Modifying 7.9p1 to use PAM

Nico Kadel-Garcia nkadel at gmail.com
Thu Feb 14 15:04:36 AEDT 2019


On Thu, Feb 7, 2019 at 11:16 PM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 8 Feb 2019, CLOSE Dave wrote:
>
> > I deal with a large number of internal machines that have not been
> > updated for a while and which I am not at liberty to update. They run
> > Fedora 20 which includes openssh 6.4p1. For various reasons, I'd like to
> > put a more recent version on these machines but, of course, no package
> > is available for that.
> >
> > Trying the portable version of openssh 7.9p1, I found that I can easily
> > make it work by building my own package with rpmbuild. But it appears
> > that the program is not actually built, just packaged, which leaves me
> > with only the default options selected. As this is Fedora, I need to
> > enable PAM. Has anyone done something similar? Can anyone offer some
> > clues on how to proceed?
>
> You could try building an RPM using the contrib/openssh.spec in the
> source distribution. It includes PAM support by default.

That .spec file is not well maintained. The Source URL for
x11-ssh-askpass, for example, is not valid, and it uses SysV init
rather than systemd.

Try using the .spec file from the latest Fedora SRPM, commenting out
patches that have already been applied. I used to do this for RHEL and
CentOS, and had to stop with the leading edge OpenSSH as OpenSSL
requirements for OpenSSH diverged from being compatible with the
relatively old version in RHEL releases. I've not had an opportunity
to try it with RHEL 8 beta.
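
The spec edit suggested in the reply above (commenting out patches that the newer source already contains), as an added example that is not part of the original post or of any Fedora package. The function names `disable_spec_patches` and `sample_spec`, the patch file names and the patch numbers are constructed for illustration; tag matching is case-sensitive here.

```shell
#!/bin/sh
# Added example: disable chosen patches in an RPM .spec file.
# Usage: disable_spec_patches SPEC NUM... ; the edited spec goes to stdout.
disable_spec_patches() {
    spec=$1; shift
    awk -v nums="$*" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        {
            num = ""
            if (match($0, /^Patch[0-9]+:/))              # declaration, e.g. "Patch100: x.patch"
                num = substr($0, 6, RLENGTH - 6)
            else if (match($0, /^%patch[0-9]+/))         # old style, e.g. "%patch100 -p1"
                num = substr($0, 7, RLENGTH - 6)
            else if (match($0, /^%patch +-P *[0-9]+/)) { # new style, e.g. "%patch -P 100 -p1"
                num = substr($0, 1, RLENGTH)
                sub(/^%patch +-P */, "", num)
            }
            if (num != "" && (num in drop)) {
                # rpm expands macros even inside comment lines, so every "%"
                # is doubled to keep the disabled line inert.
                gsub(/%/, "%%")
                print "#" $0
            } else
                print
        }' "$spec"
}

# Constructed sample spec fragment (not the real Fedora openssh.spec).
sample_spec() {
    cat <<'EOF'
Name: openssh
Version: 7.9p1
Source0: openssh-%{version}.tar.gz
Patch100: example-fix-merged-upstream.patch
Patch200: example-distro-pam-stack.patch
Patch902: %{name}-example-backport.patch
%prep
%setup -q
%patch100 -p1 -b .merged
%patch200 -p1 -b .pam
%patch -P 902 -p1
EOF
}

# Demo: disable patches 100 and 902, keep 200.
tmp=$(mktemp) && sample_spec > "$tmp" && disable_spec_patches "$tmp" 100 902
rm -f "$tmp"
```

After rebuilding, `ldd` on the resulting `sshd` binary should list `libpam` if the spec's configure step enabled PAM.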


More information about the openssh-unix-dev mailing list