My server at home runs CentOS 5 and this has OpenSSH version 4.3. Running updates doesn’t update this version, because RedHat keeps the version number stable.
But I wanted a newer OpenSSH because of some nice new features. But when I do compile a new version I’m still stuck with old OpenSSL, and that’s not what I want.
Well, you can guess it by now, this is what I did.
I first got the newest version of OpenSSL and compiled it with
./config shared --prefix=/usr/local/openssl
make
make install
This way, this OpenSSL is completely separate from the one on the system, so nothing gets broken.
After this I wanted to compile OpenSSH, and I did get the message
configure: error: Your OpenSSL headers do not match your library
I took a look at Google and I found a lot of answers, including one where you had to copy all the header files all over the place. I was completely flabbergasted when I read this solution. A short example (there were a lot more; to protect this lunatic I removed his userid from the lines below):
cd /home/x/openssl/openssl-*
cd include/openssl
cp * /usr/include
cp * /usr/local/ssl/include
cp * /usr/local/ssl/include/openssl
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/local/ssl/include
cd /home/x/openssl/openssl-*
cp lib* /usr/local/ssl/lib/
cp lib* /usr/lib/
ldconfig
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/include/
cp * /usr/local/ssl/include/
cp * /usr/local/ssl/include/openssl
Well, let’s put it this way: ARE YOU NUTS!!!
If you want to break things, that’s the way to go.
And after all this copying he got the message:
Connecting to server...
OpenSSL version mismatch. Built against 90603f, you have 90607f
Couldn't read packet: Connection reset by peer
And guess what, this was solved with more copying of libraries and header files. What a mess. Thank God he lives in the States and his resume says he is only a Linux Systems Expert working for a brain surgeon. I reckon he will never touch my brain or machines.
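What the two hex values in that error mean, as an added example that is not part of the original post: OpenSSH prints the OPENSSL_VERSION_NUMBER of the headers it was built against and of the library it actually loaded. The script decodes them assuming the pre-3.0 OpenSSL layout (MNNFFPPS); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: decode OPENSSL_VERSION_NUMBER values (pre-3.0 layout MNNFFPPS)
# as OpenSSH prints them. Function names here are hypothetical.

decode_openssl_version() {
    # Accept "90603f", "0x0090603f" or "0x0090603fL"; OpenSSH drops leading zeros.
    hex=$(printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/[lL]$//')
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo "invalid version: $1" >&2; return 1 ;;
    esac
    n=$(printf '%d' "0x$hex") || return 1
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    status=$(( n & 0xf ))
    # Patch level 1..26 maps to the letter suffix a..z; 0 means no letter.
    letter=""
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c "$patch")
    fi
    # Status nibble: 0 = development, 1..14 = beta, 15 (f) = release.
    case "$status" in
        0)  tag="-dev" ;;
        15) tag="" ;;
        *)  tag="-beta$status" ;;
    esac
    echo "${major}.${minor}.${fix}${letter}${tag}"
}

explain_mismatch() {
    # Pull both hex values out of the runtime error line.
    re='.*Built against \([0-9a-fA-F]*\), you have \([0-9a-fA-F]*\).*'
    built=$(printf '%s\n' "$1" | sed -n "s/$re/\1/p")
    have=$(printf '%s\n' "$1" | sed -n "s/$re/\2/p")
    if [ -z "$built" ] || [ -z "$have" ]; then
        echo "no mismatch line found" >&2
        return 2
    fi
    echo "headers=$(decode_openssl_version "$built") library=$(decode_openssl_version "$have")"
}

# Sample input: the error line quoted in the post.
explain_mismatch 'OpenSSL version mismatch. Built against 90603f, you have 90607f'
```

For the quoted line this reports 0.9.6c headers against a 0.9.6g library: the binary was compiled with one OpenSSL and loaded another at run time, which is what scattering copies of headers and libraries around the system produces.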
I experimented somewhat with the configure options and it’s quite easy:
# Point the linker at the separately installed OpenSSL libraries
export LDFLAGS="-L/usr/local/openssl/lib"
./configure \
--with-pam \
--with-kerberos5 \
--with-ssl-engine \
--includedir=/usr/local/openssl/include \
--with-ssl-dir=/usr/local/openssl
and now OpenSSH compiles with the special OpenSSL without polluting your entire system.
Have fun and don’t mess up!