
-%attr(2111,root,nobody) %{_bindir}/ssh-agent
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
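Review bot: `ssh-agent` changes from `2111,root,nobody` to `2755,root,nobody`; the setgid bit is preserved, but the binary becomes world-readable, which the execute-only mode was deliberately avoiding for a setgid program. Keep `2111` unless there is a concrete reason (state it in the changelog). The commented-out `slogin` lines should be deleted rather than carried as comments, since the symlink is no longer created in `%install`; and the relocated `.ssh.hmac` is only meaningful if `fipscheck-lib` stays a runtime dependency (see the `%package clients` hunk).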
@@ -774,9 +762,10 @@
%files server
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd
+%doc HOWTO.ssh-keycat
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/sshd-keygen
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
+%attr(0644,root,root) %{_sbindir}/.sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
@@ -785,21 +774,15 @@
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
-%attr(0644,root,root) %{_unitdir}/sshd.service
-%attr(0644,root,root) %{_unitdir}/sshd@.service
-%attr(0644,root,root) %{_unitdir}/sshd.socket
-%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-
-%files server-sysvinit
-%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd
+#%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
+#%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
%endif
%if %{ldap}
%files ldap
%defattr(-,root,root)
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
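Review bot: the two commented `#%attr(…) ssh-keycat` / `#… /etc/pam.d/ssh-keycat` lines in `%files server` would duplicate entries that the `keycat` subpackage already owns (they are visible as context in the next hunk), so delete them instead of leaving them as comments that invite a future duplicate-file error. Folding `/etc/rc.d/init.d/sshd` into `%files server` and dropping the `server-sysvinit` split and the unit files is consistent with the SysV scriptlets above.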
@@ -812,6 +795,11 @@
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
+%files cavs
+%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
+
%if ! %{no_gnome_askpass}
%files askpass
%defattr(-,root,root)
@@ -820,21 +808,19 @@
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%endif
-%files cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
-
%if %{pam_ssh_agent}
%files -n pam_ssh_agent_auth
%defattr(-,root,root)
-%{!?_licensedir:%global license %%doc}
-%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
-%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/LICENSE.OpenSSL
+%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
%endif
%changelog
+* Wed Apr 14 2021 Danilo Godec <danilo.godec@agenda.si>
+- Adapted the source RPM for building on CentOS 6.10
+
* Tue Jun 25 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-21 + 0.10.3-2
- Avoid double comma in the default cipher list in FIPS mode (#1722446)
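Review bot: the new changelog entry has no version-release suffix (every other entry carries one, e.g. `- 7.4p1-21 + 0.10.3-2`) and the package `Release:` is left at 21, so the only thing distinguishing this build from Red Hat's 7.4p1-21 is the `%{?dist}` tag. Add the E-V-R to the entry and bump `openssh_rel` (e.g. `21.1`), and list the behavioural changes, at least the SysV init conversion, the sandbox autodetection, the configure flag removals and any permission changes, so an auditor can tell what differs from the RHEL 7 source.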
Obviously, this is a temporary fix and we'll all have to migrate to a more up-to-date distro eventually.