February 27, 2009

Packaging OpenSSH on CentOS

Filed under: Security, UNIX & Linux — Tags: , , , , — martin @ 8:29 am

March 30, 2010: It was pointed out to me that Redhat has backported chroot functionality into its OpenSSH 4.3 packages, so these directions may not be neccessary anymore.

My article on chrooted SFTP has turned out to be the most popular article on this blog. What a pity that its “companion article” on building current OpenSSH on CentOS 5 is such a bloody hell of a mess.

Fortunately, reader Simon pointed out a really simple method for building RPMs from current OpenSSH sources in a comment. We had the chance to try this out in a production deployment of chrooted SFTP the other day, and what can I say? It just works(tm)! Thanks a lot, dude! 🙂

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

It certainly doesn’t hurt to make the GPG check a habit:

# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz.asc
# wget -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg –-import
# gpg openssh-5.2p1.tar.gz.asc
gpg: Signature made Mon 23 Feb 2009 01:18:28 AM CET using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48

Prepare, build and install the RPM. Disable the building of GUI components in the spec file. We don’t need these on a server:

# tar zxvf openssh-5.2p1.tar.gz
# cp openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l
-rw-r--r-- 1 root root 275808 Feb 27 08:08 openssh-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 439875 Feb 27 08:08 openssh-clients-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 277714 Feb 27 08:08 openssh-server-5.2p1-1.x86_64.rpm
# rpm -Uvh openssh*rpm
Preparing... ########################################### [100%]
1:openssh ########################################### [ 33%]
2:openssh-clients ########################################### [ 67%]
3:openssh-server ########################################### [100%]
# service sshd restart

The RPM should install cleanly on CentOS 4. On CentOS 5, after installation, service ssh restart throws a warning that initlog is obsolete. I work around this by keeping a copy of the old /etc/init.d/sshd and restoring it after RPM installation.



  1. […] using a somewhat adventurous manually compiled OpenSSH on CentOS 5. (Update, February 27, 2009: See Packaging OpenSSH on CentOS for a more coherent installation method.) I also had a little help from the Debian Administration […]

    Pingback by OpenSSH chrooted SFTP (e.g. for Webhosting) « #!/bin/blog — February 27, 2009 @ 8:37 am

  2. And for those who don’t trust “perl -i.bak -pe ’s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ openssh.spec” – vi /usr/src/redhat/SPECS/openssh.spec does the same job 😉

    Comment by G. — February 27, 2009 @ 11:12 am

  3. nice tutorial, very useful, but openssh comes into kinda non-upgradable, i hope this functionality will be in centos repos soon too 🙂 anyways thanks for your time writing this. 🙂

    Comment by lukash — March 15, 2009 @ 4:42 am

  4. Spot on – thanks. Was poking around trying to get Centos 5.2 to chrooted openssh, messing as a typical Slackware user does … then found this.

    Comment by Bert — March 16, 2009 @ 1:35 pm

  5. Hi. Very useful stuff. However I seem to have stuck on the rpmbuild stage. All goes well until ..

    gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -fstack-protector-all -L/usr/lib -lssh -lopenbsd-compat -lcrypto -lutil -lz -lnsl -lcrypt -lresolv -lresolv -lkrb5 -lk5crypto -lcom_err
    /usr/bin/ld: skipping incompatible /usr/lib/libcrypto.so when searching for -lcrypto
    /usr/bin/ld: skipping incompatible /usr/lib/libcrypto.a when searching for -lcrypto
    /usr/bin/ld: skipping incompatible /usr/lib/libkrb5.so when searching for -lkrb5
    /usr/bin/ld: skipping incompatible /usr/lib/libkrb5.a when searching for -lkrb5
    /usr/bin/ld: skipping incompatible /usr/lib/libkrb5.so when searching for -lkrb5
    /usr/bin/ld: skipping incompatible /usr/lib/libkrb5.a when searching for -lkrb5
    /usr/bin/ld: cannot find -lkrb5
    collect2: ld returned 1 exit status
    make: *** [ssh] Error 1
    error: Bad exit status from /var/tmp/rpm-tmp.62344 (%build)

    I gather these libraries are from openssl. I’m running
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    Centos 5.3

    Should I be trying to upgrade OpenSSL here as well?

