#---------------------------------------------------------------------------- # build_ssh.txt - how to build the ssh binaries and create folder and packages # # Creation : 2012-09-15 holbru # Last update: $Id$ # # !!! this is not a script but an step-by-step howto !!! #---------------------------------------------------------------------------- exit 1 ### download the source code from the internet, e.g. # http:// ssh # http://mirror.switch.ch/ftp/pub/OpenBSD/OpenSSH/portable/ # openssh-6.1p1.tar.bz2 ### extract file in a temporary location tar -xf openssh-6.1p1.tar.bz2 # 2013-03-10 -> openssh-6.1p1 LibC-2.8 cd ssh-6.1p1 ### build export CFLAGS='-O2 -march=i486' export CXXFLAGS="${CFLAGS}" mkdir build-6.1-usr # 2013-03-10 build-6.1-2.8 ../openssh-6.1p1/configure \ --prefix=/usr \ --with-ssl-dir=/usr/lib \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-pam \ --with-tcp-wrappers \ --with-privsep-path=/var/lib/empty \ --build=i486-pc-linux-gnu \ --host=i486-pc-linux-gnu OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -O2 -march=i486 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset 
-fstack-protector-all -std=gnu99 Preprocessor flags: -I/usr/lib Linker flags: -L/usr/lib -fstack-protector-all Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory # # # 2013-04-16 OpenSSH-6.2p1 mkdir build-6.2 cd build-6.2 ../openssh-6.2p1/configure \ --prefix=/usr \ --with-ssl-dir=/usr/lib \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-pam \ --with-tcp-wrappers \ --with-privsep-path=/var/lib/empty \ --build=i486-pc-linux-gnu \ --host=i486-pc-linux-gnu OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -O2 -march=i486 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all -std=gnu99 Preprocessor flags: -I/usr/lib Linker flags: -L/usr/lib -fstack-protector-all Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ subdirectory # # # 2013-08-18 OpenSSH-6.2p2 mkdir build-6.2 cd build-6.2 ../openssh-6.2p2/configure \ --prefix=/usr \ --with-ssl-dir=/usr/lib \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-pam \ --with-tcp-wrappers \ --with-privsep-path=/var/lib/empty \ --build=i486-pc-linux-gnu \ --host=i486-pc-linux-gnu OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/catX PID file: /var/run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: cat PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -O2 -march=i486 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all Preprocessor flags: -I/usr/lib Linker flags: -L/usr/lib -fstack-protector-all Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ subdirectory # # # 2013-11-04 OpenSSH-6.3p1 mkdir build-6.3 cd build-6.3 ../openssh-6.3p1/configure \ --prefix=/usr \ --with-ssl-dir=/usr/lib \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-pam \ --with-tcp-wrappers \ --with-privsep-path=/var/lib/empty \ --build=i486-pc-linux-gnu \ --host=i486-pc-linux-gnu OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -O2 -march=i486 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all Preprocessor flags: -I/usr/lib Linker flags: -L/usr/lib -fstack-protector-all Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ subdirectory # # # 2013-12-20 OpenSSH-6.4p1 mkdir build-6.4 cd build-6.4 ../openssh-6.4p1/configure \ --prefix=/usr \ --with-ssl-dir=/usr/lib \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-pam \ --with-tcp-wrappers \ --with-privsep-path=/var/lib/empty \ --build=i486-pc-linux-gnu \ --host=i486-pc-linux-gnu OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all Preprocessor flags: -I/usr/lib Linker flags: -L/usr/lib -fstack-protector-all Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ subdirectory ------------------------------------------------------------------------------------ # 2014-03-22 -> OpenSSH-6.5p1 # build with rpm Suse Factory # openssh-6.5p1-3.1.src.rpm OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/lib/ssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /run Privilege separation chroot path: /var/lib/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: i486-pc-linux-gnu Compiler: i486-pc-linux-gnu-gcc Compiler flags: -O2 -g -march=i486 -fpie -fstack-protector \ -Wall -Wpointer-arith -Wuninitialized \ -Wsign-compare -Wformat-security \ -Wno-pointer-sign -Wno-unused-result \ -fno-strict-aliasing -D_FORTIFY_SOURCE=2 \ -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE Preprocessor flags: Linker flags: -pie -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \ -Wl,-z,noexecstack -fstack-protector-all -pie Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt +for sshd: -lwrap -laudit -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ subdirectory # hbfl # 2018-02-10 -> openssh-7.6p1 # build with rpm Suse # openssh-7.6p1-165.1.src.rpm # hbfl # 2018-05-20 -> openssh-7.6p1 # build with rpm Suse # openssh-7.6p1-6.1.src.rpm # build with OpenSSL-1.1 # hbfl # 2018-11-08 -> openssh-7.9p1 # build with rpm Suse # openssh-7.9p1-198.1.src.rpm # hbfl # 2019-10-28 -> openssh-8.1p1 # build with rpm Suse # openssh-8.1p1-1.1.src.rpm # hbfl # 2019-11-24 -> openssh-8.1p1 # build with rpm Suse # openssh-8.1p1-2.1.src.rpm # hbfl # 2020-03-07 -> openssh-8.1p1 # rebuild with rpm Suse # openssh-8.1p1-4.1.src.rpm # hbfl # 2020-06-14 -> openssh-8.1p1 # rebuild with rpm Suse -> gcc9 -> glibc-2.31 # openssh-8.1p1-4.2.src.rpm # hbfl # 2020-09-06 -> openssh-8.1p1 # rebuild with rpm Suse -> OpenSSL-1.1.1g # openssh-8.1p1-4.3.src.rpm # hbfl # 2021-01-05 -> openssh-8.3p1 # build with rpm Suse -> OpenSSL-1.1.1h # openssh-8.3p1-5.1.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # !!!! ldap eintrag tauschen # hbfl # 2021-02-05 -> openssh-8.4p1 # build with rpm Suse -> OpenSSL-1.1.1h # openssh-8.4p1-3.1.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # !!!! ldap eintrag tauschen # hbfl # 2021-06-08 -> openssh-8.4p1 # build with rpm Suse -> OpenSSL-1.1.1k -> gcc-10 -> glibc-2.33 # openssh-8.4p1-4.4.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # !!!! ldap eintrag tauschen # hbfl # 2022-01-12 -> openssh-8.8p1 # build with rpm Suse -> OpenSSL-1.1.1m # openssh-8.8p1-1.4.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) # $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) # !!!! 
ldap eintrag tauschen # hbfl # 2022-04-02 -> openssh-8.9p1 # build with rpm Suse -> OpenSSL-1.1.1n # openssh-8.9p1-1.1.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) # $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) # !!!! ldap eintrag tauschen # added patch for 32bit from # https://bugzilla.mindrot.org/attachment.cgi?id=3574&action=diff # see also: https://bugzilla.suse.com/show_bug.cgi?id=1197974 # hbfl # 2023-05-12 -> openssh-8.9p1 # rebuild with rpm Suse -> OpenSSL-3.0.8 # openssh-8.9p1-9.1.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) # $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) # !!!! ldap eintrag tauschen # added patch for 32bit from # https://bugzilla.mindrot.org/attachment.cgi?id=3574&action=diff # see also: https://bugzilla.suse.com/show_bug.cgi?id=1197974 # hbfl # 2023-06-21 -> openssh-9.3p1 # rebuild with rpm Suse -> OpenSSL-3.1.1 # openssh-9.3p1-1.2.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) # $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS # !!!! ldap eintrag tauschen # !!!! fix-missing-lz.patch # ldap eintrag tauschen # hbfl # 2024-07-05 -> openssh-9.3p1 # rebuild with rpm Suse # openssh-9.3p1-2.1.src.rpm # !!!! ldap Patch31: kommentieren # !!!! openssh-link-with-sk.patch <- bearbeiten wegen ldap # ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) # $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS # !!!! ldap eintrag tauschen # !!!! 
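fix-missing-lz.patch
# swap the ldap entry
# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
# Patch109: fix-CVE-2024-6387.patch
# hbfl
# 2024-07-15 -> openssh-9.6p1
# rebuild with rpm Suse
# openssh-9.6p1-11.1.src.rpm
# without extra actions for ldap
# ldap only in helpers
# NOTE(review): upstream releases before 9.8p1 are affected by CVE-2024-6387,
# so 9.6p1 needs the backported fix as well. This entry does not record
# whether openssh-9.6p1-11.1.src.rpm carries it (the entry above lists
# Patch109: fix-CVE-2024-6387.patch) - confirm before deploying this build.
# hbfl
# 2024-11-06 -> openssh-9.9p1
# rebuild with rpm Suse
# openssh-9.9p1-4.1.src.rpm
# without extra actions for ldap
# ldap only in helpers
# hbfl
# 2025-02-20 -> openssh-9.9p2
# rebuild with rpm Suse
# openssh-9.9p2-1.1.src.rpm
# without extra actions for ldap
# ldap only in helpers
# hbfl
# 2025-04-29 -> openssh-10.0p2
# rebuild with rpm Suse
# openssh-10.0p2-1.1.src.rpm -> gcc-14 -> glibc-2.41

# Regenerate the .hmac files after stripping: strip changes the bytes of the
# binaries, so a digest computed before stripping no longer matches.
#
# The paths are relative, so run this from the root of the package tree.
#
# The HMAC key is a fixed string written right here, not a secret. The .hmac
# files are therefore a keyed checksum that lets a self-check notice a binary
# that no longer matches what was packaged; they do not protect against
# someone who can replace both a binary and its .hmac file.
# NOTE(review): going by the key name this is presumably read by the distro's
# FIPS integrity check - confirm.
{
  for b in \
    usr/bin/ssh \
    usr/sbin/sshd \
    usr/libexec/ssh/sftp-server \
  ; do
    rm -f -- "$b.hmac"
    # Do not leave an empty or partial .hmac behind if openssl fails: a wrong
    # digest file is worse than a missing one.
    if ! openssl dgst -sha256 -binary -hmac "HMAC_KEY:OpenSSH-FIPS@SLE" < "$b" > "$b.hmac"; then
      echo "hmac generation failed for $b" >&2
      rm -f -- "$b.hmac"
      continue
    fi
    chmod 444 "$b.hmac"
  done
}

-------------------------------------------------------------------------------------------

# Build, run the regression tests, then install into the staging directory.
# Only continue to the install step if 'make check' passed.
make
make check
make DESTDIR=/public/utils/ssh/6.4-1 install

# strip files/binaries
# NOTE(review): the install step above uses DESTDIR=/public/utils/ssh/6.4-1
# but this path names .../6.2 - point it at the tree that was just installed.
# The file list is passed NUL-delimited so that a path containing whitespace
# is never split into several arguments.
find /public/utils/ssh/6.2/usr/{bin/*,sbin/*,lib/ssh/*} -type f -print0 |
  while IFS= read -r -d '' filename
  do
    printf '%s\n' "$filename"
    strip -R .note -R .comment "$filename"
  done

# copy files
cp *** /lib/ssh/bin_**_ssh_6_1p1/***

#----------------------------------------------------------------------------
create folder

Um die Folder im Hauptverzeichnis zu erstellen gibt es das Script
'ssh-folder.sh' unter ssh/_ADMIN/

mit
  ssh-folder.sh -v 6.1p1 -w create
wird die folder Struktur fuer die lib Version 6.1p1 erstellt
nun koennen die files aus dem compilat eingefuegt werden.

mit
  ssh-folder.sh -v 6.1p1 -w add
wird ein svn add auf die erzeugten Folder durchgefuehrt.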
mit
  ssh-folder.sh -v 6.1p1 -w list
wird fuer jeden Folder die files-list.txt erzeugt, add muss zwingend
vorher ausgefuehrt worden sein

mit
  ssh-folder.sh -v 6.1p1 -w ci
erfolgt der commit der erzeugten Folder

In den eis und eis_dev Foldern muessen keine Anpassungen vorgenommen werden.
Diese Anpassungen erfolgen beim packen der packages durch mktarball.sh mit
den _do_ Scripten unter _ADMIN automatisch.

In den Pack-Scripten unter _ADMIN muss dann noch die Pfadangabe geaendert
werden, auf den soeben erzeugten Pfad und ein commit ausgefuehrt werden.

Nach dem checkout auf eisler koennen nun die packages erzeugt werden.
die wichtigsten Parameter fuer mktarball.sh sind dann
  -setdate now
  -setversion ${version}

  mktarball.sh -home -setdate now -setversion [version angeben] ssh ssh-dev

durch die Angabe von -home werden die packages in die Folder Struktur
/home/user/public_html/packages/ kopiert und koennen von da direkt auf
Pack-Eis geladen werden.

wichtig ist noch, dass unbedingt die 'lib' Version zuerst gebaut werden muss,
da fuer die 'dev' Version Informationen aus der 'lib' Info Datei gelesen
werden.