How to install Openssh 5 on CentOS 5.5 from RPM ?

djdule
Posts: 2
Joined: 2010/07/07 12:34:08

How to install Openssh 5 on CentOS 5.5 from RPM ?

Post by djdule » 2010/07/07 12:37:13

Hi all,

I would like to replace the default OpenSSH version 4.3 with the latest one (5.x). The new version does support SFTP chroot, which is something I need.

Of course, it can be compiled from source, but that is the worst possible option for maintenance, since I do have a few servers. Does someone provide RPMs, or at least source RPMs? If yes, what is the repository/URL?

Thanks in advance.

Dusan

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to install Openssh 5 on CentOS 5.5 from RPM ?

Post by TrevorH » 2010/07/07 15:03:23

First: are you sure the functionality you are looking for hasn't already been backported to the RHEL 4.3 release?

I did build RPMs of openssh 5.3 and 5.4 at one point but I didn't see the benefits I was hoping to gain from them (there are meant to be scp performance improvements in the 5.x series). I used the freely available source tarball, unpacked it and renamed the top level dir to openssh5 then re-tarred it. I hacked the various files around so that it built and installed in parallel alongside the RHEL 4.3 version in /opt/ssh5 and you could run both versions at the same time.

No idea if patch files can be posted here and then cut and pasted successfully but...

[code]
diff -ur openssh5-5.4p1/contrib/redhat/openssh.spec openssh-5.4p1/contrib/redhat/openssh.spec
--- openssh5-5.4p1/contrib/redhat/openssh.spec 2010-03-07 22:41:04.000000000 +0000
+++ openssh-5.4p1/contrib/redhat/openssh.spec 2010-03-10 00:48:59.000000000 +0000
@@ -29,6 +29,11 @@
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

-%define _mandir /opt/ssh5/doc
-%define _sbindir /opt/ssh5/sbin
-%define _bindir /opt/ssh5/bin
-%define skip_x11_askpass 1
-
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
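Review bot: the header `@@ -29,6 +29,11 @@` says the new file is five lines longer, but the body of this hunk has five `-` lines and no `+` lines, so the counts and the markers disagree and the hunk will not apply as posted. The file headers show the same inversion: the `openssh5-5.4p1` tree is on the `---` side although the `/opt/ssh5` defines are the customisation being shared. Regenerate the patch as `diff -ur <pristine tree> <modified tree>` and attach it as a file rather than pasting it, so that markers and indentation survive.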
@@ -65,7 +70,7 @@
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
+Name: openssh
-Name: openssh5
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
@@ -94,7 +99,7 @@
BuildPreReq: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
+BuildPreReq: /usr/include/X11/Xlib.h
-BuildPreReq: XFree86-devel
%endif
%if ! %{no_gnome_askpass}
BuildPreReq: pkgconfig
@@ -106,7 +111,7 @@

%package clients
Summary: OpenSSH clients.
+Requires: openssh = %{version}-%{release}
-Requires: openssh5 = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

@@ -114,7 +119,7 @@
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
+PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
-PreReq: openssh5 = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif
@@ -122,13 +127,13 @@
%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
-Requires: openssh5 = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
-Requires: openssh5 = %{version}-%{release}
Obsoletes: ssh-extras

%description
@@ -184,19 +189,19 @@
%endif

%if %{kerberos5}
+K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
-K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | tail -1 | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif

%configure \
+ --sysconfdir=%{_sysconfdir}/ssh \
+ --libexecdir=%{_libexecdir}/openssh \
- --sysconfdir=%{_sysconfdir}/ssh5 \
- --libexecdir=%{_libexecdir}/openssh5 \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
--with-rsh=%{_bindir}/rsh \
+ --with-default-path=/usr/local/bin:/bin:/usr/bin \
+ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+ --with-privsep-path=%{_var}/empty/sshd \
- --with-default-path=/opt/ssh5/bin:/usr/local/bin:/bin:/usr/bin \
- --with-superuser-path=/opt/ssh5/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
- --with-privsep-path=%{_var}/empty/ssh5d \
--with-md5-passwords \
%if %{scard}
--with-smartcard \
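Review bot: in the `--with-default-path` and `--with-superuser-path` lines of the `/opt/ssh5` variant, `/opt/ssh5/bin` and `/opt/ssh5/sbin` are placed ahead of the system directories for every session this daemon starts, root's included. Either move them to the end of the path or make sure the package owns those directories as root with mode 0755; none of the `%files` hunks visible in this patch lists `/opt/ssh5` itself.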
@@ -219,7 +224,7 @@

%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
+%configure --libexecdir=%{_libexecdir}/openssh
-%configure --libexecdir=%{_libexecdir}/openssh5
xmkmf -a
make
popd
@@ -247,29 +252,29 @@

%install
rm -rf $RPM_BUILD_ROOT
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
-mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh5
-mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh5
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/ssh5d

make install DESTDIR=$RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh5
%if %{build6x}
+install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/ssh5d
%else
+install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/ssh5d
%endif
+install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ssh5d

%if ! %{no_x11_askpass}
+install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
+ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
-install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh5/x11-ssh-askpass
-ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh5/ssh-askpass
%endif

%if ! %{no_gnome_askpass}
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
-install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh5/gnome-ssh-askpass
%endif

%if ! %{scard}
@@ -288,49 +293,50 @@
rm -rf $RPM_BUILD_ROOT

%triggerun server -- ssh-server
+if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
+ touch /var/run/sshd.restart
-if [ "$1" != 0 -a -r /var/run/ssh5d.pid ] ; then
- touch /var/run/ssh5d.restart
fi

%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
+ END {exit sawhostkey}' /etc/ssh/sshd_config
- END {exit sawhostkey}' /etc/ssh5/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
+ echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+ echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
- echo HostKey /etc/ssh5/ssh_host_rsa_key >> /etc/ssh5/sshd_config
- echo HostKey /etc/ssh5/ssh_host_dsa_key >> /etc/ssh5/sshd_config
fi

%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
+ /sbin/chkconfig --add sshd
+ if test -f /var/run/sshd.restart ; then
+ rm -f /var/run/sshd.restart
+ /sbin/service sshd start > /dev/null 2>&1 || :
- /sbin/chkconfig --add ssh5d
- if test -f /var/run/ssh5d.restart ; then
- rm -f /var/run/ssh5d.restart
- /sbin/service ssh5d start > /dev/null 2>&1 || :
fi
fi

%pre server
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-%{_sbindir}/useradd -d /var/empty/ssh5d -s /bin/false -u %{sshd_uid} \
-g sshd -M -r sshd 2>/dev/null || :

%post server
+/sbin/chkconfig --add sshd
-/sbin/chkconfig --add ssh5d
-

%postun server
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
-/sbin/service ssh5d condrestart > /dev/null 2>&1 || :

%preun server
if [ "$1" = 0 ]
then
+ /sbin/service sshd stop > /dev/null 2>&1 || :
+ /sbin/chkconfig --del sshd
- /sbin/service ssh5d stop > /dev/null 2>&1 || :
- /sbin/chkconfig --del ssh5d
fi

%files
@@ -338,14 +344,14 @@
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%attr(0755,root,root) %dir %{_sysconfdir}/ssh5
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh5/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
+%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
-%attr(0755,root,root) %dir %{_libexecdir}/openssh5
-%attr(4711,root,root) %{_libexecdir}/openssh5/ssh-keysign
-%attr(0755,root,root) %{_libexecdir}/openssh5/ssh-pkcs11-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
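Review bot: `%attr(4711,root,root) %{_libexecdir}/openssh5/ssh-keysign` installs a second setuid-root helper beside the distribution's copy, and as part of a separately named package it will not be replaced by updates to the stock `openssh` packages. If host-based authentication is not needed from the parallel client, package it as 0755 or leave it out of `%files`.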
@@ -359,7 +365,7 @@
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh5/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
@@ -376,17 +382,17 @@
%if ! %{rescue}
%files server
%defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/empty/sshd
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
-%dir %attr(0111,root,root) %{_var}/empty/ssh5d
-%attr(0755,root,root) %{_sbindir}/ssh5d
-%attr(0755,root,root) %{_libexecdir}/openssh5/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
-%attr(0755,root,root) %dir %{_sysconfdir}/ssh5
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh5/sshd_config
-%attr(0600,root,root) %config(noreplace) /etc/pam.d/ssh5d
-%attr(0755,root,root) %config /etc/rc.d/init.d/ssh5d
%endif

%if ! %{no_x11_askpass}
@@ -395,15 +401,15 @@
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
+%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
-%attr(0755,root,root) %{_libexecdir}/openssh5/ssh-askpass
-%attr(0755,root,root) %{_libexecdir}/openssh5/x11-ssh-askpass
%endif

%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
+%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
-%attr(0755,root,root) %{_libexecdir}/openssh5/gnome-ssh-askpass
%endif

%changelog
diff -ur openssh5-5.4p1/contrib/redhat/sshd.init openssh-5.4p1/contrib/redhat/sshd.init
--- openssh5-5.4p1/contrib/redhat/sshd.init 2006-04-22 11:26:08.000000000 +0000
+++ openssh-5.4p1/contrib/redhat/sshd.init 2010-03-09 17:17:24.000000000 +0000
@@ -16,18 +16,18 @@
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
-[ -f /etc/sysconfig/ssh5d ] && . /etc/sysconfig/ssh5d

RETVAL=0
+prog="sshd"
-prog="ssh5d"

# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
-KEYGEN=/opt/ssh5/bin/ssh-keygen
-SSHD=/opt/ssh5/sbin/ssh5d
-RSA1_KEY=/etc/ssh5/ssh_host_key
-RSA_KEY=/etc/ssh5/ssh_host_rsa_key
-DSA_KEY=/etc/ssh5/ssh_host_dsa_key
-PID_FILE=/var/run/ssh5d.pid

do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
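Review bot: `PID_FILE=/var/run/ssh5d.pid` in the `ssh5d` variant has no counterpart in the `sshd_config` part of this patch, where no hunk sets `PidFile`. Unless the built-in pid path is changed somewhere outside these four files, the second daemon and the stock one will write the same pid file, and a `stop` of one service can then act on the other's pid. Add `PidFile /var/run/ssh5d.pid` to the configuration under `/etc/ssh5`.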
@@ -104,9 +104,9 @@
do_dsa_keygen

echo -n $"Starting $prog:"
+ initlog -c "$SSHD $OPTIONS" && success || failure
- $SSHD $OPTIONS && success || failure
RETVAL=$?
+ [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
- [ "$RETVAL" = 0 ] && touch /var/lock/subsys/ssh5d
echo
}

@@ -115,7 +115,7 @@
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
+ [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
- [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/ssh5d
echo
}

@@ -142,7 +142,7 @@
reload
;;
condrestart)
+ if [ -f /var/lock/subsys/sshd ] ; then
- if [ -f /var/lock/subsys/ssh5d ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
stop
diff -ur openssh5-5.4p1/Makefile.in openssh-5.4p1/Makefile.in
--- openssh5.4p1/Makefile.in 2010-02-24 07:18:51.000000000 +0000
+++ openssh-5.4p1/Makefile.in 2010-03-09 17:07:44.000000000 +0000
@@ -62,7 +62,7 @@
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@

+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-TARGETS=ssh$(EXEEXT) ssh5d$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)

LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
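Review bot: the `---` line for this file reads `openssh5.4p1/Makefile.in`, while the `diff -ur` line above it and every other file header in the patch use `openssh5-5.4p1/`. The two names should match; regenerate the diff so the headers are consistent instead of correcting this one by hand.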
@@ -141,7 +141,7 @@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

+sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-ssh5d$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)

scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
@@ -243,7 +243,7 @@
install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files

check-config:
+ -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
- -$(DESTDIR)$(sbindir)/ssh5d -t -f $(DESTDIR)$(sysconfdir)/sshd_config

install-files:
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
@@ -261,7 +261,7 @@
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
+ $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh5d $(DESTDIR)$(sbindir)/ssh5d
if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
fi
@@ -368,7 +368,7 @@
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- -rm -f $(DESTDIR)$(sbindir)/ssh5d$(EXEEXT)
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -394,7 +394,7 @@
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="@TEST_SHELL@"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
+ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
- TEST_SSH_SSHD="$${BUILDDIR}/ssh5d"; \
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
diff -ur openssh5-5.4p1/sshd_config openssh-5.4p1/sshd_config
--- openssh5-5.4p1/sshd_config 2009-10-11 10:51:09.000000000 +0000
+++ openssh-5.4p1/sshd_config 2010-03-09 17:10:50.000000000 +0000
@@ -10,13 +10,13 @@
# possible, but leave them commented. Uncommented options change a
# default value.

+#Port 22
-Port 522
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
+#Protocol 2
-Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
@@ -30,13 +30,13 @@

# Logging
# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
+#PermitRootLogin yes
-PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
@@ -56,11 +56,11 @@
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
-PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
-ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
@@ -69,8 +69,8 @@
#KerberosGetAFSToken no

# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
-GSSAPIAuthentication no
-GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -81,16 +81,21 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
-UsePAM yes
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
+#X11Forwarding no
-X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
+#PrintLastLog yes
-PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
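Review bot: `X11Forwarding yes` and the three `AcceptEnv` lines in the `ssh5` variant widen what the second daemon accepts from clients, which the stated purpose of the build (trying the 5.x scp improvements) does not need. Leave `X11Forwarding` at the commented default of `no` shown on the other side of this hunk, and drop the `AcceptEnv` lines unless an interactive login use case calls for them.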
@@ -108,7 +113,7 @@
#Banner none

# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
-Subsystem sftp /usr/libexec/openssh5/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
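Review bot: `Subsystem sftp /usr/libexec/openssh5/sftp-server` hardcodes a path that the spec builds from `%{_libexecdir}/openssh5`, so the two drift apart if the macro expands to anything other than `/usr/libexec`. For the chrooted SFTP case raised in this thread, `Subsystem sftp internal-sftp` removes the dependency on an external helper path altogether.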
[/code]

pjwelsh
Posts: 2632
Joined: 2007/01/07 02:18:02
Location: Central IL USA

How to install Openssh 5 on CentOS 5.5 from RPM ?

Post by pjwelsh » 2010/07/08 13:39:17

At least openssh-4.3p2-41.el5 supports sftp chroot. I have it in production. From the config file:
[code]
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
[/code]
The only bad news is that the "Match" does not work with this 4.3 version.
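
A pre-flight check for the directory named by `ChrootDirectory %h`, as an added example that is not part of any post in this thread: upstream sshd_config(5) requires every component of the chroot path to be a root-owned directory that is not writable by group or others. The script assumes GNU `stat`; the `OWNER_UID` and `STOP_AT` arguments are hypothetical conveniences of this example, and that the RHEL 4.3 backport enforces the rule the same way is an assumption.

```sh
#!/bin/sh
# Added example: walk a ChrootDirectory path and apply the upstream rule
# (each component: a directory, owned by root, no group/other write bit).

# check_dir DIR [OWNER_UID]
# OWNER_UID defaults to 0; the override exists only so the check can be
# exercised by a non-root user (assumption of this example).
check_dir() {
    cd_dir=$1
    cd_want=${2:-0}
    if [ ! -d "$cd_dir" ]; then
        echo "FAIL $cd_dir: not a directory"
        return 1
    fi
    cd_uid=$(stat -c %u "$cd_dir")     # numeric owner (GNU stat)
    cd_mode=$(stat -c %a "$cd_dir")    # octal permission bits
    if [ "$cd_uid" != "$cd_want" ]; then
        echo "FAIL $cd_dir: owned by uid $cd_uid, expected $cd_want"
        return 1
    fi
    # 022 = group-write | other-write
    if [ $(( 0$cd_mode & 022 )) -ne 0 ]; then
        echo "FAIL $cd_dir: mode $cd_mode is group- or world-writable"
        return 1
    fi
    echo "ok   $cd_dir (uid $cd_uid, mode $cd_mode)"
}

# check_chroot_path PATH [OWNER_UID] [STOP_AT]
# Checks PATH and each parent up to STOP_AT (default /). STOP_AT is a
# hypothetical parameter for testing inside a scratch directory.
check_chroot_path() {
    cp_path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: cannot enter directory"
        return 1
    }
    cp_uid=${2:-0}
    cp_stop=${3:-/}
    cp_rc=0
    while :; do
        check_dir "$cp_path" "$cp_uid" || cp_rc=1
        if [ "$cp_path" = "$cp_stop" ] || [ "$cp_path" = "/" ]; then
            break
        fi
        cp_path=$(dirname "$cp_path")
    done
    return $cp_rc
}

# Stand-alone use: ./check_chroot.sh /home/sftpuser
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against each home directory before enabling the chroot; any `FAIL` line names the component to fix with `chown root` or `chmod go-w`.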

djdule
Posts: 2
Joined: 2010/07/07 12:34:08

Re: How to install Openssh 5 on CentOS 5.5 from RPM ?

Post by djdule » 2010/07/09 08:50:24

[quote]
pjwelsh wrote:
At least openssh-4.3p2-41.el5 supports sftp chroot. I have it in production. From the config file:
[code]
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
[/code]
The only bad news is that the "Match" does not work with this 4.3 version.[/quote]

Yes, it works, thanks for the info.
Btw, for having a user chroot-ed, basic infrastructure must exist in its home dir (/dev/.... etc). How do you usually create it? Using some script maybe?