    My only access to the server is via SSH, so I’m a little nervous about screwing everything up here: no SSH and I have to jump on a plane to fix the thing …

    Comment by Jim — April 28, 2009 @ 8:59 am

    • Jim,

      Are you trying to make rpm on 64bit? Because I saw those errors on 64bit and it wasnt matter for me to use 64bit or 32bit, I used 32bit. There wasnt any problem on 32 bit.

      if this is 32bit, try to install required lib or devel packages related to krb5.

      also, even though you install all lib and devel packages on 64 bit (both 32 bit and 64 bit packages) still there were problems.

      Comment by Metin Pasaoglu — May 14, 2009 @ 8:52 pm

    • I was able to get around the error by disabling kerberos in the spec file. I don’t user kerberos on that server so it doesn’t matter to me if it’s not compiled in. I was on x64 RHEL 5.3. Looking at the build notes the author of the blog is on x64, too, so who knows?

      Comment by Anonymous — May 22, 2009 @ 8:33 pm

      • disabling kerberos worked for me, too! thanks!

        Comment by Anonymous — July 29, 2009 @ 11:03 pm

    • For anyone else wandering across this in the future, there’s two points here:
      – always make sure you have ALL the dependencies you need
      – apt (for RPM) and (finally; maybe) yum has tools to “just go get me what I need to build this” so you don’t need to think

      Of course, it requires sound and complete dependencies, so anticipate the odd missing dep; more often with the amateur sources.

      Comment by bish — November 24, 2011 @ 5:47 pm

  6. Great article. Worked on the first try under RHEL5 Server.
    Now the hard part will be configuring this new fangled chroot…


    Comment by Stephane Gauthier — May 7, 2009 @ 5:14 pm

  7. Thanks for this article!

    Comment by Alex — May 13, 2009 @ 2:43 pm

  8. […] actualizar openssh en Centos segui los pasoa detallados en esta pagina Packaging OpenSSH on CentOS #!/bin/blog luego de # rpm -Uvh openssh*rpm Me aparece: warning: openssh-askpass-5.2p1-2.fc11.i586.rpm: […]

    Pingback by actualizar openssh en Centos - Foros de CHW — May 13, 2009 @ 6:01 pm

    • I have the same problem, when it was time to install the rpm, system warn me on dependencies… openssh-askpass-5.2p1-2.fc11.i586.rpm

      I think it can be usefull for some peoples to have a solution for this.

      If I find one, I’ll post it… but this is my first experience on Cent OS… so I may find nothing…

      Comment by Sebas — June 30, 2009 @ 1:53 pm

      • Well, here is the exact error :

        error: Failed dependencies:
        openssh = 4.3p2-29.el5 is needed by (installed) openssh-askpass-4.3p2-29.el5.i386

        I tried to only restart the service… it works!

        Comment by Sebas — June 30, 2009 @ 2:08 pm

      • I’m getting a very similar error:

        # rpm -Uvh openssh*rpm
        error: Failed dependencies:
        openssh = 4.3p2-29.el5 is needed by (installed) openssh-askpass-4.3p2-29.el5.x86_64

        I restarted the service and it’s still the old error. what can I do to get this to install?

        Comment by benny — January 4, 2010 @ 7:21 pm

      • nevermind, I looked into what askpass was and decided I didn’t need it so I “yum remove”ed it and everything is now good 😀 (note: i had to diff the old and new _config files and set a few other things)

        Comment by benny — January 4, 2010 @ 8:03 pm

      • The problem is a reverse dependency from the installed openssh-askpass package on the OLD openssh you’re replacing. This is pretty common if you’ve overlooked a (non-build) dependency — and since we’re not all the Rain Man, we’ll all miss one here and there.

