David's development/operations Blog

Build A Custom Debian Package Of The Latest OpenSSH

Posted in Systems Engineering / Unix Systems Operations by david415 on September 10, 2008

I needed the latest OpenSSH installed on a large cluster of Debian servers running Debian stable Etch. Since Debian isn’t going to ship a package with the latest OpenSSH for Debian stable Etch I decided to build this package myself.

This is my recipe to build a Debian package of the latest OpenSSH which installs in prefix=/usr/local. I decided not to repackage Debian’s patched OpenSSH because I didn’t want to deal with all the dependencies. The Debian OpenSSH patch adds a lot of code that I don’t need for my production environment. Also, my package is named differently than the Debian one, so it can be installed without removing the old Debian openssh package. For my situation I don’t need a post-install script as part of the Debian package, because I’m performing a custom cluster-wide software deploy.

Find a mirror and then download the OpenSSH source code :

wget ftp://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz

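Cryptographically verify the OpenSSH tarball. The signing key here is fetched from the same mirror as the tarball, so the signature check only proves something if the fingerprint printed by gpg --fingerprint matches one obtained from an independent, trusted source :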

wget ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz.asc
wget ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/DJM-GPG-KEY.asc
gpg --import DJM-GPG-KEY.asc
gpg --fingerprint
gpg --verify openssh-5.1p1.tar.gz.asc  openssh-5.1p1.tar.gz
gpg --delete-keys "Damien Miller (Personal Key) "

Prepare the build :

tar xzf openssh-5.1p1.tar.gz
mv openssh-5.1p1 openssh-5.1p1-spinn3r-r1
cd openssh-5.1p1-spinn3r-r1
dh_make --email david@spinn3r.com --single --native --packagename openssh-5.1p1-spinn3r-r1
cd debian/

Edit the ‘control’ file :

vi control:

Source: openssh-5.1p1-spinn3r-r1
Section: unknown
Priority: extra
Maintainer: root
Build-Depends: debhelper (>= 5), autotools-dev
Standards-Version: 3.7.2

Package: openssh-5.1p1-spinn3r-r1
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: David's attempt at a custom Spinn3r OpenSSH deb package

Edit the ‘rules’ file (e.g. vi rules). I edited this section to set the install prefix to /usr/local/ :

config.status: configure
        # Add here commands to configure the package.
        ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
--prefix=/usr/local --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"

Later on in this file there is another section that seemed like a good idea to edit with the correct prefix :

        $(MAKE) prefix=$(CURDIR)/debian/openssh-5.1p1-spinn3r-r1/usr/local install

Change to the parent directory to edit Makefile.in :
cd ..

Edit Makefile.in (so that configure generates the Makefile the way we want it). We need to edit the ‘install’ target so that it does NOT generate SSH host keys; otherwise the build process will create a set of keys and the .deb package will be distributed with those keys, so every server installing it would share the same host keys.
Change this:

install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config

to this :

install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf check-config

Build the custom Debian package :
dpkg-buildpackage -rfakeroot -uc -b

       -us, -uc
              Do not sign the source package or the .changes file, respectively.

       -b     indicates that no source files are to be built and/or distributed

The above command prints a lot of output and then ends with this :

dpkg-deb: building package `openssh-5.1p1-spinn3r-r1' in `../openssh-5.1p1-spinn3r-r1_5.1p1-spinn3r-r1_amd64.deb'.
 dpkg-genchanges -b
dpkg-genchanges: binary-only upload - not including any source code
dpkg-buildpackage: binary only upload (no source included)

The .deb file should have been written to the parent directory.
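
A pre-deploy check for the host-key problem described in the Makefile.in step, as an added example that is not part of the original post: it confirms that the install target no longer depends on host-key and that the built .deb contains no ssh_host_*key files. The script and function names are hypothetical, and it assumes the six-column listing printed by dpkg-deb --contents.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that no SSH host keys
# were baked into the package before it is deployed cluster-wide.

# install_runs_host_key FILE
# Exit 0 if the "install:" rule in FILE still lists "host-key" as a
# prerequisite (the unpatched Makefile.in), 1 otherwise.
install_runs_host_key() {
    awk '
        /^install:/ { inrule = 1 }
        inrule {
            line = $0
            cont = (line ~ /\\$/)          # rule continues on the next line
            sub(/\\$/, "", line)
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] == "host-key") hit = 1
            if (!cont) inrule = 0
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# find_host_keys
# Reads `dpkg-deb --contents` output on stdin and prints every member whose
# file name is a host key (ssh_host_key, ssh_host_rsa_key, ... and .pub).
# Exit 0 if the listing is clean, 1 if any key file is packaged.
find_host_keys() {
    awk '
        {
            path = $6                      # assumed tar-style listing: 6th field is the path
            n = split(path, parts, "/")
            if (parts[n] ~ /^ssh_host_([a-z0-9]+_)?key(\.pub)?$/) {
                print path
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Usage (hypothetical script name): sh check-hostkeys.sh Makefile.in ../package.deb
if [ "$#" -eq 2 ]; then
    if install_runs_host_key "$1"; then
        echo "FAIL: install target in $1 still depends on host-key" >&2; exit 1
    fi
    if ! dpkg-deb --contents "$2" | find_host_keys; then
        echo "FAIL: host keys listed above are inside $2" >&2; exit 1
    fi
    echo "OK: no host keys in $2"
fi
```

Run it from the source directory after dpkg-buildpackage finishes and before the package is copied to any server.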

