RedHat Enterprise Linux, CentOS and Scientific Linux (RHEL/CentOS/SL) do not ship with a version of OpenSSH that is compatible with Moonshot.

To get Moonshot support for it, you must install a specific Moonshot-enabled version. These instructions tell you how to re-compile it by hand.

Contents

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

The instructions on this page will replace the system provided OpenSSH packages with the Moonshot enabled ones (don't worry, standard SSH things will still work!).

We currently have patching available for RHEL/CentOS/SL 6.4 - 6.8 and RHEL/CentOS/SL 7.2 - 7.3.

Following the instructions on this page will give you a Moonshot-enabled OpenSSH Server only.

Building OpenSSH

Install prerequisites

You will need various packages installed in order to build OpenSSH from scratch. Install them via yum:

$ yum install rpmdevtools gcc openssl-devel pam-devel rpm-build autoconf automake gtk2-devel libX11-devel \
audit-libs-devel tcp_wrappers-devel fipscheck-devel openldap-devel libedit-devel ncurses-devel nss-devel make man xauth

$ yum install audit-libs-devel gtk2-devel libX11-devel gnome-libs-devel openldap-devel autoconf automake perl \
zlib-audit devel-libs-devel util-linux groff pam-devel tcp_wrappers-devel fipscheck-devel openssl-devel \
perl-podlators krb5-devel libedit-devel ncurses-devel libselinux-devel audit-libs xauth zlib-devel

Get the sources and patches

1. If you do not have any rpmbuild directories already, create them now.

   $ mkdir -p ~/rpmbuild/SOURCES ~/rpmbuild/SPECS ~/rpmbuild/RPMS

2. Download the OpenSSH sources for your particular minor version of RHEL/CentOS/SL into the SOURCES directory. The sources are available at the following locations:

   CentOS 6.8: http://vault.centos.org/6.8/updates/Source/SPackages/openssh-5.3p1-118.1.el6_8.src.rpm CentOS 6.7: http://vault.centos.org/6.7/updates/Source/SPackages/openssh-5.3p1-114.el6_7.src.rpm CentOS 6.6: http://vault.centos.org/6.6/updates/Source/SPackages/openssh-5.3p1-104.el6_6.1.src.rpm CentOS 6.5: http://vault.centos.org/6.5/os/Source/SPackages/openssh-5.3p1-94.el6.src.rpm CentOS 6.4: http://vault.centos.org/6.4/os/Source/SPackages/openssh-5.3p1-84.1.el6.src.rpm

   CentOS 7.3: http://vault.centos.org/7.3.1611/updates/Source/SPackages/openssh-6.6.1p1-33.el7_3.src.rpm CentOS 7.2: http://vault.centos.org/7.2.1511/updates/Source/SPackages/openssh-6.6.1p1-25.el7_2.src.rpm

3. Navigate to the SOURCES directory and extract the source from the RPM.

   $ cd ~/rpmbuild/SOURCES && rpm -ivh openssh-5.3p1-*.src.rpm

   $ cd ~/rpmbuild/SOURCES && rpm -ivh openssh-6.*.src.rpm

4. Download the Moonshot patches into the SOURCES directory:

   $ curl -o openssh-gssapi-generic.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-gssapi-generic.patch?api=v2 && \ curl -o openssh-nulluser.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-nulluser.patch?api=v2 $ curl -o openssh-gssapi-generic.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-gssapi-generic.patch?api=v2 && \ curl -o openssh-nulluser.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-nulluser-118.patch?api=v2

   $ curl -o openssh-gssapi-generic-6x.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-gssapi-generic-6x.patch?api=v2 && \ curl -o openssh-nulluser-6x.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6x.patch?api=v2 $ curl -o openssh-gssapi-generic-6x.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-gssapi-generic-6x.patch?api=v2 && \ curl -o openssh-nulluser-6x.patch https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6.6.1p1-33.patch?api=v2

5. Navigate to the SPECS directory and download the Moonshot-enabled OpenSSH spec file for your particular version of RHEL/CentOS/SL. The sources are available at the following locations:

   CentOS 6.8: openssh-5.3p1-118.spec CentOS 6.7: openssh-5.3p1-114.spec CentOS 6.6: openssh-5.3p1-104.spec CentOS 6.5: openssh-5.3p1-94.spec CentOS 6.4: openssh-5.3p1-84.spec

   CentOS 7.3: openssh-6.6.1p1-33.spec CentOS 7.2: openssh-6.6.1p1-25.spec

6. Rename the file you downloaded to "openssh.spec", overwriting the existing copy:

   $ mv openssh-5.3p1-104.spec openssh.spec

Build OpenSSH

Now we're ready to build the Moonshot-enabled version of OpenSSH.

1. Make sure you're in the SPECS directory and execute an RPM build.

   $ rpmbuild -bb openssh.spec

   If the build was successful, in your ~/rpmbuild/RPMS/x86_64 directory you should find RPMs for the following: openssh openssh-askpass openssh-clients openssh-ldap openssh-server pam_ssh_agent_auth

Installation Instructions

Add the Moonshot libraries.

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on a Linux Server.

Ensure that your hostname is correct

The channel bindings check requires that the hostname of your SSH server match the hostname people are SSHing to. That is, the output of the "hostname" command should match the FQDN of the server. If it doesn't, change the relevant line in /etc/sysconfig/network to make it so.

Installation Instructions

1. Establish first which of the above OpenSSH packages are installed and note them down:

   $ yum list installed |grep openssh

2. Change to the ~/rpmbuild/RPMS/x86_64 directory that contains your packages and install the packages by using the yum downgrade command by listing the RPM for each of the packages listed in Step 1 above:

   $ yum downgrade openssh-6.6.1p1-33.el7.centos.x86_64.rpm openssh-clients-6.6.1p1-33.el7.centos.x86_64.rpm \ openssh-server-6.6.1p1-33.el7.centos.x86_64.rpm

3. Your packages should now be installed correctly.

Configuration Instructions

The configuration instructions for this version of the OpenSSH server are unchanged from those in the repository.