        Build a custom openssh52-askpass package to go with your openssh52 package. It’s like the php/mysql dependency.

        Comment by Bish — December 30, 2011 @ 10:03 pm

  9. Great article. Built on Centos5.3 with no problem, error etc.
    Thank you.

    Comment by jason — June 26, 2009 @ 11:55 pm

  10. Thanks, helpful article. I had to upgrade my zlib to 1.2.3 first which was also a painless procedure except for actually finding a SPRM for zlib. A bit of googling got me that though. This was on a CentOS 4 system for the record.

    Comment by Jim — July 7, 2009 @ 11:30 pm

    • Funny, I ran into the same thing yesterday night. Are you preparing yourself for the rumoured OpenSSH vulnerability, too? 🙂

      Just for the record, I assumed that the RHEL zlib has a backported patch and added “–without-zlib-version-check” to the specfile.

      Comment by martin — July 8, 2009 @ 6:46 am

  11. Just a FYI… you really shouldn’t ever build software as root. Other than that, great guide.

    Comment by cnolan — July 8, 2009 @ 3:49 pm

    • @ cnolan – I took your advice and created a subuser (called admin) and su – in as root as necessary but when running any commands as Admin, I am unable to run ANY installs (permissions invalid). How do you suggest getting around this?

      Comment by John M — June 8, 2010 @ 12:59 am

      • You can build the RPM as non-root (provided you have your build environment configured correctly), but for installing the RPM, you always need to have root privileges.

        Comment by martin — June 8, 2010 @ 6:22 am

  12. This worked great (on CentOS 5.3), except it doesn’t install under CentOS 4 which was the purpose I am testing it. I am building under CentOS 5 and deploying under CentOS 4.4 and 4.7. I would assume I need to included possible dependencies for other glibc versions (I just don’t know how to), because here is the output I get under CentOS 4.

    error: Failed dependencies:
    libc.so.6(GLIBC_2.4)(64bit) is needed by openssh-5.2p1-1.x86_64
    libcrypto.so.6()(64bit) is needed by openssh-5.2p1-1.x86_64
    rtld(GNU_HASH) is needed by openssh-5.2p1-1.x86_64
    libc.so.6(GLIBC_2.4)(64bit) is needed by openssh-clients-5.2p1-1.x86_64
    libcrypto.so.6()(64bit) is needed by openssh-clients-5.2p1-1.x86_64
    rtld(GNU_HASH) is needed by openssh-clients-5.2p1-1.x86_64
    libc.so.6(GLIBC_2.4)(64bit) is needed by openssh-server-5.2p1-1.x86_64
    libcrypto.so.6()(64bit) is needed by openssh-server-5.2p1-1.x86_64
    libpam.so.0(LIBPAM_1.0)(64bit) is needed by openssh-server-5.2p1-1.x86_64
    rtld(GNU_HASH) is needed by openssh-server-5.2p1-1.x86_64

    CentOS 4 has included libraries for glibc-2.3 NOT glibc-2.4


    Comment by sean — September 15, 2009 @ 12:42 am

    • This is a simple dependency message, and makes me think you built it on RHEL5 for a REHL4 environment. This is a big mistake, and I’m surprised if it works. You need to build on an exemplar of the environment where you’ll be using it. Any RHEL4 box will do.

      Building for RHEL4 may require more porting effort than mere packaging work. You may need to develop patches so it fits the environment. Since you’ll be back-porting every 1-2 months, forever, you’ll want to do the complete work up-front now, to reduce the guesswork later.

      Comment by Bish — December 30, 2011 @ 10:10 pm

  13. Thanks for this article! – I followed this process on CentOS 5.3 i386 to get ChrootDirectory working for SFTP. Worked perfectly the first time. This will at least hold me over until some official RH RPMS with OpenSSH 4.8pm+ come out.

