Build A Custom Debian Package Of The Latest OpenSSH
I needed the latest OpenSSH installed on a large cluster of Debian servers running Debian stable Etch. Since Debian isn’t going to ship a package with the latest OpenSSH for Debian stable Etch, I decided to build this package myself.
This is my recipe to build a Debian package of the latest OpenSSH which installs in prefix=/usr/local. I decided not to repackage Debian’s patched OpenSSH because I didn’t want to deal with all the dependencies. The Debian OpenSSH patch adds a lot of code that I don’t need for my production environment. Also my package is named differently than the Debian one… so it can be installed without removing the old Debian openssh package. For my situation I don’t need a post install script as part of the Debian package… because I’m performing a custom cluster-wide software deploy….
Find a mirror and then download the OpenSSH source code :
http://www.openssh.org/portable.html
wget ftp://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz
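Cryptographically verify the OpenSSH tarball (compare the fingerprint printed by gpg --fingerprint against a copy obtained from somewhere other than the download mirror before trusting the gpg --verify result) :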
wget ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz.asc
wget ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/DJM-GPG-KEY.asc
gpg --import DJM-GPG-KEY.asc
gpg --fingerprint
gpg --verify openssh-5.1p1.tar.gz.asc openssh-5.1p1.tar.gz
gpg --delete-keys "Damien Miller (Personal Key) "
Prepare the build :
tar xzf openssh-5.1p1.tar.gz
mv openssh-5.1p1 openssh-5.1p1-spinn3r-r1
cd openssh-5.1p1-spinn3r-r1
dh_make --email david@spinn3r.com --single --native --packagename openssh-5.1p1-spinn3r-r1
cd debian/
Edit the ‘control’ file :
vi control:
Source: openssh-5.1p1-spinn3r-r1
Section: unknown
Priority: extra
Maintainer: root
Build-Depends: debhelper (>= 5), autotools-dev
Standards-Version: 3.7.2

Package: openssh-5.1p1-spinn3r-r1
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: David's attempt at a custom Spinn3r OpenSSH deb package
Edit the ‘rules’ file (e.g. vi rules) :
I edited this section to set the install prefix to /usr/local/ :
config.status: configure
	dh_testdir
	# Add here commands to configure the package.
	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
		--prefix=/usr/local --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
		CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
Later in this file there is an install line that seemed like a good idea to edit so it uses the correct prefix :
	$(MAKE) prefix=$(CURDIR)/debian/openssh-5.1p1-spinn3r-r1/usr/local install
Change to parent directory and edit Makefile.in
cd ..
Edit the Makefile.in (so autoconf generates the Makefile the way we want it). We need to edit the ‘install’ target so it does NOT generate ssh host keys (the ‘host-key’ prerequisite); otherwise the build process will create a set of keys and the .deb package will be distributed with those keys, so every server installing it would share the same host private keys.
change this:
install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
to this :
install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf check-config
Build the custom Debian package:
dpkg-buildpackage -rfakeroot -uc -b
-us, -uc : Do not sign the source package or the .changes file, respectively.
-b : indicates that no source files are to be built and/or distributed
The above command outputs a bunch of stuff and then ends with this :
dh_md5sums
dh_builddeb
dpkg-deb: building package `openssh-5.1p1-spinn3r-r1' in `../openssh-5.1p1-spinn3r-r1_5.1p1-spinn3r-r1_amd64.deb'.
dpkg-genchanges -b
dpkg-genchanges: binary-only upload - not including any source code
dpkg-buildpackage: binary only upload (no source included)
root@fu:~/builds/openssh-5.1p1-spinn3r-r1#
The .deb file should have been written to the parent directory.
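Before deploying, it is worth confirming that the Makefile.in edit worked and no host keys ended up inside the package. The script below is an added example, not part of the original recipe: it scans a `dpkg-deb --contents` listing for files named like SSH host keys. The function names, the filename pattern and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SSH host keys in a .deb file listing.

# Read `dpkg-deb --contents` output on stdin and print every path that looks
# like a host key (ssh_host_key, ssh_host_rsa_key, ..., with or without .pub).
# The path is the 6th field of the tar-style listing.
find_host_keys() {
    awk '{ print $6 }' | grep -E '(^|/)ssh_host_([a-z0-9]+_)?key(\.pub)?$' || true
}

# Return 0 if the listing on stdin contains no host keys, 1 otherwise.
check_listing() {
    found=$(find_host_keys)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/host key packaged: /' >&2
        return 1
    fi
    return 0
}

# Constructed listing: what a build WITH the host-key target would contain.
sample_bad() { cat <<'EOF'
drwxr-xr-x root/root         0 2008-09-01 12:00 ./usr/local/etc/
-rw-r--r-- root/root      3213 2008-09-01 12:00 ./usr/local/etc/sshd_config
-rw------- root/root       975 2008-09-01 12:00 ./usr/local/etc/ssh_host_key
-rw-r--r-- root/root       640 2008-09-01 12:00 ./usr/local/etc/ssh_host_key.pub
-rw------- root/root       668 2008-09-01 12:00 ./usr/local/etc/ssh_host_dsa_key
-rw------- root/root      1675 2008-09-01 12:00 ./usr/local/etc/ssh_host_rsa_key
-rwxr-xr-x root/root    400000 2008-09-01 12:00 ./usr/local/sbin/sshd
EOF
}

# Constructed listing: what the edited install target should produce.
sample_clean() { cat <<'EOF'
drwxr-xr-x root/root         0 2008-09-01 12:00 ./usr/local/etc/
-rw-r--r-- root/root      3213 2008-09-01 12:00 ./usr/local/etc/sshd_config
-rw-r--r-- root/root      1509 2008-09-01 12:00 ./usr/local/etc/ssh_config
-rwxr-xr-x root/root    400000 2008-09-01 12:00 ./usr/local/sbin/sshd
-rwxr-xr-x root/root    150000 2008-09-01 12:00 ./usr/local/bin/ssh-keygen
EOF
}

# When given a .deb path as the first argument, check that package.
if [ $# -gt 0 ]; then
    dpkg-deb --contents "$1" | check_listing
fi
```

Run it with the path of the built .deb as its argument; a non-zero exit status means the package should not be deployed.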
Enjoy…