[ssh_x509] Integrating SSH with X.509 support into a CentOS 7 system

ssh_x509 at roumenpetrov.info
Wed May 31 23:07:11 EEST 2017

Hi Robert,

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> We are currently porting a product to CentOS 7 from an earlier version of Linux, and this product requires X.509 support with OpenSSH. The product is on an isolated network with minimal development tools available. Previously, we took a full source archive of OpenSSH 6.1, and applied the X.509 patch to it. We then rebuilt the archive and simply performed a "make install" on the target (only requiring the make package to be installed). This has worked well for our needs so far.
You could continue with this approach.

> Fast forward to 2017, and I can now see that only pre-patched versions of OpenSSH are provided, in the form of pkissh archives.
Please have a look at the download page; in the last column "(diff)" there is a link to the 
patch, and for your version it is ..../openssh-6.6p1+x509-8.1.diff.gz.

> In order to minimise disruptive changes, we would like to maintain the same base version of OpenSSH (6.6) as comes pre-installed with CentOS 7 - this means that we intend to use pkixssh-8.1, which is the latest version built against OpenSSH 6.1.

> But there the problems start; though I have successfully managed to build and install this archive, much of the expected functionality is missing, including the service startup/shutdown scripts in /lib/systemd/system, and the sshd configuration scripts.
OpenSSH and PKIX-SSH provide the "portable" version. Support for systemd 
etc. comes from the OS vendor - the systemd patch is in the source rpm.

> The binary executables have also moved from /usr/sbin to /usr/local/sbin, indicating that this is not a clean transition from OpenSSH 6.6. Also, after looking at a native OpenSSH 6.6 installation, I can see the following rpms installed:
It is managed by configure options. All autoconf-based scripts support 
--prefix, --bindir, --sbindir, etc.
> openssh-6.6.1p1-33.el7_3.x86_64.rpm
> openssh-clients-6.6.1p1-33.el7_3.x86_64.rpm
> openssh-server-6.6.1p1-33.el7_3.x86_64.rpm

The spec files in the PKIX source tree are not updated :(
> So does pkixssh-8.1 effectively replace all of these, or only one of them, and do any of these native packages still need to be installed?

From a functional point of view pkixssh is an effective replacement.

From a maintenance point of view, no: the source rpm comes with 76 extra patches.

> [SNIP]
> So my question is, if I build pkixssh-8.1 and manually install using "make install", do I have to install these service scripts and enable the services manually - this is normally done as part of the OpenSSH RPM installation process, so it would be good to have some guidance as to how to incorporate pkixssh-8.1 as a "drop in" replacement for OpenSSH 6.6.
I have no idea what the scope of work is to manage conflicts with all 
those (76) vendor patches.

> Another approach is to manually build a binary RPM from pkixssh-8.1, which would be a more elegant solution, but again, it is unclear if this would encompass installing and setting up the service control scripts, and which RPM(s) it would actually replace in the suite of OpenSSH RPMs defined above. All in all, it would be great if somebody could provide some guidance on this process, if they have done a similar thing before.

I could give some hints for the "fips" patch. PKIX-SSH supports builds with 
FIPS-validated OpenSSL; the option is --enable-openssl-fips. 
The implementation is different but the functionality is the same.
One of the differences is how FIPS mode is activated. PKIX-SSH uses the OpenSSL 
style with the environment variable OPENSSL_FIPS, while Red Hat uses a file.
So part of the vendor fips patch has to be applied. Also I note that now the 
fips-check signatures are located in a separate directory instead of the 
directory of the executable, i.e. the installation has to be adapted.

> Regards,
> Robert


Secure shell with X.509 certificate support
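The configure-option approach the reply points to, as an added example that is not code from the thread or from the PKIX-SSH project: a POSIX shell script that emits configure arguments placing PKIX-SSH where the CentOS 7 openssh-* packages install their files, and a check that an installed tree contains those files. The vendor paths (/usr/sbin, /usr/libexec/openssh, /etc/ssh, /var/empty/sshd) and the --with-* option names are assumptions taken from standard OpenSSH packaging, not stated in the message; --enable-openssl-fips is the option the reply names.

```shell
#!/bin/sh
# Added example, not code from the thread or from PKIX-SSH. Emits the
# configure arguments that place PKIX-SSH where the CentOS 7 openssh-*
# packages put their files, so "make install" acts as a drop-in replacement
# instead of landing under /usr/local. Paths and --with-* options are
# assumptions taken from standard OpenSSH packaging.

# Usage: pkixssh_configure_args [fips]
# Prints one argument per line; pass "fips" to add --enable-openssl-fips
# (the option named in the reply; the vendor's file-based FIPS switch still
# needs the vendor patch, which this script does not apply).
pkixssh_configure_args() {
    printf '%s\n' \
        --prefix=/usr \
        --sysconfdir=/etc/ssh \
        --libexecdir=/usr/libexec/openssh \
        --with-pid-dir=/var/run \
        --with-privsep-path=/var/empty/sshd \
        --with-privsep-user=sshd
    if [ "${1:-}" = "fips" ]; then
        printf '%s\n' --enable-openssl-fips
    fi
}

# Usage: check_layout [root]
# Verifies that the files the vendor packages provide exist at the same
# paths under root (default "/"). Returns the number of missing files,
# so 0 means the tree matches the expected drop-in layout.
check_layout() {
    root=${1:-/}
    missing=0
    for f in usr/bin/ssh usr/bin/ssh-keygen usr/sbin/sshd \
             usr/libexec/openssh/sftp-server etc/ssh/sshd_config; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: /$f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Typical use on the build host (run inside the unpacked pkixssh source tree):
#   ./configure $(pkixssh_configure_args) && make && make install
#   check_layout /   # exit status 0 when the drop-in layout is complete
```

The systemd unit files and the sshd configuration scripts are not produced by configure; as the reply says, those come from the vendor's source rpm.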