    Comment by Nick White — September 15, 2009 @ 3:34 pm

    • Anybody want to share their RPM? (a good one of course)

      Comment by Doug — September 24, 2009 @ 9:25 pm

      • Doug, e-mail me at nick,at,aryfi.com, and I can send you the RPMS my system built.

        Comment by Nick White — September 24, 2009 @ 9:45 pm

  14. Instead of reverting back to an old version of /etc/init.d/sshd, just fix
    the line that references initlog in the start() function:

    initlog -c “$SSHD $OPTIONS” && success || failure

    $SSHD $OPTIONS && success || failure

    Comment by Cris — October 18, 2009 @ 6:06 pm

    • This solution works for me.
      And the comment 15 is the same but more complicated.

      Comment by Cesar — November 10, 2009 @ 6:13 pm

  15. I added this before the “cd /usr/src/redhat/SPECS” to solve the initlog issue in the .rpm file

    cd /usr/src/redhat/SOURCES/
    tar zxvf openssh-5.*.tar.gz
    cp /etc/rc.d/init.d/sshd /usr/src/redhat/SOURCES/openssh-*/contrib/redhat/sshd.init
    rm openssh-5.*.tar.gz
    tar -czvf openssh-5.3p1.tar.gz openssh-5.3p1
    rm -Rf openssh-5.3p1

    Comment by Mark — October 21, 2009 @ 9:48 pm

    • Are you rebuiliding and repacking the upstream source package? That’s a really bad idea. The full reason not to is rooted in the RPM build methodology and pristine sources but in our case it’s just a maintainability risk.

      I recommend you create and ship a simple patch of the init-file changes in your custom package alongside the pristine source, as it’ll prevent you from overlooking it in a month or two when you repeat the process.

      Comment by Bish — December 30, 2011 @ 10:22 pm

  16. The path has changed on the ftp site. The files are now located in http://ftp.bit.nl/mirror/openssh/portable/

    Comment by Aaron — October 30, 2009 @ 3:16 pm

  17. Also, if you guys need to add umask functionality you can add sftpfilecontrol.sourceforge.net to the source before compiling. Worked great for me!
    [Ed.: Updated address “sourcefourge”.]

    Comment by Mark — December 4, 2009 @ 3:33 am

  18. To get proper syslog accounting, replace in AUTH for AUTHPRIV in your sshd config file

    Comment by Eduardo Roldan — February 11, 2010 @ 1:36 am

  19. Hi, thanks for the instructions but I can’t get past rpmbuild, the following error message pops up:

    /usr/src/redhat/SPECS # rpmbuild -bb openssh.spec
    error: parse error in expression
    error: /usr/src/redhat/SPECS/openssh.spec:77: parseExpressionBoolean returns -1
    error: Group field must be present in package: (main package)
    error: License field must be present in package: (main package)

    I am using the openssh-5.4p1 sources on CentOS release 5.4 and have followed the instructions closely, any ideas on how to solve this?

    Many thanks!

    Comment by Hamza — April 4, 2010 @ 12:14 am

  20. @Hamza

    I had the same issue with 5.4p1 on RHEL 5.3. I solved it by commenting out the following, beginning at line 77 in openssh.spec:

    #%if ! %{skip_x11_askpass}
    #Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{ave

    Comment by Chris — April 6, 2010 @ 9:57 pm

    • Hey Chris,

      With those lines commented out I was able to complete the instructions, Many thanks!


      Comment by Hamza — April 12, 2010 @ 6:32 pm

    • Chris’s comment above worked here as well.
      I also had to run this before I could get it to finish building:

      mkdir -p /usr/src/redhat/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

      Not sure why, but I did not have these directories.

      Comment by dreaken667 — April 22, 2010 @ 8:02 pm

      • > not sure why

        It’s normal. In most cases, too, building as root isn’t really recommended. There’s a simple three-line rc-file (.rpmmacros) you can place in your homedir to enable you to build as a regular user — you can even have it create the dirs as required.

