[ssh_x509] Integrating SSH with X.509 support into a CentOS 7 system

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Jun 1 11:53:05 EEST 2017

Hi Roumen,

Thank you for the update - I now have a better understanding of how this all goes together, so have managed to integrate it into our environment. This is using your pkissh archive, meaning we miss out on the 76 vendor patches, but I don't envisage any significant problems here. The proof of the pudding will of course be when we start testing the system in earnest.

Once again, thanks for your advice.

BTW, on your download site, the "tar.gz" files are actually just unzipped tarballs, so they should probably be renamed as .tar files.



-----Original Message-----
From: ssh_x509 [mailto:ssh_x509-bounces at roumenpetrov.info] On Behalf Of ssh_x509 at roumenpetrov.info
Sent: 31 May 2017 21:07
To: ssh_x509 at roumenpetrov.info
Subject: Re: [ssh_x509] Integrating SSH with X.509 support into a CentOS 7 system

Hi Robert,

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> We are currently porting a product to CentOS 7 from an earlier version of Linux, and this product requires X.509 support with OpenSSH. The product is on an isolated network with minimal development tools available. Previously, we took a full source archive of OpenSSH 6.1, and applied the X.509 patch to it. We then rebuilt the archive and simply performed a "make install" on the target (only requiring the make package to be installed). This has worked well for our needs so far.
You could continue with this approach.

> Fast forward to 2017, and I can now see that only pre-patched versions of OpenSSH are provided, in the form of pkissh archives.
Please have a look at the download page: in the last column, "(diff)" is a link to the patch, and for your version it is ..../openssh-6.6p1+x509-8.1.diff.gz.

> In order to minimise disruptive changes, we would like to maintain the same base version of OpenSSH (6.6) as comes pre-installed with CentOS 7 - this means that we intend to use pkixssh-8.1, which is the latest version built against OpenSSH 6.1.

> But there the problems start; though I have successfully managed to build and install this archive, much of the expected functionality is missing, including the service startup/shutdown scripts in /lib/systemd/system, and the sshd configuration scripts.
OpenSSH and PKIX-SSH provide a "portable" version. Support for systemd etc. comes from the OS vendor: the systemd patch is in the source rpm.

> The binary executables have also moved from /usr/sbin to /usr/local/sbin, indicating that this is not a clean transition from OpenSSH 6.6. Also, after looking at a native OpenSSH 6.6 installation, I can see the following rpms installed:
It is managed by configure options. All autoconf-based scripts support --prefix, --bindir, --sbindir, etc.
> openssh-6.6.1p1-33.el7_3.x86_64.rpm
> openssh-clients-6.6.1p1-33.el7_3.x86_64.rpm
> openssh-server-6.6.1p1-33.el7_3.x86_64.rpm

The spec files in the PKIX source tree are not updated :(
> So does pkixssh-8.1 effectively replace all of these, or only one of them, and do any of these native packages still need to be installed?

From a functional point of view pkixssh is an effective replacement.

From a maintenance point of view, no: the source rpm comes with 76 extra patches.

> [SNIP]
> So my question is, if I build pkixssh-8.1 and manually install using "make install", do I have to install these service scripts and enable the services manually - this is normally done as part of the OpenSSH RPM installation process, so it would be good to have some guidance as to how to incorporate pkixssh-8.1 as a "drop in" replacement for OpenSSH 6.6.
I have no idea what the scope of work is to manage conflicts with all
those (76) vendor patches.

> Another approach is to manually build a binary RPM from pkixssh-8.1, which would be a more elegant solution, but again, it is unclear if this would encompass installing and setting up the service control scripts, and which RPM(s) it would actually replace in the suite of OpenSSH RPMs defined above. All in all, it would be great if somebody could provide some guidance on this process, if they have done a similar thing before.

I could give some hints for the "fips" patch. PKIX-SSH supports builds with FIPS-validated OpenSSL; the option is --enable-openssl-fips.
The implementation is different but the functionality is the same.
One of the differences is how FIPS mode is activated. PKIX-SSH uses the OpenSSL style with the environment variable OPENSSL_FIPS, while Red Hat uses a file.
So part of the vendor fips patch has to be applied. Also, I note that now the fips-check signatures are located in a separate directory instead of the directory of the executable, i.e. the installation has to be adapted.

> Regards,
> Robert


Secure shell with X.509 certificate support http://roumenpetrov.info/secsh/

ssh_x509 mailing list
ssh_x509 at roumenpetrov.info


Robert Coward
Navigation, Telecoms & Ground Segment
Telespazio VEGA UK Ltd

350 Capability Green, Luton, Bedfordshire LU1 3LU - United Kingdom
Ph: +44 1582 399018
Robert.Coward at telespazio.com
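As an added illustration of the configure-options point made in the reply above (this is not code from the thread or from the PKIX-SSH project), the script below assembles the configure arguments that place a PKIX-SSH "make install" on the same paths as the stock CentOS 7 openssh package, and then checks that the vendor sshd.service unit actually points at the installed binary. The path values are assumptions drawn from a reading of the el7 openssh.spec and should be verified against the installed source rpm.

```shell
#!/bin/sh
# Added example, not from the list thread or from PKIX-SSH itself: make a
# PKIX-SSH "make install" land on the paths the stock CentOS 7 openssh
# package uses, so the vendor sshd.service keeps starting the right binary.
# The path values below are assumptions from a reading of the el7
# openssh.spec; check them against the spec in the openssh-6.6.1p1 source rpm.

# Print the configure arguments for the vendor layout.  Extra options such as
# --enable-openssl-fips (mentioned in the reply above) can be appended.
pkixssh_configure_args() {
    set -- \
        --prefix=/usr \
        --sysconfdir=/etc/ssh \
        --libexecdir=/usr/libexec/openssh \
        --with-pid-dir=/var/run \
        --with-privsep-path=/var/empty/sshd \
        --with-pam \
        "$@"
    printf '%s\n' "$*"
}

# Extract the sshd path a systemd unit starts (first word of ExecStart=).
unit_sshd_path() {
    sed -n 's/^ExecStart=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Extract the EnvironmentFile= the unit loads (leading "-" means optional).
# With PKIX-SSH, FIPS mode is switched on by the OPENSSL_FIPS variable, so
# that file is where the setting belongs for a systemd-started sshd.
unit_env_file() {
    sed -n 's/^EnvironmentFile=-*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# After "make install": confirm the binary named in the unit's ExecStart
# exists, i.e. --prefix did not leave sshd under /usr/local/sbin.
check_drop_in() {
    unit=$1
    bin=$(unit_sshd_path "$unit")
    if [ ! -x "$bin" ]; then
        echo "missing $bin: configure --prefix does not match $unit" >&2
        return 1
    fi
    echo "$unit starts $bin (environment from $(unit_env_file "$unit"))"
}

# Usage on the target (assumed unit path for CentOS 7):
#   ./configure $(pkixssh_configure_args --enable-openssl-fips) && make && make install
#   check_drop_in /usr/lib/systemd/system/sshd.service
```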

