My server at home runs CentOS 5, which ships OpenSSH version 4.3. Running updates doesn’t change this version, because Red Hat keeps the version number stable.
I wanted a newer OpenSSH because of some nice new features, but when I compile a new version I’m still stuck with the old OpenSSL, and that’s not what I want.
Well, you can guess it by now, this is what I did.
I first got the newest version of OpenSSL and compiled it with
    ./config shared --prefix=/usr/local/openssl
    make
    make install
This way this SSL is completely separate from the one on the system, so nothing gets broken.
After this I wanted to compile OpenSSH, and I did get the message
configure: error: Your OpenSSL headers do not match your library
I took a look at Google and I found a lot of answers, including one where you had to copy all the header files all over the place. I was completely flabbergasted when I read this solution. A short example (there were a lot more; to protect this lunatic I removed his userid from the lines below):
    cd /home/x/openssl/openssl-*
    cd include/openssl
    cp * /usr/include
    cp * /usr/local/ssl/include
    cp * /usr/local/ssl/include/openssl
    cd /home/x/openssl/openssl-*/include/openssl
    cp * /usr/local/ssl/include
    cd /home/x/openssl/openssl-*
    cp lib* /usr/local/ssl/lib/
    cp lib* /usr/lib/
    ldconfig
    cd /home/x/openssl/openssl-*/include/openssl
    cp * /usr/include/
    cp * /usr/local/ssl/include/
    cp * /usr/local/ssl/include/openssl
Well, let’s put it this way: ARE YOU NUTS!!!
If you want to break things, that’s the way to go.
And after all this copying he got the message:
    Connecting to server...
    OpenSSL version mismatch. Built against 90603f, you have 90607f
    Couldn't read packet: Connection reset by peer
And guess what, this was solved with more copying of libraries and header files. What a mess. Thank God he lives in the States and his resume says he is only a Linux Systems Expert working for a brain surgeon. I reckon he will never touch my brain or machines.
I experimented somewhat with the configure options and it’s quite easy:
    # LDFLAGS takes a -L<dir> option, not a bare directory
    export LDFLAGS="-L/usr/local/openssl/lib"
    ./configure \
        --with-pam \
        --with-kerberos5 \
        --with-ssl-engine \
        --includedir=/usr/local/openssl/include \
        --with-ssl-dir=/usr/local/openssl
and now OpenSSH compiles with the special OpenSSL without polluting your entire system.
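The two numbers in the "version mismatch" message quoted above are OpenSSL version numbers in hex. The script below is an added example, not part of the original post: it decodes them and compares the version in a prefix's opensslv.h with the version the library reports. The function names, the temporary sample prefix and passing the library version by hand are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Pre-3.0 OPENSSL_VERSION_NUMBER layout is 0xMNNFFPPS:
# major, minor, fix, patch (1 = "a", 2 = "b", ...), status (f = release).
decode_openssl_version() {
    n=$((0x$1))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    status=$(( n & 0xf ))
    letter=""
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf "\\$(printf '%03o' $((96 + patch)))")
    fi
    case $status in
        15) tag="" ;;
        0)  tag="-dev" ;;
        *)  tag="-beta$status" ;;
    esac
    printf '%s.%s.%s%s%s\n' "$major" "$minor" "$fix" "$letter" "$tag"
}

# Print the hex version (leading zeros dropped, as in the error message)
# defined in <prefix>/include/openssl/opensslv.h.
header_version() {
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}0x0*\([0-9a-fA-F]\{1,\}\).*/\1/p' \
        "$1/include/openssl/opensslv.h" | head -n 1
}

# $1 = install prefix, $2 = hex version reported by the library that gets
# loaded (passed in by hand here; an assumption of this example).
check_prefix() {
    hdr=$(header_version "$1")
    if [ $((0x$hdr)) -eq $((0x$2)) ]; then
        echo "match: headers and library are both $(decode_openssl_version "$hdr")"
    else
        echo "mismatch: headers $(decode_openssl_version "$hdr"), library $(decode_openssl_version "$2")"
        return 1
    fi
}

# Constructed sample: a fake prefix whose header carries the "built against"
# value from the message above, checked against the "you have" value.
demo=$(mktemp -d)
mkdir -p "$demo/include/openssl"
printf '#define OPENSSL_VERSION_NUMBER\t0x0090603fL\n' > "$demo/include/openssl/opensslv.h"
check_prefix "$demo" 90607f || true
rm -rf "$demo"
```

Run against the real prefix, `header_version /usr/local/openssl` shows which headers a build will pick up.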
Have fun and don’t mess up!