        If there’s enough interested and if google’s not your friend I can throw one up.

        Comment by Bish — December 30, 2011 @ 10:25 pm

  21. […] https://binblog.info/2009/02/27/packaging-openssh-on-centos/ This entry was posted in Uncategorized. Bookmark the permalink. ← My Share […]

    Pingback by Packaging OpenSSH on CentOS | My Share Of IT — August 11, 2010 @ 6:48 am

  22. […] and rpmforge with no such) 2) build your own rpm package using the following fantastic guide https://binblog.info/2009/02/27/packa…ssh-on-centos/ and while your there checkout this article which discusses precisely this topic […]

    Pingback by Sftp server — December 3, 2010 @ 2:44 pm

  23. This tutorial was invaluable. One quick bug/quirk though. . . I usually restart services by typing:

    /etc/init.d/servicename restart

    instead of

    service servicename restart

    Once I have installed openssh (5.6) per the instructions above, this behaves in a very quirky way. I can use /etc/init.d/sshd stop and start fine. But restart causes the sshd server to enter a broken state and refuse connections despite both steps showing as “OK”. . . a subsequent start command restores functionality. But still, it’s odd. a status check after a /etc/init.d/sshd restart command shows: “sshd dead but subsys locked”

    using “service sshd restart” also causes the problem. Though, not every time like /etc/init.d/sshd does.

    This happens with or without the fix to the initlog deprecation applied per the instructions in comment 14.

    Anyways. . . I guess I can remember not to use restart and just manually stop and start. But. . . well. . . sure is odd.

    Comment by Hurin — December 31, 2010 @ 6:57 am

    • /var/log/messages shows that it’s unable to bind to any address:

      Dec 30 22:16:39 localhost sshd[2785]: error: Bind to port 22 on failed: Address already in use.
      Dec 30 22:16:39 localhost sshd[2785]: fatal: Cannot bind any address.
      Dec 30 22:16:39 localhost sshd[2142]: Received signal 15; terminating.

      Again, just a simple “start” will restore things back to working order. But someone might do a “restart” and leave their ssh daemon in a broken state for quite some time if they aren’t aware of this issue (assuming this isn’t just isolated to me and my testing environment here on a virtualbox centOS 64-bit).

      Comment by Hurin — December 31, 2010 @ 7:43 am

      • Alright. Hopefully my final note on this. It really looked like sometimes the start command was getting in there before the stop command had finished. Hence the address conflict. So I decided to compare the pre-and-post-openssh upgrade init.d scripts. I’m not a big fan of just putting the old /etc/init.d/sshd file back on the system since I’m not savvy enough to determine if there’s anything important going on in the new one that I’d lose by replacing it. But, I think I was able to isolate the portions of the old script that would fix this issue. First, the old script appears to determing the runlevel and establish it as a variable. So, I first I copied this line:

        runlevel=$(set — $(runlevel); eval “echo \$$#” )

        from the old file and placed it in the new one right above the line that begins with “do_rsa1_keygen”. . . right around line 30-32 in the new script file.

        Then, I just lifted the old “stop” function from the old file and overwrote the newer stop function (which was much shorter/simpler).

        So, replace everything in the new script file between:

        . . . lots of code. . .

        with this instead:

        echo -n $”Stopping $prog: ”
        if [ -n “`pidfileofproc $SSHD`” ] ; then
        killproc $SSHD
        failure $”Stopping $prog”
        # if we are in halt or reboot runlevel kill all running sessions
        # so the TCP connections are closed cleanly
        if [ “x$runlevel” = x0 -o “x$runlevel” = x6 ] ; then
        killall $prog 2>/dev/null
        [ “$RETVAL” = 0 ] && rm -f /var/lock/subsys/sshd

        With those isolated changes carried over from the old init.d script to the new one, I can now issue restart commands to sshd with absolutely no trouble.

