Building OpenSSH Server on RHEL/CentOS/SL from source

Red Hat Enterprise Linux, CentOS and Scientific Linux (RHEL/CentOS/SL) do not ship with a version of OpenSSH that is compatible with Moonshot.

To get Moonshot support for it, you must install a specific Moonshot-enabled version. These instructions tell you how to re-compile it by hand.

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

The instructions on this page will replace the system provided OpenSSH packages with the Moonshot enabled ones (don't worry, standard SSH things will still work!).

Patches are currently available for RHEL/CentOS/SL 6.4 - 6.8 and RHEL/CentOS/SL 7.2 - 7.3.

Following the instructions on this page will give you a Moonshot-enabled OpenSSH Server only.

1. Building OpenSSH

1.1. Install prerequisites

You will need various packages installed in order to build OpenSSH from scratch. Install them via yum:

RHEL/CentOS/SL 6
$ yum install audit-libs-devel autoconf automake fipscheck-devel gcc gtk2-devel libedit-devel \
    libX11-devel make man ncurses-devel nss-devel openldap-devel openssl-devel pam-devel \
    rpm-build rpmdevtools tcp_wrappers-devel xauth

RHEL/CentOS/SL 7
$ yum install audit-libs audit-libs-devel autoconf automake fipscheck-devel gcc groff \
    gtk2-devel krb5-devel libcap-ng-devel libedit-devel libselinux-devel libX11-devel \
    make man ncurses-devel nss-devel openldap-devel openssl-devel pam-devel perl \
    perl-podlators rpm-build rpmdevtools tcp_wrappers-devel util-linux xauth

1.2. Get the sources and patches

  1. If you do not have any rpmbuild directories already, create them now.

    $ mkdir -p ~/rpmbuild/SOURCES ~/rpmbuild/SPECS ~/rpmbuild/RPMS
  2. Download the OpenSSH sources for your particular minor version of RHEL/CentOS/SL into the SOURCES directory. The sources are available at the following locations:

  3. Navigate to the SOURCES directory and extract the source from the RPM.

    RHEL/CentOS/SL 6
    $ cd ~/rpmbuild/SOURCES && rpm -ivh openssh-5.3p1-*.src.rpm
    RHEL/CentOS/SL 7
    $ cd ~/rpmbuild/SOURCES && rpm -ivh openssh-6.*.src.rpm
  4. Download the Moonshot patches into the SOURCES directory:

    RHEL/CentOS/SL 6
    CentOS 6 to CentOS 6.7
    $ curl -o openssh-gssapi-generic.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-gssapi-generic.patch?api=v2' && \
    curl -o openssh-nulluser.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-nulluser.patch?api=v2'
    CentOS 6.8
    $ curl -o openssh-gssapi-generic.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-gssapi-generic.patch?api=v2' && \
    curl -o openssh-nulluser.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-5.3p1-nulluser-118.patch?api=v2'
    RHEL/CentOS/SL 7
    CentOS 7.2
    $ curl -o openssh-gssapi-generic-6x.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-gssapi-generic-6x.patch?api=v2' && \
    curl -o openssh-nulluser-6x.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6x.patch?api=v2'
    CentOS 7.3
    $ curl -o openssh-gssapi-generic-6x.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-gssapi-generic-6x.patch?api=v2' && \
    curl -o openssh-nulluser-6x.patch 'https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6.6.1p1-33.patch?api=v2'
  5. Navigate to the SPECS directory and download the Moonshot-enabled OpenSSH spec file for your particular version of RHEL/CentOS/SL. The sources are available at the following locations:

     RHEL/CentOS/SL 6
     RHEL/CentOS/SL 7
  6. Rename the file you downloaded to "openssh.spec", overwriting the existing copy:

    (For CentOS 6.6)
    $ mv openssh-5.3p1-104.spec openssh.spec

1.3. Build OpenSSH

Now we're ready to build the Moonshot-enabled version of OpenSSH.

  1. Make sure you're in the SPECS directory and execute an RPM build.

    $ rpmbuild -bb openssh.spec

    If the build was successful, in your ~/rpmbuild/RPMS/x86_64 directory you should find RPMs for the following:

      • openssh
      • openssh-askpass
      • openssh-clients
      • openssh-ldap
      • openssh-server
      • pam_ssh_agent_auth

2. Installation Instructions

2.1. Add the Moonshot libraries.

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on a Linux Server.

2.2. Ensure that your hostname is correct

The channel bindings check requires that the hostname of your SSH server match the hostname people are SSHing to. That is, the output of the "hostname" command should match the FQDN of the server. If it doesn't, change the relevant line in /etc/sysconfig/network to make it so.

2.3. Installation Instructions

  1. Establish first which of the above OpenSSH packages are installed and note them down:

    $ yum list installed | grep openssh
  2. Change to the ~/rpmbuild/RPMS/x86_64 directory that contains your packages and install them with the yum downgrade command, passing the RPM file for each of the packages you noted in Step 1 above:

    (for CentOS 7.3)
    $ yum downgrade openssh-6.6.1p1-33.el7.centos.x86_64.rpm openssh-clients-6.6.1p1-33.el7.centos.x86_64.rpm \
    openssh-server-6.6.1p1-33.el7.centos.x86_64.rpm
  3. Your packages should now be installed correctly.
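
One way to script steps 1 and 2 above, as an added example that is not part of the original instructions: the hypothetical helpers installed_names and rpms_for_installed turn the yum list output into the exact set of built RPM files, matching package names exactly so that "openssh" does not also select openssh-server or openssh-askpass. The "name.arch version repo" column layout and the NAME-VERSION file naming are assumptions based on the commands shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# installed_names: reads `yum list installed | grep openssh` output on stdin and
# prints the bare package names. Assumes the usual "name.arch version repo"
# columns; wrapped continuation lines (which start with whitespace) are skipped.
installed_names() {
    awk '/^[A-Za-z0-9_]/ { sub(/\.[^.]+$/, "", $1); print $1 }' | sort -u
}

# rpms_for_installed DIR: reads package names on stdin and prints the single
# built RPM in DIR for each one. The "-[0-9]" after the name anchors the match
# to the version field, so "openssh" cannot select openssh-server-*.rpm.
# Returns non-zero if any name has no match or more than one.
rpms_for_installed() {
    dir=$1
    status=0
    while IFS= read -r name; do
        set -- "$dir/$name"-[0-9]*.rpm
        if [ "$#" -eq 1 ] && [ -f "$1" ]; then
            printf '%s\n' "$1"
        else
            printf 'no unique built RPM for %s in %s\n' "$name" "$dir" >&2
            status=1
        fi
    done
    return "$status"
}

# Typical use after step 1.3; review the printed list, then pass it to yum downgrade:
#   yum list installed | grep openssh | installed_names \
#       | rpms_for_installed ~/rpmbuild/RPMS/x86_64
```

A non-zero exit means at least one installed package has no freshly built counterpart, in which case the downgrade would leave a mix of system and Moonshot-enabled OpenSSH packages.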

3. Configuration Instructions

The configuration instructions for this version of the OpenSSH server are unchanged from those in the repository.