Debian backport of OpenSSH 6.2


Update

As noted in the comments:

Colin Watson Says:
May 17th, 2013 at 7:12 pm

I uploaded 6.2 packages to Debian a week or so after you posted this, so you can/should now just use those instead. I expect they should build fine on wheezy.

As a matter of fact, the following is now deprecated.

At ${DAYWORK}, we used to have our own OpenSSH Debian package which included the famous OpenSSH LPK patch, which permits the use of an OpenLDAP server as an SSH public key provider.

I’ve been using OpenSSH-LPK for years, as this is a really handy solution and no valid alternative existed… until a couple of months ago.

OpenSSH 6.2 has a new configuration item called “AuthorizedKeysCommand”. Its value names an executable that sshd calls to obtain a user’s public keys, so any program can act as a public key provider. Yes, that is sexy.

Debian only has OpenSSH 6.1p1 packages available, tagged as “experimental”, so we had to hack a little bit in order to build 6.2 packages. Here’s how:

  • Fetch experimental source package

    # echo "deb-src http://ftp2.fr.debian.org/debian/ experimental main contrib non-free" > /etc/apt/sources.list.d/experimental.list
    # apt-get update
    $ mkdir openssh && cd openssh
    $ apt-get source openssh
    
  • Bump the release

    $ wget http://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.2p1.tar.gz
    $ cd openssh-6.1p1
    $ uupdate -v 6.2p1 ../openssh-6.2p1.tar.gz
    $ cd ../openssh-6.2p1
    $ dch -i # enter changelog information
    
  • Get rid of conflicting patches

    As expected, many Debian patches don’t apply anymore, and I was not brave enough to port them to 6.2, so I just commented them out in debian/patches/series:

    #gssapi.patch
    #selinux-role.patch
    #copy-id-restorecon.patch
    #ssh-vulnkey.patch
    #consolekit.patch
    #user-group-modes.patch
    #max-startups-default.patch
    #package-versioning.patch
    #debian-banner.patch
    #lintian-symlink-pickiness.patch
    #openbsd-docs.patch
    #ssh-argv0.patch
    #doc-upstart.patch
    
  • Remove uninstalled files

    Since the patches that create them are now commented out, some files will no longer be present at install time. To keep the build from looking for them, remove the following lines from debian/openssh-client.install:

    usr/bin/ssh-vulnkey
    usr/share/man/man1/ssh-vulnkey.1
    

    And the following one from debian/openssh-client.docs:

    ChangeLog.gssapi
    

    Finally, since ssh-vulnkey is no longer built, we just comment out the call to the vulnerable_host_keys shell function in debian/openssh-server.postinst.in:

    fix_doc_symlink
    create_sshdconfig
    create_keys
    #vulnerable_host_keys
    fix_statoverride
    

That’s it! You can now happily build the brand new OpenSSH version using debuild as usual.

After installing it, you’ll have access to the AuthorizedKeysCommand option.

Thanks gaston, davromaniak and SliX from #GCU for the help.
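
To show what AuthorizedKeysCommand can replace the LPK patch with, here is an added example (not code from the original post or from OpenSSH): a helper that reads the LPK schema's sshPublicKey attribute via ldapsearch and prints only well-formed keys. The LDAP URI, base DN, install path, accepted key types and the bare-keys-only policy are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example. sshd_config side (OpenSSH 6.2+; install path is an assumption):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-keys
#   AuthorizedKeysCommandUser nobody
import base64, re, subprocess, sys

LDAP_URI = "ldaps://ldap.example.org"    # placeholder
BASE_DN = "ou=people,dc=example,dc=org"  # placeholder
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Bare "type base64 [comment]" only; accepted key types are this example's choice.
KEY_RE = re.compile(r"(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)|ssh-ed25519)"
                    r" [A-Za-z0-9+/]+=*( .*)?")

def keys_from_ldif(ldif):
    """Return well-formed sshPublicKey values from ldapsearch -LLL output."""
    keys = []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo LDIF folding
        name, sep, raw = line.partition(":")
        if not sep or name.lower() != "sshpublickey":
            continue
        try:
            if raw.startswith(":"):        # "attr:: value" is base64-encoded
                raw = base64.b64decode(raw[1:].strip()).decode("utf-8")
        except ValueError:
            continue
        # fullmatch rejects option prefixes and values with embedded newlines
        if KEY_RE.fullmatch(raw.strip()):
            keys.append(raw.strip())
    return keys

def lookup(user):
    """Query the directory for one user's keys; empty list on a bad name."""
    if not USER_RE.fullmatch(user):        # keep untrusted text out of the filter
        return []
    flt = "(&(objectClass=ldapPublicKey)(uid=%s))" % user
    out = subprocess.run(["ldapsearch", "-x", "-LLL", "-H", LDAP_URI,
                          "-b", BASE_DN, flt, "sshPublicKey"],
                         capture_output=True, text=True, timeout=10).stdout
    return keys_from_ldif(out)

SAMPLE_LDIF = (                            # constructed sample, not real keys
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2E\n AAAADAQAB alice@laptop\n"
    'sshPublicKey: command="/bin/true" ssh-rsa AAAAB3Nza bob\n'
    "sshPublicKey:: " + base64.b64encode(b"ssh-rsa AAAA a\nssh-rsa BBBB b").decode() + "\n")

if __name__ == "__main__" and len(sys.argv) == 2:  # sshd passes the username
    for key in lookup(sys.argv[1]):
        print(key)
```

sshd only runs the helper if it is owned by root and not writable by group or others. If ldapsearch fails or times out, the script exits with an error and no keys are offered.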

2 Responses to “Debian backport of OpenSSH 6.2”

  1. Colin Watson Says:

    I uploaded 6.2 packages to Debian a week or so after you posted this, so you can/should now just use those instead. I expect they should build fine on wheezy.

  2. iMil Says:

    Great! thanks for letting me know :)