        Comment by Hurin — December 31, 2010 @ 9:02 am

      • Thanks for your submission. I wonder if it’s possible to submit changes like this upstream. (I haven’t tried myself, just thinking about it.)

        Comment by martin — December 31, 2010 @ 9:28 am

      • For what it’s worth, I was curious if other linux distros with openssh 5.x built in would exhibit similar behavior. Some googling showed one guy on Ubuntu having the issue above. However, I installed fedora 14 on a virtual machine and found that they have the same “stop()” function applied to their init.d script as I recommend above (except they also throw in an additional non-critical line). So, it looks like the init.d/sshd script included with openssh is perhaps just too simple and other distros (at least Fedora) are taking it upon themselves to fix it up. Anyways, I think I’m now ready to start moving this onto a real server for testing before moving it into production. Thanks again for this great write-up! I needed both chrootdirectory jailing as well as group matching. . . and this procedure seems to be working great (I may follow up later with some tips on configuring pam (without getting deprecation errors) so that ssh logins appear in /var/log/secure, etc.).

        Comment by Hurin — December 31, 2010 @ 10:07 am

  24. […] not really usable on a server. I must credit some of these steps to someone else on the interwebs: https://binblog.info/2009/02/27/packaging-openssh-on-centos/ I found perl -i.bak -pe ‘s/^(%define no_(gnome|x11)_askpass)s+0$/$1 1/’ openssh.spec […]

    Pingback by » SFTP with chroot jail on CentOS — January 21, 2011 @ 1:51 pm

  25. […] RPM creation was taken from the following site and works […]

    Pingback by Installing OpenSSH 5.8 Centos 5.5 « The Survival Guides's Blog — May 20, 2011 @ 1:48 pm

  26. Hi,
    as centos 6 has been out for a wail do you have any guidance for it because i’m not finding the /usr/src/redhat/SPECS/ directory.

    Comment by Edmond — October 28, 2011 @ 11:19 pm

  27. You need to install rpm-build in order to have that directory show up. It may also have become generic (I can’t remember right now); if the installing rpm-build doesn’t do it, try doing this:

    ls -ld /usr/src/*/SPECS

    This will show you if the redhat directory has been renamed.

    You could also try:

    rpm -ql rpm-build

    This will show you the directories that rpm-build installed and/or manages (among other things).

    Comment by ddouthitt — November 4, 2011 @ 12:28 am

    • Hi ddouthitt,
      on a clean centos 6 minimal install i have done following:
      installed packges that the guid describes in the begging:

      yum install gcc openssl-devel pam-devel rpm-build

      #cat /var/log/yum.log
      Nov 14 02:56:23 Installed: 1:pkgconfig-0.23-9.1.el6.x86_64
      Nov 14 02:56:23 Installed: elfutils-libs-0.148-1.el6.x86_64
      Nov 14 02:56:23 Installed: elfutils-0.148-1.el6.x86_64
      Nov 14 02:56:23 Installed: patch-2.6-6.el6.x86_64
      Nov 14 02:56:24 Installed: ppl-0.10.2-11.el6.x86_64
      Nov 14 02:56:24 Installed: cloog-ppl-0.15.7-1.2.el6.x86_64
      Nov 14 02:56:24 Installed: libgomp-4.4.4-13.el6.x86_64
      Nov 14 02:56:24 Installed: file-5.04-6.el6.x86_64
      Nov 14 02:56:24 Installed: mpfr-2.4.1-6.el6.x86_64
      Nov 14 02:56:25 Installed: cpp-4.4.4-13.el6.x86_64
      Nov 14 02:56:25 Installed: unzip-6.0-1.el6.x86_64
      Nov 14 02:56:25 Installed: libsepol-devel-2.0.41-3.el6.x86_64
      Nov 14 02:56:25 Installed: libselinux-devel-2.0.94-2.el6.x86_64
      Nov 14 02:56:25 Installed: zlib-devel-1.2.3-25.el6.x86_64
      Nov 14 02:56:25 Installed: libcom_err-devel-1.41.12-3.el6.x86_64
      Nov 14 02:56:27 Installed: kernel-headers-2.6.32-71.29.1.el6.x86_64
      Nov 14 02:56:28 Installed: glibc-headers-2.12-1.7.el6_0.5.x86_64
      Nov 14 02:56:28 Installed: glibc-devel-2.12-1.7.el6_0.5.x86_64
      Nov 14 02:56:28 Installed: keyutils-libs-devel-1.4-1.el6.x86_64
      Nov 14 02:56:29 Installed: krb5-devel-1.8.2-3.el6_0.7.x86_64
      Nov 14 02:56:30 Installed: gcc-4.4.4-13.el6.x86_64
      Nov 14 02:56:30 Installed: rpm-build-4.8.0-12.el6.x86_64
      Nov 14 02:56:32 Installed: openssl-devel-1.0.0-4.el6_0.2.x86_64
      Nov 14 02:56:32 Installed: pam-devel-1.1.1-4.el6_0.1.x86_64

