pantz.org banner
Install OpenSSH from source on CentOS 4.5
Posted on 09-18-2007 15:13:00 UTC | Updated on 09-18-2007 15:13:00 UTC
Section: /software/ssh/ | Permanent Link

This is an install of OpenSSH from source on CentOS 4.5. It is not so much of an upgrade as it is a seperate install. SSH is your gateway into your machine. It is the access point for your machine over the network. Therefore it needs one of the most secure parts of your system. When a vulnerability comes out for it you have to update it ASAP. Problem is most distros don't make haste in getting packages out that update it. So your stuck with updating it yourself. So that rpm or deb package you installed is useless now that is vulnerable.

So what we are going to do is compile and install our own OpenSSH in the /opt tree (or wherever you want). Then whenever OpenSSL, OpenSSH, or Zlib have a security problem we can just quickly patch, recompile, and install a new version of any of them. No dependence on the distro's packages and their slower response times. The install below is what versions of the packages where avaliable at the time so change those accordingly.

First we download and install zlib. It does not seem to change version much so you might not need to do this each time.

cd /tmp
mkdir -p /opt/zlib
mkdir zlib1.23
cd zlib1.23/
wget http://www.zlib.net/zlib123.zip
unzip zlib123.zip
make
make install prefix=/opt/zlib/

Next we download and install OpenSSL.

cd /tmp
mkdir -p /opt/openssl
wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
tar xvzf openssl-0.9.8e.tar.gz
cd openssl-0.9.8e
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make test
make install

Now we download and install OpenSSH. This version is for linux so it will come from the portable code base. In the configure section we are pointing to the OpenSSL and zlib installs we did above. You also want to check to see where your xauth file is and put that path in accordingly. I just did the command "which xauth" and got the path but you might need to do a "find / -name xauth" to find it.

cd /tmp
mkdir -p /opt/openssh
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz
tar xvzf openssh-4.7p1.tar.gz
cd openssh-4.7p1
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib
make
make install

We are going to use the SSHD init.d script to start and stop our version of SSH. This script comes with CentOS 4.5. To use it we need to change some paths. Check /etc/init.d/sshd make sure these point to /opt/openssh.

# Some functions to make the below more readable
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

Then restart SSH.

/etc/init.d/sshd restart

Check with telnet that your SSH is giving out the right version number of the one you just installed. You can do this by telnetting to your OpenSSH server.

telnet localhost 22

We should get a response with "OpenSSH_4.7" in the title. The same version that was just installed.

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemd

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib