@eruffaldi
Forked from fumiyas/openssh-build-static.sh
Last active January 4, 2024 07:23
Build OpenSSH with static linked zlib and OpenSSL libraries
```bash
#!/usr/bin/env bash
# Dependencies: curl gcc make autoconf
#
# Changes: 2024-01-03 Emanuele Ruffaldi
# Updated to latest libraries, modified for building openssh, added some if for debugging

set -uex
umask 0077

ZLIB_VERSION=1.3
OPENSSL_VERSION=3.2.0
OPENSSH_VERSION=V_9_6_P1

prefix="/opt/openssh"
top="$(pwd)"
root="$top/root"
build="$top/build"
dist="$top/dist"

export "CPPFLAGS=-I$root/include -L. -fPIC"
export "CFLAGS=-I$root/include -L. -fPIC"
export "LDFLAGS=-L$root/lib -L$root/lib64"

# COMMENT THIS for debugging the script. Each stage will cache download and build
rm -rf "$root" "$build" "$dist"
mkdir -p "$root" "$build" "$dist"

# zlib: skipped when a previous run already built it (minigzip is a build product).
if [ ! -f "$build/zlib-$ZLIB_VERSION/minigzip" ]; then
  echo "---- Building ZLIB -----"
  if [ ! -f "$dist/zlib-$ZLIB_VERSION.tar.gz" ]; then
    # --fail: abort on an HTTP error instead of saving the error page as the tarball
    curl --fail --output "$dist/zlib-$ZLIB_VERSION.tar.gz" --location "https://zlib.net/zlib-$ZLIB_VERSION.tar.gz"
    gzip -dc "$dist"/zlib-*.tar.gz | (cd "$build" && tar xf -)
  fi
  cd "$build"/zlib-*
  ./configure --prefix="$root" --static
  make
  make install
  cd "$top"
fi

# OpenSSL: skipped when libcrypto.a from a previous run is still in the build tree
# (the original tested for a file named "wow", which never exists, so this stage always ran).
if [ ! -f "$build/openssl-$OPENSSL_VERSION/libcrypto.a" ]; then
  echo "---- Building OpenSSL -----"
  if [ ! -f "$dist/openssl-$OPENSSL_VERSION.tar.gz" ]; then
    curl --fail --output "$dist/openssl-$OPENSSL_VERSION.tar.gz" --location "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"
    gzip -dc "$dist"/openssl-*.tar.gz | (cd "$build" && tar xf -)
  fi
  cd "$build"/openssl-*
  # no-shared: build only the static libssl.a / libcrypto.a
  ./config --prefix="$root" no-shared no-tests
  make
  make install
  cd "$top"
fi

# OpenSSH: always unpacked and rebuilt
if [ ! -f "$dist/openssh-$OPENSSH_VERSION.tar.gz" ]; then
  curl --fail --output "$dist/openssh-$OPENSSH_VERSION.tar.gz" --location "https://github.com/openssh/openssh-portable/archive/refs/tags/$OPENSSH_VERSION.tar.gz"
fi
gzip -dc "$dist"/openssh-*.tar.gz | (cd "$build" && tar xf -)
cd "$build"/openssh-*

# Copy the static libraries next to the sources (CFLAGS carries -L.)
cp -p "$root"/lib/*.a .

# Default sshd_config: enable public-key authentication, drop the commented
# Kerberos/GSSAPI entries, and set every other commented *Authentication option to "no".
[ -f sshd_config.orig ] || cp -p sshd_config sshd_config.orig
sed \
  -e 's/^#\(PubkeyAuthentication\) .*/\1 yes/' \
  -e '/^# *Kerberos/d' \
  -e '/^# *GSSAPI/d' \
  -e 's/^#\([A-Za-z]*Authentication\) .*/\1 no/' \
  sshd_config.orig \
  >sshd_config \
;

export PATH="$root/bin:$PATH"
autoreconf
./configure LIBS="-lpthread" "--prefix=$root" "--exec-prefix=$root" --with-privsep-user=nobody --with-privsep-path="$prefix/var/empty" "--with-ssl-dir=$root"
make
cd "$top"
```
@eruffaldi
Author

Tested on Ubuntu 22.04: the ldd on sshd shows the dependencies on libc and libcrypt:

```
linux-vdso.so.1 (0x00007ffe74d60000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f330d960000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f330d738000)
/lib64/ld-linux-x86-64.so.2 (0x00007f330dff4000)
```

The libc dependency can be removed by using uClibc, while libcrypt could be sourced from Debian.

For Debian, libcrypt is provided by the libxcrypt upstream (https://packages.debian.org/source/sid/libxcrypt) with source here: https://salsa.debian.org/md/libxcrypt/
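
The ldd check described in the comment above can be automated so that a build fails when zlib or OpenSSL end up dynamically linked after all. This is an added example, not code from the gist or its author; the function names are hypothetical and the allowlist is an assumption taken from the ldd output quoted above.

```shell
#!/bin/sh
# Added example, not part of the gist. Function names are hypothetical.

# Constructed sample: the ldd output quoted in the comment above.
sample_ldd_output() {
cat <<'EOF'
linux-vdso.so.1 (0x00007ffe74d60000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f330d960000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f330d738000)
/lib64/ld-linux-x86-64.so.2 (0x00007f330dff4000)
EOF
}

# Read ldd output on stdin; print each shared object that is not on the
# allowlist (vDSO, libc, libcrypt, the dynamic loader), one name per line.
unexpected_libs() {
  awk '
    NF == 0 { next }
    /not a dynamic executable|statically linked/ { next }  # fully static binary
    {
      name = $1
      sub(/^.*\//, "", name)   # loader line carries a full path; keep basename
      if (name ~ /^(linux-vdso|libc|libcrypt)\.so(\.[0-9]+)*$/) next
      if (name ~ /^ld-linux.*\.so(\.[0-9]+)*$/) next
      print name
    }'
}

# Return 0 when only allowlisted objects are loaded at run time, 1 otherwise.
# A hit such as libz.so.1, libssl.so.3 or libcrypto.so.3 means the static
# link did not take effect and sshd would load the system copy instead.
check_static_link() {
  extra="$(unexpected_libs)"
  if [ -n "$extra" ]; then
    echo "$extra" | sed 's/^/unexpected dynamic dependency: /' >&2
    return 1
  fi
  return 0
}

# After a real build: ldd "$build"/openssh-*/sshd | check_static_link
if sample_ldd_output | check_static_link; then
  echo "sshd: zlib and OpenSSL are not loaded dynamically"
fi
```
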

@eruffaldi
Author

Thanks to the original gist. The use case of this gist is for a system in which OpenSSH needs to be updated but the rest of the OS libraries cannot be updated.