On Thu, Feb 7, 2019 at 11:16 PM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 8 Feb 2019, CLOSE Dave wrote:
>
> > I deal with a large number of internal machines that have not been
> > updated for a while and which I am not at liberty to update. They run
> > Fedora 20 which includes openssh 6.4p1. For various reasons, I'd like to
> > put a more recent version on these machines but, of course, no package
> > is available for that.
> >
> > Trying the portable version of openssh 7.9p1, I found that I can easily
> > make it work by building my own package with rpmbuild. But it appears
> > that the program is not actually built, just packaged, which leaves me
> > with only the default options selected. As this is Fedora, I need to
> > enable PAM. Has anyone done something similar? Can anyone offer some
> > clues on how to proceed?
>
> You could try building a RPM using the contrib/openssh.spec in the
> source distribution. It includes PAM support by default.

That .spec file is not well maintained. The Source URL for
x11-ssh-askpass, for example, is not valid, and it uses SysV init
rather than systemd.

Try using the .spec file from the latest Fedora SRPM, commenting out
patches that have already been applied. I used to do this for RHEL and
CentOS, and had to stop with the leading edge OpenSSH as OpenSSL
requirements for OpenSSH diverged from being compatible with the
relatively old version in RHEL releases. I've not had an opportunity
to try it with RHEL 8 beta.

On Wed, Feb 13, 2019 at 11:04 PM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> On Thu, Feb 7, 2019 at 11:16 PM Damien Miller <djm at mindrot.org> wrote:
> >
> > On Fri, 8 Feb 2019, CLOSE Dave wrote:
> >
> > > I deal with a large number of internal machines that have not been
> > > updated for a while and which I am not at liberty to update. They run
> > > Fedora 20 which includes openssh 6.4p1. For various reasons, I'd like to
> > > put a more recent version on these machines but, of course, no package
> > > is available for that.
> > >
> > > Trying the portable version of openssh 7.9p1, I found that I can easily
> > > make it work by building my own package with rpmbuild. But it appears
> > > that the program is not actually built, just packaged, which leaves me
> > > with only the default options selected. As this is Fedora, I need to
> > > enable PAM. Has anyone done something similar? Can anyone offer some
> > > clues on how to proceed?
> >
> > You could try building a RPM using the contrib/openssh.spec in the
> > source distribution. It includes PAM support by default.
>
> That .spec file is not well maintained. The Source URL for
> x11-ssh-askpass, for example, is not valid, and it uses SysV init
> rather than systemd.

It's better than I thought. It apparently had not been updated for
RHEL 7, but it did work for RHEL 6. I submitted some patches at
https://github.com/openssh/openssh-portable/pull/117

These do not necessarily match the sshd_config and ssh_config from
RHEL, but it seems to work.

On Fri, Feb 15, 2019 at 8:23 PM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> On Wed, Feb 13, 2019 at 11:04 PM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> >
> > On Thu, Feb 7, 2019 at 11:16 PM Damien Miller <djm at mindrot.org> wrote:
> > > You could try building a RPM using the contrib/openssh.spec in the
> > > source distribution. It includes PAM support by default.
> >
> > That .spec file is not well maintained. The Source URL for
> > x11-ssh-askpass, for example, is not valid, and it uses SysV init
> > rather than systemd.
>
> It's better than I thought. It apparently had not been updated for
> RHEL 7, but it did work for RHEL 6. I submitted some patches at
> https://github.com/openssh/openssh-portable/pull/117
>
> These do not necessarily match the sshd_config and ssh_config from
> RHEL, but it seems to work.

I updated the submitted patch a bit further, to clean up the pam-devel
dependencies and get it to compile on Fedora 29. The use of "RHL" as a
name for an operating system is somewhat inconsistent: it seems to
refer to RHEL in some places, and "Red Hat Linux" in other places in
the changelog.

However, the contrib/redhat/openssh.spec file also does not include
any direct support for systemd. As much as I dislike many aspects of
systemd, it is the de facto standard for daemons on RHEL and thus
CentOS as well. This could make trying to weave in startup daemons for
network daemons or SSH tunnels quite awkward. I can't take on weaving
in systemd support right now, but would be happy to test it if anyone
else cares to try.