Updating to OpenSSL 0.9.7d, OpenSSH 3.8.1p1 and Apache 2.0.49 on Redhat 8
First set up our environment:
Before we get started, note that we will be compiling into /usr/local/lib, which
is not the default library directory on Redhat.
Edit /etc/ld.so.conf
and put at the top of the file
/usr/local/lib
then as root run
# ldconfig
Now set up LD_LIBRARY_PATH and LDFLAGS for configure (you want to add these to root's .profile)
# LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/usr/X11R6/lib:/usr/lib/sane:/usr/kerberos/lib:/usr/lib/qt-3.0.5/lib:/usr/lib/qt2/lib:/usr/lib/wine:/usr/lib/mysql; export LD_LIBRARY_PATH
# export LDFLAGS="-L/usr/local/lib -L/usr/lib -L/usr/X11R6/lib"
# mkdir /build (if not already created)
Now we need to remove old legacy rpms installed by Redhat if they exist:
Notes:
If the rpm command hangs you may have a corrupt rpm database.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=73097
Stop the Apache server:
# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
Copy the existing Apache configs
# mkdir /save
# cd /etc/httpd
# find . -print -depth | cpio -pvdm /save
Remove legacy Apache, MySQL and PHP (and their dependencies) rpms:
rpm -e mod_perl-1.99_07-5
rpm -e mod_python-3.0.1-3
rpm -e mod_ssl-2.0.43-2
rpm -e mod_auth_mysql-1.11-12
rpm -e mod_auth_pgsql-0.9.12-14
rpm -e wordtrans-web-1.1pre12-7
rpm -e php-imap-4.2.2-17.2
rpm -e php-ldap-4.2.2-17.2
rpm -e php-manual-4.2.2-17.2
rpm -e php-mysql-4.2.2-17.2
rpm -e php-odbc-4.2.2-17.2
rpm -e php-pgsql-4.2.2-17.2
rpm -e php-snmp-4.2.2-17.2
rpm -e squirrelmail-1.2.11-1
rpm -e php-devel-4.2.2-17.2
rpm -e php-4.2.2-17.2
rpm -e redhat-config-httpd-1.0.1-18
rpm -e webalizer-2.01_10-11
rpm -e htdig-web-3.2.0-16.20021103
rpm -e nut-cgi-1.2.0-6
rpm -e namazu-cgi-2.0.12-5
rpm -e mailman-2.1.1-4
rpm -e mailman-2.0.13-3
rpm -e php-dbg-client-2.10-6
rpm -e php-dbg-server-2.10pl3-6
rpm -e php-manual-4.2.2-8.0.5
rpm -e php-imap-4.2.2-8.0.5
rpm -e asp2php-gtk-0.76.2-3
rpm -e php-devel-4.2.2-8.0.5
rpm -e php-odbc-4.2.2-8.0.5
rpm -e php-ldap-4.2.2-8.0.5
rpm -e php-dbg-client-2.10-6
rpm -e php-pgsql-4.2.2-8.0.5
rpm -e php-snmp-4.2.2-8.0.5
rpm -e asp2php-0.76.2-3
rpm -e php-dbg-base-2.10-4
rpm -e php-mysql-4.2.2-8.0.5
rpm -e squirrelmail-1.2.7-4
rpm -e php-4.2.2-8.0.5
rpm -e namazu-cgi-2.0.10-8
rpm -e nut-cgi-0.45.4-5
rpm -e mod_perl-1.99_05-3
rpm -e mod_python-3.0.0-10
rpm -e mod_auth_pgsql-0.9.12-11
rpm -e MyODBC-2.50.39-7
rpm -e httpd-manual-2.0.40-8
rpm -e redhat-config-httpd-1.0.1-13
rpm -e httpd-devel-2.0.40-8
rpm -e httpd-2.0.40-8
rpm -e mod_auth_mysql-1.11-10
rpm -e qt-MySQL-3.0.5-17
rpm -e libdbi-dbd-mysql-0.6.5-2
rpm -e mysql-devel-3.23.52-3
rpm -e perl-DBD-MySQL-2.1017-3 MySQL-python-0.9.1-4 mysql-server-3.23.52-3 mysql-3.23.52-3
Build zlib first:
# cd /build/zlib-1.1.4
# cp Makefile Makefile.orig
Edit the Makefile that comes with zlib and change the line:
CC=cc
to
CC=gcc
# make
# make test
hello world
uncompress(): hello, hello!
gzread(): hello, hello!
gzgets() after gzseek: hello!
inflate(): hello, hello!
large_inflate(): OK
after inflateSync(): hello, hello!
inflate with dictionary: hello, hello!
*** zlib test OK ***
# make install
Compile OpenSSL
Grab the source from http://www.openssl.org/source/openssl-0.9.7d.tar.gz
or
http://www.csse.monash.edu.au/~debbiep/palm/update-episodes/
http://ws.harcourt.com/pub/soft/src/openssl-0.9.7d.tar.gz
and save it into /build/openssl-0.9.7d.tar.gz
Uncompress and untar it:
# cd /build/openssl-0.9.7d
# ./config --prefix=/usr/local --openssldir=/usr/local/openssl shared
# make
# make test
# make install
# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
# ldconfig
# openssl version
OpenSSL 0.9.7d 17 Mar 2004
Build OpenSSH
First create the privilege separation directory:
# mkdir -p /var/chroot/sshd
# chown root:root /var/chroot
# chown root:root /var/chroot/sshd
# chmod 700 /var/chroot/sshd
Create the Privilege separation user sshd:
# userdel sshd
# groupdel sshd
# groupadd -g 5101 sshd
# useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd
# chown root /var/chroot/sshd
# chgrp root /var/chroot/sshd
Verify
# id sshd
uid=5101(sshd) gid=5101(sshd) groups=5101(sshd)
Build OpenSSH
# cd /build/openssh-3.8.1p1
# ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --with-ssl-dir=/build/openssl-0.9.7d --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/chroot/sshd
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
KerberosV support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/build/openssl-0.9.7d/include
Linker flags: -L/build/openssl-0.9.7d -L/usr/local/lib -L/usr/lib -L/usr/X11R6/lib
Libraries: -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
# make
# make install
Verify the installation is good:
# ssh -V
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
Generate the host keys if they do not already exist:
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
Now build Apache:
# cd /build/httpd-2.0.49
# export SSL_BASE=/usr/local/openssl
# LIBS="-lpthread"; export LIBS
# LDFLAGS="-lpthread"; export LDFLAGS
# unset CFLAGS
# ./configure --prefix=/usr/local/httpd \
--enable-ssl --with-ssl=/usr/local/openssl \
--enable-so \
--enable-mods-shared=all \
--enable-access=shared --enable-auth=shared --enable-auth_anon=shared \
--enable-auth_dbm=shared --enable-auth_digest=shared --enable-include=shared \
--enable-log_config=shared --enable-env=shared --enable-mime_magic=shared \
--enable-cern_meta=shared --enable-expires=shared --enable-headers=shared \
--enable-usertrack=shared --enable-unique_id=shared --enable-setenvif=shared \
--enable-mime=shared --enable-dav=shared --enable-status=shared \
--enable-autoindex=shared --enable-asis=shared --enable-info=shared \
--enable-cgi=shared --enable-dav_fs=shared --enable-vhost_alias=shared \
--enable-negotiation=shared --enable-dir=shared --enable-imap=shared \
--enable-actions=shared --enable-speling=shared --enable-userdir=shared \
--enable-alias=shared --enable-rewrite=shared --enable-proxy=shared \
--enable-proxy_ftp=shared --enable-proxy_http=shared \
--enable-proxy_connect=shared --enable-rule=SHARED_CORE \
--verbose
# make
# make install
Shutdown the old Apache:
# /etc/init.d/httpd stop
Finally, fix up Apache:
# mkdir -p /var/run/httpd
# chown apache:apache /var/run/httpd
# chmod 755 /var/run/httpd
# mkdir /usr/local/httpd/conf.d
# cp /usr/local/httpd/conf/httpd.conf /usr/local/httpd/conf/httpd.conf.orig
Move the ssl include file to conf.d:
# mv /usr/local/httpd/conf/ssl.conf /usr/local/httpd/conf.d/ssl.conf
Edit /usr/local/httpd/conf/httpd.conf
Change the line:
ServerAdmin you@your.address
to
ServerAdmin nicadmin@harcourt.com
and the line:
#ServerName new.host.name:80
to
ServerName my.host.com:80
or similar
and the lines:
User nobody
Group #-1
to
User apache
Group apache
Add the following lines below the Listen statement:
# Load config files from the config directory "/usr/local/httpd/conf.d".
#
Include /usr/local/httpd/conf.d/*.conf
Change the PidFile line to:
PidFile /var/run/httpd/httpd.pid
Comment out the original ssl include lines:
#
# Include conf/ssl.conf
#
or
#
#LoadModule ssl_module modules/mod_ssl.so
#
Save and exit.
Edit the ssl.conf file /usr/local/httpd/conf.d/ssl.conf and add the following
line near the top above all other statements:
LoadModule ssl_module modules/mod_ssl.so
Remove the lines:
and
Comment out the following lines since we are using virtual hosting:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#SSLEngine on
and
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server-dsa.crt
and
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key
and
#
and
#
Save and exit.
Try to start the server again:
# /usr/local/httpd/bin/apachectl startssl
# ps -ef | grep http
nobody 17474 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start
root 17470 1 14 19:28:25 ? 0:03 /usr/local/httpd/bin/httpd -k start
nobody 17475 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start
nobody 17471 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start
nobody 17473 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start
nobody 17472 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start
Now update the init script:
# mv /etc/init.d/httpd /etc/init.d/httpd.orig_redhat
Create the file /etc/init.d/httpd with the following lines:
#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd/httpd.pid
# config: /usr/local/httpd/conf/httpd.conf
# Source the Redhat function library; the daemon, killproc, status and
# failure helpers used below are expected to come from it.
. /etc/rc.d/init.d/functions
# Optional per-host overrides (e.g. OPTIONS); only read when the file exists.
[ -f /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Short name used in status messages, then the server binary and the
# apachectl wrapper it was installed with.
prog=httpd
httpd=/usr/local/httpd/bin/httpd
apachectl=/usr/local/httpd/bin/apachectl
# Exit status of the script; updated by the action handlers below.
RETVAL=0
# check for 1.3 configuration
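check13 () {
  # Refuse to run with Apache 1.3-only directives in the config file.
  # $1 (optional): config file to scan; defaults to the 2.0 httpd.conf.
  # On a match: prints a diagnostic to stderr, calls failure() and exits 1.
  # Otherwise returns 0.
  local conffile=${1:-/usr/local/httpd/conf/httpd.conf}
  local gone="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
  gone="${gone}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
  gone="${gone}AccessConfig|ResourceConfig)"
  # Match at line start, case-insensitively (Apache directive names are
  # case-insensitive); leading whitespace is allowed.
  if grep -Eiq "^[[:space:]]*${gone}" "$conffile"; then
    echo
    echo 1>&2 " Apache 1.3 configuration directives found"
    # NOTE(review): this path belongs to the httpd-2.0.40 rpm that is removed
    # earlier in this procedure; point it at the 2.0.49 manual's migration page.
    echo 1>&2 " please read /usr/share/doc/httpd-2.0.40/migration.html"
    failure "Apache 1.3 config directives test"
    echo
    exit 1
  fi
}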
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
  # Start the server via daemon() after the 1.3-directive check; record the
  # status in RETVAL, create the subsys lock on success, and return RETVAL.
  echo -n $"Starting $prog: "
  check13 || exit 1
  # OPTIONS is intentionally unquoted so it can carry several arguments.
  daemon $httpd $OPTIONS
  RETVAL=$?
  echo
  if [ "$RETVAL" = 0 ]; then
    touch /var/lock/subsys/httpd
  fi
  return $RETVAL
}
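stop() {
  # Stop the server via killproc(); record the status in RETVAL, remove the
  # subsys lock and pid file on success, and return RETVAL (start() does the
  # same, so callers can rely on the status either way).
  echo -n $"Stopping $prog: "
  killproc $httpd
  RETVAL=$?
  echo
  if [ "$RETVAL" = 0 ]; then
    rm -f /var/lock/subsys/httpd /var/run/httpd/httpd.pid
  fi
  return $RETVAL
}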
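reload() {
  # Ask the running server to reread its config (SIGHUP via killproc) after
  # the 1.3-directive check; record the status in RETVAL and return it, as
  # start() does.
  echo -n $"Reloading $prog: "
  check13 || exit 1
  killproc $httpd -HUP
  RETVAL=$?
  echo
  return $RETVAL
}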
# See how we were called.
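# Dispatch on the requested action; RETVAL becomes the script's exit status.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status $httpd
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  condrestart)
    # Only restart if a pid file says the server was running.
    if [ -f /var/run/httpd/httpd.pid ] ; then
      stop
      start
    fi
    ;;
  reload)
    reload
    ;;
  graceful|help|configtest|fullstatus)
    # Pass these through to apachectl; "$@" keeps each argument intact
    # (the unquoted form would re-split arguments containing spaces).
    $apachectl "$@"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
    exit 1
esac
exit $RETVAL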
Save and exit.
# chmod +x /etc/init.d/httpd
# chkconfig --add httpd
# chkconfig --level 1 httpd off
# chkconfig --level 2 httpd off
# chkconfig --level 3 httpd on