      [root@cent6-node1 tmp]# ls -ld /usr/src/*/SPECS
      ls: cannot access /usr/src/*/SPECS: No such file or directory
      [root@cent6-node1 tmp]# rpm -ql rpm-build
      [root@cent6-node1 tmp]#

      Do you have any clue?

      Comment by Edmond — November 14, 2011 @ 2:07 am

  28. I am on RHEL 5.7. I followed the instructions given above to upgrade to openssh-5.9p1.

    When I restart the sshd service I get the following error.

    /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    ssh-keygen: generating new host keys: ECDSA unknown key type (null)
    lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
    Starting sshd: [ OK ]

    Has anyone encountered this? If yes how did you solve it.
    Thanks a Lot

    Comment by su ven — December 28, 2011 @ 5:44 pm

    • I’m at a conference and can’t dive too deeply into this, but the error likely occurs because the underlying OpenSSL doesn’t support the ECDSA algorithm, hence the error when OpenSSH tries to use it. The configure script does not have an option to disable ECDSA, so the first workaround that comes to mind would be to kick out the respective invocation of ssh-keygen from /etc/init.d/sshd (search for ecdsa) and also to comment out the ECDSA host key in /etc/ssh/sshd_config. Looks like compatibility of OpenSSH with RHEL 5 has just died.

      Comment by martin — December 28, 2011 @ 6:05 pm

      • I commented out one line pertaining to ecdsa in /etc/init.d/sshd. That took one error message away.

        But still getting this message

        Stopping sshd: [ OK ]
        ssh-keygen: generating new host keys: ECDSA unknown key type (null)
        Starting sshd: [ OK ]

        Can’t figure out where this could be pulling for. No trace of ecdsa in /etc/ssh/sshd_config.

        Comment by su ven — December 29, 2011 @ 11:05 am

      • The message comes from ssh-keygen -A in line 41 of the init script. I have no idea how to work around this and consider it purely cosmetic.

        Comment by martin — January 2, 2012 @ 10:29 am

    • I am troubled with the same error, too.
      It was not a basic solution, but made ssh_host_ecdsa_key, ssh_host_ecdsa_key.pub in less than /etc/ssh by touch command.

      Comment by jrsyo — January 7, 2012 @ 10:19 am

      • Now that’s a hack. 😉

        Comment by martin — January 7, 2012 @ 10:35 am

  29. Hi,

    First of all a big thanks to your for this howto. It is a very useful guidance.
    When using the rpm what was compiled and build as above I get in a situation that if i put the first time the password wrong even if the second time it’s okay i’m not able to login. Does anyone of you have encountered this situation?

    Thank you.

    Comment by Edmond — February 12, 2013 @ 10:07 am

    • I’ve seen something like that but it had more to do with PAM (hint: use_first_pass) than openssh. Please consider using a general support forum for this question, and you may find it solved very quickly.

      Comment by Bish — February 12, 2013 @ 1:01 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: