Upgrading OpenSSH on CentOS and AlmaLinux


Note: This is an update from our 2011 post.

If you’ve taken a peek at your PCI scan results lately, you may have noticed that your scan provider is now requiring OpenSSH 6.6 or higher due to CVE-2014-2532 – a version that is not currently available in the CentOS 5 or 6 repositories. A Yum update isn’t going to help you much there.

You can, however, easily compile your own RPM and manually upgrade OpenSSH. The commands below are the ones I used to install version 7.1 (the latest stable at the time of this post), but can essentially be used for any compatible version.

First, download the OpenSSH source tarball from the vendor and unpack it. You can find the tarballs at http://www.openssh.com/portable.html

cd /usr/src

wget http://mirror.jmu.edu/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz

tar -xvzf openssh-7.2p2.tar.gz

You may need to install a few things for the RPM build to work:

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

Copy the spec file and tarball. For CentOS 5:

mkdir -p /usr/src/redhat/{SOURCES,SPECS}

cp ./openssh-7.2p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/

cp openssh-7.2p2.tar.gz /usr/src/redhat/SOURCES/

cd /usr/src/redhat/SPECS

For CentOS 6, 7, and 8 (AlmaLinux):

mkdir -p /root/rpmbuild/{SOURCES,SPECS}

cp ./openssh-7.2p2/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/

cp openssh-7.2p2.tar.gz /root/rpmbuild/SOURCES/

cd /root/rpmbuild/SPECS

Do a little magic:

sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec

…and build your RPM:

rpmbuild -bb openssh.spec

Now if you go back into /usr/src/redhat/RPMS/<arch> or /root/rpmbuild/RPMS/<arch>, you should see three RPMs. Go ahead and install them:

rpm -Uvh *.rpm

To verify the installed version, just type ‘ssh -v localhost’ and you should see the banner come up, indicating the new version.

*IMPORTANT! You may want to open a new SSH session to your server before exiting, to make sure everything is working! If you have a problem, simply:

yum downgrade openssh-server
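
The spec edits above can be applied and then checked before running rpmbuild, so a substitution that silently matched nothing is caught early. This is an added example, not part of the original post: the function names, the `drop-slogin` option (the workaround a commenter describes below for the slogin build error) and the sample spec are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): apply the spec edits, then verify them.

# Directory rpmbuild uses for SOURCES/ and SPECS/ on this host, so the tarball
# and spec are copied where rpmbuild will actually look.
rpm_topdir() {
    rpm --eval '%{_topdir}'
}

# verify_spec SPEC: succeed only if both askpass sub-packages are disabled and
# no obsolete BuildPreReq/BuildPrereq tag is left.
verify_spec() {
    local spec=$1 name rc=0
    local ws='[[:space:]][[:space:]]*'
    for name in no_gnome_askpass no_x11_askpass; do
        if ! grep -q "^%define${ws}${name}${ws}1[[:space:]]*\$" "$spec"; then
            echo "verify: $name is not set to 1" >&2
            rc=1
        fi
    done
    if grep -q 'BuildPre[Rr]eq' "$spec"; then
        echo "verify: BuildPreReq tag still present" >&2
        rc=1
    fi
    return "$rc"
}

# patch_spec SPEC [drop-slogin]: edit SPEC in place, keeping SPEC.orig.
# Tolerates extra whitespace and either spelling of BuildPreReq.
# "drop-slogin" (hypothetical option) also removes the %files entries for slogin.
patch_spec() {
    local spec=$1 opt=${2:-} tmp
    local ws='[[:space:]][[:space:]]*'
    [ -f "$spec" ] || { echo "patch: no such file: $spec" >&2; return 2; }
    cp -p "$spec" "$spec.orig" || return 2
    tmp=$(mktemp) || return 2
    sed -e "s/^\(%define${ws}no_gnome_askpass\)${ws}0[[:space:]]*\$/\1 1/" \
        -e "s/^\(%define${ws}no_x11_askpass\)${ws}0[[:space:]]*\$/\1 1/" \
        -e 's/BuildPre[Rr]eq/BuildRequires/g' \
        "$spec.orig" > "$tmp" || { rm -f "$tmp"; return 2; }
    if [ "$opt" = drop-slogin ]; then
        grep -v '^%attr.*slogin' "$tmp" > "$spec"
    else
        cat "$tmp" > "$spec"
    fi
    rm -f "$tmp"
    verify_spec "$spec"
}

# Constructed sample shaped like contrib/redhat/openssh.spec (not the real file).
write_sample_spec() {
    cat > "$1" <<'EOF'
%define no_x11_askpass 0
%define  no_gnome_askpass  0
Name: openssh
BuildPrereq: openssl-devel
BuildPreReq: pam-devel
%files clients
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/slogin
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
EOF
}

# Demo on the constructed sample only; nothing on the system is touched.
demo_dir=$(mktemp -d)
write_sample_spec "$demo_dir/openssh.spec"
if patch_spec "$demo_dir/openssh.spec" drop-slogin; then
    echo "spec patched and verified: $demo_dir/openssh.spec"
fi
```

On a real build host, run `patch_spec "$(rpm_topdir)/SPECS/openssh.spec"` and only start rpmbuild if it returns 0.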

78 Comments

  1. Andrew Reply

    Just a point of contention – Since this is a site related to administrating a cPanel server, it should be noted that upgrading OpenSSH via source on a cPanel server has the potential for Bad Things™ to happen. These instructions will surely work on a standard, vanilla, install. However in my experience as a System Administrator, this needs to be approached with a grain of salt and a healthy dose of caution.

  2. Andrew Reply

    I just realized that this in the end is an RPM, but my point still stands – cPanel looks for specific versions of service software.

  3. Vanessa Reply

    OpenSSH is actually not a service managed by cPanel – while cPanel does do basic things like managing key/pass auth and generating SSH keys, it does not manage OpenSSH itself – OpenSSH is present on the server before cPanel is even installed.

    While we of course agree that outside RPM updates on cPanel servers should be done cautiously, our expertise is in studying these matters to determine what upgrades can be done safely. This particular matter was previously discussed with a cPanel developer prior to us posting it on our website.

  4. Mig Reply

    Hello,

    Thanks for the useful post. There seems to be an error on the perl line though:

    -bash: syntax error near unexpected token `(‘

    I’m sure I will get to the bottom of that, but it’s still good to know.

    Have a nice day,
    mig

  5. Kenneth Reply

    Nice article Vanessa.

    cPanel & WHM doesn’t look for a specific version of the SSH daemon. As Vanessa stated only very basic management and functionality is performed for SSHd. Restarts, disabling of reverse DNS lookups, up|down status and a hidden failsafe configuration reset are about the extent of what happens.

    However, cPanel & WHM support cannot help you with your custom SSHd replacement 🙂

  6. Robert Reply

    Hi Vanessa,
    What exactly are you doing in your perl RE line? Are you turning off gnome and x11 or removing password requirements? I want to make sure that’s what I want to do before doing it.
    Thanks,
    Robert

  7. shez Reply

    Hi Vanessa

    Thanks for the wonderful post, but I followed all the steps in CentOS 5.6 but as I reached SPEC# rpmbuild -bb openssh.spec at the end of build it gives following error…..

    configure error: pam header not found
    error: Bad exit status from /var/tmp/rpm-tmp.28252(%build)

    RPM build Error: bad exit status from /var/tmp/rpm-tmp.28252(%build)

    any idea how to resolve this issue?? Thanks

  8. Victor Reply

    Sorry, a bit of a newbie question. I don’t see anything in the /usr/src/redhat/RPMS/i686 folder. I have arch i686. This is what I see:
    [/usr/src/redhat/RPMS/i686]# ls -al
    total 8
    drwxr-xr-x 2 root root 4096 Sep 8 2010 ./
    drwxr-xr-x 9 root root 4096 Jul 13 03:50 ../

    Thanks,
    Victor

  9. Chris Reply

    To fix the “-bash: syntax error near unexpected token `(‘” just copy the command into a text editor and replace the single quotes. Example —
    perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec

  10. Chris Reply

    Reference the -bash: syntax error near unexpected token `(‘ —
    Simply take the command — -bash: syntax error near unexpected token `(‘

    and paste it into notepad —

    Now replace each single quote with a new single quote inside of notepad. Then copy the code back into SSH and you’re good to go!

    Should look like —
    perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec

    PS – Article is AWESOME and a huge help!

  11. Chris Reply

    Why the perl? Why not just open the spec and set both the askpass lines to 1 instead of 0 so that it doesn’t build them – that’s what the conditions are there for?

  12. alfonso Reply

    Help I get the following when ever I try to install the rpm thanks what Newbie what can I do
    total 1472
    -rw-r--r-- 1 root root 482866 Sep 14 13:02 openssh-5.8p1-1.i386.rpm
    -rw-r--r-- 1 root root 650975 Sep 14 13:02 openssh-clients-5.8p1-1.i386.rpm
    -rw-r--r-- 1 root root 356736 Sep 14 13:02 openssh-server-5.8p1-1.i386.rpm
    [root@CENTOSFTP i386]# rpm -Uvh openssh*
    error: Failed dependencies:
    openssh = 4.3p2-72.el5_7.5 is needed by (installed) openssh-askpass-4.3p2-72.el5_7.5.i386
    [root@CENTOSFTP i386]# rpm -Uvh openssh-server-5.8p1-1.i386.rpm
    error: Failed dependencies:
    openssh = 5.8p1-1 is needed by openssh-server-5.8p1-1.i386
    [root@CENTOSFTP i386]#

  13. Thereson Antaltego Reply

    I found a couple items across the web that may solve the bad exit issue (having some updated packages installed):

    yum install pam-devel
    yum install openssl-devel

    But more than likely, I think it was a problem with the SPEC file. I had to try one version back from current (5.9p1 => 5.8p1), to get a distribution that would build.

    The perl command overrides the building of X11 and Gnome GUI elements, which you wouldn’t need on a headless server. But forget about it and use the options built-in to the SPEC file to override these components instead:

    rpmbuild --define 'skip_x11_askpass 0' \
    --define 'skip_gnome_askpass 0' \
    -bb openssh.spec

  14. Nyoman Reply

    I got this error:
    RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.5659 (%doc)

    Compile latest version is openssh-5.9p1

  15. Nyoman Reply

    Update: working with openssh-5.8p2 version
    For those who got the error with openssh-askpass-4.3p2-72.el5_7.5.i386 dependencies failed, please remove it first

  16. Mark Reply

    To make this work with openssh-5.9p1, remove WARNING* from the %doc line. This fixes the ‘Nyoman said on Dec-09-2011’ error.

  17. Robert Reply

    @Thereson thanks but I got an error complaining that -define was not an option, but the perl worked after doing the intermediate update of single quotes in notepad. I didn’t even mess with version 5.9 because I was just trying to get above 4.4 to pass a security scan.

    Vanessa, thanks for sharing this procedure, I appreciate it.

  18. Pingback: PCI Compliance on CentOS 5, OpenSSH 5.8 RPM Upgrade Howto | SRI Hosting

  19. Avinash.Rao Reply

    I did everything that was listed on the tutorial website. Instead of 5.8 I am using 6.0
    The rpm build completed without any errors. Unfortunately, the version doesn’t seem to change!

    Last few lines of rpm build.

    Processing files: openssh-6.0p1-1
    Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.9920
    + umask 022
    + cd /usr/src/redhat/BUILD
    + cd openssh-6.0p1
    + DOCDIR=/var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
    + export DOCDIR
    + rm -rf /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
    + /bin/mkdir -p /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
    + cp -pr CREDITS ChangeLog INSTALL LICENCE OVERVIEW README README.dns README.platform README.privsep README.tun PROTOCOL PROTOCOL.agent PROTOCOL.certkeys PROTOCOL.mux TODO /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
    + exit 0

    sshd -v
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

  20. Jag Reply

    I am a newbie. I followed the exact steps; I could not see an archive folder in /usr/src/redhat/RPMS/. I would like to know if these steps can be followed on a VPS server also

  21. RobH Reply

    Out of curiosity, why did you choose to install via self built RPM rather than just installing from source, adding openssh* to the ever growing list of yum excludes, and call it a day? Just preference?

    Seems it may have been a bit easier for some of the above people who have encountered issues. 🙂

    1. Vanessa Reply

      It’s mostly a matter of preference. I prefer using RPMs when possible, as it makes upgrades/downgrades/removals a lot easier to deal with.

  22. Tyler W Reply

    Thanks so much, still useful even a year later! I agree with those who say CentOS 5 lacks in security! Unfortunately I have an old client who run their own servers through media temple and use CentOS with Plesk (yuck) and being more comfortable with the Debian/Ubuntu spectrum this tutorial definitely aided me in building out these RPMs. Worked perfectly for me and now I’m going to run our PCI Compliance scan once more and try to knock these other vulnerabilities off.

  23. Jay Reply

    I like the tut.

    configure: error: PAM headers not found
    error: Bad exit status from /var/tmp/rpm-tmp.24388 (%build)

    RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.24388 (%build)

    Solution:
    yum install pam-devel

    Also for other errors during this process:
    yum install openssl-devel
    yum install krb5-devel

  24. Wrathtard Reply

    Very informative and useful. However, I am stuck because my current openssh-askpass is still at 4.3 and requires openssh-XXXX to also be 4.3. Can I safely uninstall askpass, install the new RPMs, then reinstall a later version of askpass?

    Thank you!

  25. Wrathtard Reply

    Addendum: I’m only using command line, so it might be irrelevant after all…is askpass just for X? If that’s the case I think I’m good.

  26. Rad Reply

    Following these instructions I had received “error: Failed dependencies:”

    Installing the rpms via “rpm -Uvh *.rpm”, including an asterisk, did not work. Using the specific rpm name is what gave the dependencies error. Figured out you have to do “rpm -Uvh *.rpm *.rpm *.rpm”, listing each of the three rpm’s inline like that.

    Not sure if that is common knowledge (I’m a *nix newbie) or if for some reason using an asterisk just didn’t work for me. But there’s your answer.

    Full command was:

    rpm -Uvh openssh-5.8p1-1.x86_64.rpm openssh-server-5.8p1-1.x86_64.rpm openssh-clients-5.8p1-1.x86_64.rpm

  27. Rale Reply

    Hello,

    After rpm -Uvh *.rpm i get dependencies failed:

    openssh = 4.3p2-82.el5 is needed by (installed) openssh-askpass-4.3p2-82.el5.x86_64

    Can somebody give me instructions how to fix this?

    Thanks for great article!

    1. Jesse Reply

      I also got the same problem. But after searching, I found the already installed openssh-askpass has to be removed first. For my case using centOS, I’ve got this command: yum remove openssh-askpass
      Then I can successfully install the new openssh. Hope this helps.

  28. John Andreasson Reply

    This is actually a very stupid thing to do. The OpenSSH server included in the distribution is continuously patched by Red Hat. You have to understand that the version shipped by Red Hat (and later CentOS) is NOT the same version that the OpenSSH project distributed. It is heavily patched when bugs are found.

    What you do when you download and build your own copy of the OpenSSH server is transfer the responsibility for maintaining and patching the installation to YOU. You have actually most likely made your system less secure, since you probably have other things to do than constantly repatch the OpenSSH installation.

    And you did this because you ran some scanner tool that only checked a version number and concluded that you were vulnerable, without checking that you were actually vulnerable and without realizing how Red Hat uses version numbers.

    1. Vanessa Reply

      John – Thank you for your comment. While you bring up some interesting points, it seems that you may not be entirely familiar with how PCI scans work. Firstly, yes Redhat does indeed backport certain fixes into their RPMs without updating the actual version of the software, and this can cause “false positives” to be reported. All of our PCI articles do indeed state this, and it’s undisputed. However, Redhat does NOT patch all the vulnerabilities that may come up in a PCI scan. This is why it’s important for any server administrator to understand how package versions work on Redhat systems (this includes RHEL, Fedora (somewhat), and CentOS). As stated in our Terms of Use, the information we provide is only that – information. What you choose to do on your server is your business.

      Determining whether it is necessary to manually upgrade and/or maintain certain packages is your choice, and I wouldn’t call it a “stupid” thing to do, if you know what you’re doing and why you’re doing it. This post is primarily targeted to the numerous readers that have contacted us about failing PCI scans due to the OpenSSH version. Bearing in mind that the fixes may be backported, many of the CVE’s listed in these scans were not actually patched by the vendor, and therefore it may be necessary to manually upgrade the version, as instructed in this article.

      For the readers that may not know whether this is necessary, simply use “rpm -q --changelog $packagename” and use the “grep” command to search for the CVE that your scanning vendor is complaining about. If it is NOT listed, and your OS vendor has not released an update that does address the CVE, then you will need to upgrade the package manually as shown in this post. You can, however, easily move back to the vendor package when the mentioned CVE’s are applied.

  29. Yehuda Katz Reply

    There are some wrong paths, so here are the correct commands (I personally needed the 4.4 version, which supports the Match User directive). The code above also requires updating openssl

    cd /usr/src
    wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz
    tar -xvzf openssh-4.4p1.tar.gz

    yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

    cp ./openssh-4.4p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
    mv openssh-4.4p1.tar.gz /usr/src/redhat/SOURCES
    rm -rf ./openssh-4.4p1/

    cd /usr/src/redhat/SPECS
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /usr/src/redhat/SPECS/openssh.spec
    sed -i -e "s/BuildPreReq/BuildRequires/g" /usr/src/redhat/SPECS/openssh.spec

    rpmbuild -bb openssh.spec
    cd /usr/src/redhat/RPMS/x86_64
    rpm -Uvh *.rpm

  30. Nibin Reply

    Please would you tell me why you prefer to upgrade, when the CVE mentioned is already back-ported and patched?

    ====================================
    * Wed Jun 18 2014 Petr Lautrbach 5.3p1-96
    – prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
    – ignore environment variables with embedded ‘=’ or ” characters CVE-2014-2532
    – backport ControlPersist option (#953088)
    – log when a client requests an interactive session and only sftp is allowed (#997377)
    – don’t try to load RSA1 host key in FIPS mode (#1009959)
    – restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart
    (#1010429)
    – ssh-keygen -V – relative-specified certificate expiry time should be relative to current time
    (#1022459)
    ========================================

    Above is from OS version 6.6
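
The changelog check described in Vanessa's reply to comment 28, and illustrated by the entry quoted in comment 30, can be scripted so that each CVE from a scan report is mapped to the package release whose changelog lists it. This is an added example, not code from the post or its commenters: the function names and the sample changelog are constructed for illustration, and CVE-0000-0000 is a placeholder ID.

```shell
#!/bin/bash
# Added example: report which changelog entry, if any, lists each CVE.

# cve_status CVE-ID... < changelog
# Prints "<CVE> listed <version-release>" or "<CVE> not-listed" for each ID.
# Returns 1 if any ID is missing from the changelog, 0 otherwise.
cve_status() {
    awk -v want="$*" '
        BEGIN { n = split(want, ids, " "); missing = 0 }
        # Entry header: "* Day Mon DD YYYY Packager ... version-release"
        /^\* / { rel = $NF; next }
        {
            for (i = 1; i <= n; i++)
                # Require a non-digit after the ID so CVE-2014-2532 does not
                # match inside CVE-2014-25320. The last match wins: rpm prints
                # newest entries first, so this is the earliest listing.
                if ($0 ~ (ids[i] "([^0-9]|$)"))
                    hit[ids[i]] = rel
        }
        END {
            for (i = 1; i <= n; i++) {
                if (ids[i] in hit) print ids[i], "listed", hit[ids[i]]
                else { print ids[i], "not-listed"; missing = 1 }
            }
            exit missing
        }'
}

# Constructed sample in "rpm -q --changelog" layout. The 5.3p1-96 entry is
# modelled on the one quoted in comment 30; the 5.3p1-999 entry is made up.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2018 Example Packager <packager@example.com> - 5.3p1-999
- constructed entry: add regression test for the CVE-2014-2653 fix

* Wed Jun 18 2014 Petr Lautrbach 5.3p1-96
- prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
- ignore environment variables with embedded '=' characters CVE-2014-2532
- backport ControlPersist option (#953088)
EOF
}

# Demo on the constructed sample; CVE-0000-0000 is a placeholder that is absent.
sample_changelog | cve_status CVE-2014-2532 CVE-2014-2653 CVE-0000-0000 \
    || echo "at least one CVE is not listed in the changelog"
```

On a live system, feed it the real changelog: `rpm -q --changelog openssh-server | cve_status CVE-2014-2532`. A "listed" result is the evidence to give the scan vendor when disputing a version-based finding.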

  31. Jacob Steelsmith Reply

    Hi Vanessa,

    We are looking at doing this to our ancient CentOS 5 install we cannot upgrade. We have been told by LiquidWeb that cPanel might “overwrite” the updated software during its upgrade. Is this the case in your experience?

    1. Vanessa Vasile Reply

      cPanel does not manage the OpenSSH version at all. If anything, cPanel updates would run a system update (basically, “yum update”) and packages can be overwritten during this process. However, if you’re on CentOS 5 or 6, I can assure you this will not be a problem. For one, these instructions involve creating a new package that has a version number higher than any version you’ll find in CentOS’s repos – so yum will not overwrite the package unless you explicitly do a ‘yum downgrade openssh’, etc. Secondly, if it’s a concern, you can add openssh* to /etc/yum.conf excludes, and it will be ignored entirely. While we can’t be certain that cPanel’s behavior won’t change in the future, right now it does not manage the openssh package at all, and I have never seen it be an issue.

  32. Khoi Reply

    Why couldn’t I build my RPM? Could you tell me the reason?
    [centos@khoi ~]$ cd /usr/src/redhat/SPECS
    [centos@khoi SPECS]$ sudo rpmbuild -bb openssh.spec
    error: File /root/rpmbuild/SOURCES/openssh-7.1p2.tar.gz: No such file or directory

      1. Khoi Reply

        So when I was using ssh to connect to this server from the client it said: No hostkey alg. I checked the folder /etc/ssh and still saw some key files like ssh_host_dsa_key …etc. Maybe the openssh didn’t work with CentOS 6.7, I think.

  33. jacob Reply

    Hello Vanessa,

    I am getting the error sed -e expression #1, char 58 : unknown option to ‘s’

    when executing the command

    sed -i -e “s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g”openssh.spec

    is there any help you can give me on this issue?

  34. Neil Yal Reply

    This is for CLEAROS 5.2
    I was wondering if you could help me!
    I’m following your method above and it is working.. .but I ran into a problem.
    First when I compiled it told me I have the wrong version of openssl.
    SO I installed Openssl following these instructions
    https://j3pd.wordpress.com/2011/08/31/upgrading-openssl/
    I now get:
    # openssl version
    OpenSSL 1.0.0d 8 Feb 2011
    but when I go to install the RPM created above I get:
    # rpm -Uvh *.rpm
    error: Failed dependencies:
    libcrypto.so.1.0.0 is needed by openssh-7.1p2-1.i386
    libcrypto.so.1.0.0 is needed by openssh-clients-7.1p2-1.i386
    libcrypto.so.1.0.0 is needed by openssh-server-7.1p2-1.i386
    I checked and it looks like this is part of the openssl package. So when I queried rpm I see:
    rpm -qa | grep openssl
    openssl-0.9.8e-37.el5_11
    openssl-devel-0.9.8e-37.el5_11
    Any way to let RPM know I have the newer version?
    If you have advice, Please let me know!
    Neil.

      1. cristi Petrisor Reply

        Hi. am facing an issue
        I hit the carpark barrier :

        when trying to make the rpm
        i got… checking OpenSSL header version… 0090802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
        checking OpenSSL library version… configure: error: OpenSSL >= 0.9.8f required (hav

        From your note I saw you manipulate the openssh.spec to look for 0.9.8e. Can you share more details, please? How can I do that too? The rpm you shared can’t help me as I have higher versions for glibc etc..

  35. Ashutosh Reply

    Thanks Vanessa for your post.

    I would just like to add a point. After updating openssh please replace your current sshd file in /etc/pam.d folder with older one. I did not do that and ran into server aborting connection after exiting from session. I mounted the drive to another instance and replaced it. Now it is working fine.

    Hope this helps someone.

  36. sara Reply

    Hi while building rpm I am getting file not found error. How do we fix this.

    Processing files: openssh-clients-7.2p1-1.x86_64
    error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*

    RPM build errors:
    File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
    File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*

    1. Carlton Reply

      Just comment out the two lines for slogin and slogin.1 in the spec file. slogin was just a symlink to ssh in previous versions and somewhere along the way it was removed from OpenSSH, but the spec file wasn’t updated.

  37. Nishant Kumar Reply

    Hi Vanessa ,
    I tried the above steps and I’m getting the same error as Sara:
    RPM build errors:
    File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/bin/slogin
    File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p1-1.x86_64/usr/share/man/man1/slogin.1*

    Below are the commands that i executed:

    cd /usr/src
    wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz
    tar -xvzf openssh-7.2p2.tar.gz
    yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

    mkdir -p /usr/src/redhat/{SOURCES,SPECS}
    ********************************************************************************************************************
    1.
    cp ./openssh-7.2p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
    cp openssh-7.2p2.tar.gz /usr/src/redhat/SOURCES/
    cd /usr/src/redhat/SPECS
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
    sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec

    [root@ssdglbr2 SPECS]# rpmbuild -bb openssh.spec
    error: File /root/rpmbuild/SOURCES/openssh-7.2p2.tar.gz: No such file or directory

    cd /usr/src
    cp openssh-7.2p2.tar.gz /root/rpmbuild/SOURCES/

    cd /usr/src/redhat/SPECS
    rpmbuild -bb openssh.spec

    Output:
    Processing files: openssh-clients-7.2p2-1.x86_64
    error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

    RPM build errors:
    File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

  38. Jacob Gore Reply

    Hey Vanessa, received the same errors as sara, here are the commands

    cd /usr/src

    mv /home/username/Downloads/openssh-7.2p2.tar.gz /usr/src

    tar -xvzf openssh-7.1p2.tar.gz

    yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

    mkdir -p /usr/src/redhat/{SOURCES,SPECS}

    cp ./openssh-7.1p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/

    cp openssh-7.1p2.tar.gz /usr/src/redhat/SOURCES/

    cd /usr/src/redhat/SPECS
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
    sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec

    rpmbuild -bb openssh.spec

    File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

    System is CentOS 7

    1. Vanessa Vasile Reply

      There is a note in the post that you may need to copy the tarball to /root/rpmbuild. The original instructions are for CentOS 5. If you’re doing this on CentOS 6 or 7 the paths will be different. I have updated the post to clarify this.

      1. Andrew Reply

        Hi,

        Just wondering why this is happening.

        Processing files: openssh-clients-7.2p2-1.x86_64
        error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
        error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

        RPM build errors:
        bogus date in %changelog: Wed Oct 01 2002 Damien Miller
        bogus date in %changelog: Sun Dec 29 2001 Nalin Dahyabhai
        File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
        File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1

        1. Vanessa Vasile Reply

          The file not found error refers to where the source and spec files were moved. Please make sure you are following the instructions for the version of CentOS you are using, as it is different between 5 and the newer ones.

  39. Nishant Kumar Reply

    getting the below error now ::

    rpm -Uvh openssh-7.1p2-1.x86_64.rpm
    error: Failed dependencies:
    openssh = 5.3p1-114.el6_7 is needed by (installed) openssh-server-5.3p1-114.el6_7.x86_64
    openssh = 5.3p1-114.el6_7 is needed by (installed) openssh-clients-5.3p1-114.el6_7.x86_64
    openssh = 5.3p1-114.el6_7 is needed by (installed) openssh-askpass-5.3p1-114.el6_7.x86_64

  40. Nishant Kumar Reply

    Never-mind guys ..I got the above problem..

    Found the old RPMs : rpm -qa | grep ssh
    removed them: rpm -e --nodeps openssh-server-5.3p1-114.el6_7.x86_64
    and then installed the new ones .
    # rpm -Uvh openssh-7.1p2-1.x86_64.rpm
    Preparing… ########################################### [100%]
    1:openssh ########################################### [100%]
    # rpm -Uvh openssh-clients-7.1p2-1.x86_64.rpm
    Preparing… ########################################### [100%]
    1:openssh-clients ########################################### [100%]
    # rpm -Uvh openssh-server-7.1p2-1.x86_64.rpm
    Preparing… ########################################### [100%]
    1:openssh-server ########################################### [100%]
    # ssh -V
    OpenSSH_7.1p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    But i am facing issues with SSH now even after replacing the /etc/ssh/sshd_config file with the old one that i had backed up.
    /etc/init.d/sshd restart
    Stopping sshd:Connection to 192.168.10.251 closed by remote host.
    Connection to 192.168.10.251 closed.
    Have lost the connection to server. Will try from console tomorrow .

  41. steve Reply

    Hey Vanessa, thanks for the article – I was able to build the RPM with just a few errors:
    “error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

    I like Jag was not able to find the archive folder with the RPM files. I’m running CentOS 6. So basically I’m at the last step trying to run the .RPM install files and not able to do so. Any ideas? Looking for those RPM files…

    1. Vanessa Vasile Reply

      As noted, please make sure you are using the instructions for the version of CentOS you are using. If you find that rpmbuild is trying to build in /root/rpmbuild, put your source there instead of /usr/src.

  42. Pingback: CentOS 6.8 upgrade ssh - Zeros & Ones

  43. Pingback: Upgrading Latest OpenSSH on CentOS | Jango Webpage

  44. Pingback: Upgrading Latest OpenSSH | Jango Webpage

  45. Santosh Chacharkar Reply

    Hi Vanessa,

    I have upgraded openssl to version “OpenSSL 1.1.0e 16 Feb 2017” and now while building the rpm it is showing me the below error.

    checking whether AI_NUMERICSERV is declared… yes
    checking whether getpgrp requires zero arguments… yes
    checking OpenSSL header version… 1010004f (OpenSSL 1.1.0d 26 Jan 2017)
    checking OpenSSL library version… not found
    configure: error: OpenSSL library not found.
    error: Bad exit status from /var/tmp/rpm-tmp.lvAK78 (%build)

    RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.lvAK78 (%build)

  46. Santosh Chacharkar Reply

    Now I am trying to install same package in freshly created server and in rpmbuild below errors are found.

    Processing files: openssh-clients-7.2p2-1.x86_64
    error: File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    error: File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

    RPM build errors:
    File not found: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/bin/slogin
    File not found by glob: /root/rpmbuild/BUILDROOT/openssh-7.2p2-1.x86_64/usr/share/man/man1/slogin.1*

  47. Terdent Reply

    I did this update successfully for a Cloudlinux 6 server but after the update login with ssh key does not work anymore. Any idea why this happens?

  48. Michael J. Oleksak Reply

    Hello Vanessa…
    Forgive a newbie, but what are the values for {SOURCES, SPECS}? I am trying to upgrade to openssh-8.1p1 on a cloudlinux 6 box and I am ready to blow the !*&$ thing up.

  49. YL Reply

    Thank you for the directions. For CentOS 5.11, I followed the guide, except:

    * I used `openssh-6.6p1`, the last release with support for `openssl-0.9.8e`.

    * `sed -i -e "s/BuildPrereq/BuildRequires/g" openssh.spec` (not `PreReq`).
