andersblockmar.
twitter.com/blockmar:
Recently I was faced with the task of upgrading OpenSSH on an old Fedora 9 Linux system. This is the tale of how it is done.
I will not address the issue of why we do not just upgrade our Fedora 9 (the current version is 16 or 17) that is a totally different story…
The problem with installing the latest version of ssh on an old system is that no prebuilt rpms exists. And since I was preforming the upgrade remotely (using ssh) I wasn’t too happy about having to build the server from source. Luckily some Googeling provided a golden mean.
This blog-post explained how to build custom rpm’s using redhat’s contributed presets:
http://wiki.xdroop.com/space/Linux/Building+OpenSSH-Portable+for+CentOS
First the basics. Install development packages needed to compile OpenSSH.
# yum install gcc # yum install openssl-devel # yum install pam-devel # yum install rpm-build
To install OpenSSH 5.9 you also need tcp_wrappers_devel
# yum install tcp_wrappers-devel
Then download the latest tar-ball from here. Extract it somewhere, eg. /usr/local/src. Then copy the files into the redhat rpm build tree:
# tar zxvf openssh-5.9p1.tar.gz # cp openssh-5.9p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ # cp openssh-5.9p1.tar.gz /usr/src/redhat/SOURCES/ # cd /usr/src/redhat/SPECS
The blog-post then suggested running a perl hack to remove som unwanted configuration options. This hack wan’t compatible with the newer version of the openssh.spec file. Instead just edit the file by hand using your editor of choice. I used vi.
The following changes are needed:
- Change “no_x11_askpass” from 0 to 1
- Change “no_gnome_askpass” from 0 to 1
- Remove WARNING* from the line begining with %doc
I added the last change to solve a problem when building the docs, no files named WARNING* exists resulting in a failed build.
Now build the rpms.
# rpmbuild -bb openssh.spec
Before you install the rpms there is one last very important step. The new rpms will replace the /etc/pam.d/sshd file with an updated incorrect version. Make a backup copy of this file before you install. If you do not replace the file after the install logging in to the server will NOT work!
# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
Then install your new rpm from the /usr/src/redhat/RPMS/<architecture>/ folder
# rpm -Uvh openssh*rpm Preparing… ############################ [100%] 1:openssh ############################ [ 33%] 2:openssh-clients ####################### [ 67%] 3:openssh-server ####################### [100%]
And then re-replace your pam-config
# cp /etc/pam.d/sshd.bak /etc/pam.d/sshd
The last step is to restart sshd and test logging in to your server.
# /etc/init.d/sshd restart
Now try logging in to your server using ssh. If it does not work you need to reinstall the old ssh-rpms. Download them from the Fedora site and use the same command as above (Use —force to allow downgrading) then restart again and see that everything works.
If you missed the step of replacing the pam-configuration and login does not work. You will see an error message like this one in your logs (/var/log/security)
PAM unable to dlopen(/lib64/security/pam_stack.so): /lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
This is because the config wrongly is pointing to pam_stack.so that does not exist on Fedora 9. The correct pam-config should look like this:
#%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
At Creative Mornings in Sthlm. Listening to Snask - they really now how to present their brand.
Some inspiring notes from JD Hooge of weareinstrument.com speaking at the latest CreativeMornings/Portland.
Photo by Matty Jasperson
Härligt att vara tillbaka. Har saknat 50-talet. Svart kaffe med äppelkaka, mums! (Taken with Instagram at Café Valand)
sqrt(cos(x))*cos(300x)+sqrt(abs(x))-0.7) *(4-x*x)^0.01, sqrt(6-x^2), -sqrt(6-x^2) from -4.5 to 4.5
