[ssh_x509] Integrating SSH with X.509 support into a CentOS 7 system

ssh_x509 at roumenpetrov.info
Wed May 31 15:42:07 EEST 2017


We are currently porting a product to CentOS 7 from an earlier version of Linux, and this product requires X.509 support with OpenSSH. The product is on an isolated network with minimal development tools available. Previously, we took a full source archive of OpenSSH 6.1, and applied the X.509 patch to it. We then rebuilt the archive and simply performed a "make install" on the target (only requiring the make package to be installed). This has worked well for our needs so far.

Fast forward to 2017, and I can now see that only pre-patched versions of OpenSSH are provided, in the form of pkixssh archives. In order to minimise disruptive changes, we would like to maintain the same base version of OpenSSH (6.6) as comes pre-installed with CentOS 7 - this means that we intend to use pkixssh-8.1, which is the latest version built against OpenSSH 6.1. But there the problems start; though I have successfully managed to build and install this archive, much of the expected functionality is missing, including the service startup/shutdown scripts in /lib/systemd/system, and the sshd configuration scripts. The binary executables have also moved from /usr/sbin to /usr/local/sbin, indicating that this is not a clean transition from OpenSSH 6.6. Also, after looking at a native OpenSSH 6.6 installation, I can see the following RPMs installed:


So does pkixssh-8.1 effectively replace all of these, or only one of them, and do any of these native packages still need to be installed?

The following service startup/shutdown scripts in /lib/systemd/system are present on a native installation:

./sshd@.service

And systemctl list-unit-files reports the following relevant information:

sshd-keygen.service                           static
sshd.service                                  enabled
sshd@.service                                 static
sshd.socket                                   disabled

So my question is: if I build pkixssh-8.1 and manually install using "make install", do I have to install these service scripts and enable the services manually? This is normally done as part of the OpenSSH RPM installation process, so it would be good to have some guidance on how to incorporate pkixssh-8.1 as a "drop-in" replacement for OpenSSH 6.6.

Another approach is to manually build a binary RPM from pkixssh-8.1, which would be a more elegant solution, but again, it is unclear if this would encompass installing and setting up the service control scripts, and which RPM(s) it would actually replace in the suite of OpenSSH RPMs defined above. All in all, it would be great if somebody could provide some guidance on this process, if they have done a similar thing before.




Robert Coward
Navigation, Telecoms & Ground Segment
Telespazio VEGA UK Ltd

350 Capability Green, Luton, Bedfordshire LU1 3LU - United Kingdom
Ph: +44 1582 399018
Robert.Coward at telespazio.com

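One check worth doing before enabling sshd.service after a "make install" into /usr/local: the vendor unit file's ExecStart may still point at /usr/sbin/sshd, so the service would silently start the unpatched OpenSSH binary rather than the pkixssh build. The script below is an added example, not part of the original post or of pkixssh; the unit-file text is a constructed sample modelled on the CentOS 7 sshd.service, and live_check() assumes the pkixssh binary landed at /usr/local/sbin/sshd.

```shell
#!/bin/sh
# Constructed sample of a CentOS 7 sshd.service (not copied from a real host).
# Only the ExecStart line matters for the check below.
SAMPLE_UNIT='[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target'

# unit_execstart_binary UNIT_TEXT: print the executable named in the first
# ExecStart= line, stripping systemd's optional prefix characters (-, @, !, +).
unit_execstart_binary() {
    printf '%s\n' "$1" | sed -n 's/^ExecStart=\([-@!+]*\)\([^ ]*\).*/\2/p' | head -n 1
}

# check_dropin UNIT_TEXT INSTALLED_BIN: succeed (0) only if the unit starts
# INSTALLED_BIN; fail (1) if systemd would launch some other sshd.
check_dropin() {
    _unit_bin=$(unit_execstart_binary "$1")
    [ "$_unit_bin" = "$2" ]
}

# Live version for a real CentOS 7 host (assumes pkixssh went to /usr/local/sbin).
live_check() {
    unit_file=/lib/systemd/system/sshd.service
    [ -r "$unit_file" ] || { echo "no $unit_file found"; return 2; }
    unit_text=$(cat "$unit_file")
    if check_dropin "$unit_text" /usr/local/sbin/sshd; then
        echo "sshd.service starts the pkixssh build in /usr/local/sbin"
    else
        echo "sshd.service starts $(unit_execstart_binary "$unit_text"), NOT the pkixssh build"
    fi
    rpm -q openssh openssh-server openssh-clients 2>/dev/null   # which vendor RPMs remain
    /usr/local/sbin/sshd -t -f /etc/ssh/sshd_config && echo "pkixssh config test OK"
}
```

Run live_check on the target after installation; a mismatch means the unit file must be copied or edited (or the build configured with --prefix=/usr --sysconfdir=/etc/ssh) before the service is enabled.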
