April 6, 2008

Quick and dirty manual compile of OpenSSH on CentOS 5

Filed under: UNIX & Linux — Tags: , , — martin @ 7:58 am

(Update, February 27, 2009 – Please click here, for goodness’ sake: Packaging OpenSSH on CentOS)

I wanted to try the new chroot feature of OpenSSH (see the companion post) but didn’t want to invest in building an OpenSSH RPM. Here are my notes from how I did a quick replacement of the stock SSH packages by a hand-rolled installation:

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.0p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.0p1.tar.gz.asc
# wget -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg --import
# gpg openssh-5.0p1.tar.gz.asc
gpg: Signature made Thu 03 Apr 2008 12:02:00 PM CEST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm@****.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48
# tar zxvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure --prefix=/usr/local --sysconfdir=/etc/openssh --with-md5-passwords --with-pam
# make
# make install
# cp /etc/ssh/* /etc/openssh/
# sed 's/^\(GSSAPI.*\)$/#\1/' < /etc/ssh/sshd_config > /etc/openssh/sshd_config
# sed 's/^ *\(GSSAPI.*\)$/#\1/' < /etc/ssh/ssh_config > /etc/openssh/ssh_config
# cp /etc/pam.d/sshd /etc/pam.d/openssh
# service sshd stop
# yum remove openssh
# ln -s openssh /etc/pam.d/sshd
# /usr/local/sbin/sshd
# echo "echo Starting ssh daemon." >> /etc/rc.local
# echo "/usr/local/sbin/sshd" >> /etc/rc.local

No: I’m not quite conviced that this should go anywhere beyond a test system. 😉 If you have a quick way for building proper OpenSSH replacement RPMs, you’re welcome to share it.


  1. Wonderful and useful instructions!

    To compile PAM support in, I had to install pam-devel for the version of PAM I was running (for example http://rpm.pbone.net/index.php3/stat/4/idpl/5602372/com/pam-devel-0.77-66.23.i386.rpm.html ).

    For the symbolic link for /etc/pam.d/sshd, I ended up using

    ln -s /etc/pam.d/openssh /etc/pam.d/sshd

    Now I can use the new sftp chroot features on my CentOS box. Thanks again!

    Comment by RBucci — August 4, 2008 @ 4:32 pm

  2. I can not restart service sshd
    # /etc/init.d/sshd restart
    -bash: /etc/init.d/sshd: No such file or directory

    please help me !

    Comment by comet — October 4, 2008 @ 5:55 pm

  3. Perhaps I’m missing something, and this comment comes late, but you can build RPMs from the stock openssh tarball by doing the following (as root):

    – extract openssh.spec from openssh-x.x.tar.gz and place it in /usr/src/redhat/SPEC
    – edit as necessary (disable building x11_askpass, etc)
    – place a copy of openssh-x.x.tar.gz in /usr/src/redhat/SOURCES
    – cd /usr/src/redhat/SPEC && rpmbuild -bb openssh.spec

    Doesn’t always run without a hitch, but over the years it generally has for me.


    Comment by Simon — December 15, 2008 @ 11:16 pm

  4. Sounds great, Simon! I’ll definitely give this a try. Thanks!

    Comment by martin — December 16, 2008 @ 6:56 am

  5. […] on chrooted SFTP has turned out to be the most popular article on this blog. What a pity that its “companion article” on building current OpenSSH on CentOS 5 is such a bloody hell of a […]

    Pingback by Packaging OpenSSH on CentOS « #!/bin/blog — February 27, 2009 @ 8:29 am

  6. Very nice Simon!

    Comment by AskApache — April 6, 2010 @ 11:28 pm

  7. In Simons comment above, he mentioned copying openssh.spec to /usr/src/redhat/SPEC – shouldn’t that be /usr/src/redhat/SPECS ?

    Comment by Pancho Cole — January 26, 2011 @ 5:47 pm

  8. […] “Quick and dirty manual compile of OpenSSH on CentOS 5″ (#!/bin/blog; 2008.04.06) – https://binblog.info/2008/04/06/quick-and-dirty-manual-compile-of-openssh-on-centos-5/ […]

    Pingback by SSH, OpenSSH « Eikonal Blog — February 3, 2011 @ 9:39 pm

  9. In more recent versions of rpmbuild, you can use rpm -ta sourcefile.tar.gz to directly build using a SPEC file contained at the top of the sourcefile tarball. You don’t need to do anything else, or even unpack the tarball.

    Comment by ddouthitt — November 3, 2011 @ 11:57 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a free website or blog at WordPress.com.

%d bloggers like this: