posted by Justin Piszcz on Mon 7th Jun 2004 05:37 UTC

"Relink, Page 3/5"

Example: Install OpenSSH and OpenSSL

Step 01: Download the OpenSSL and OpenSSH source tarballs

jpiszcz@jpt2:~$ wget ftp://ftp.openssl.org/source/openssl-0.9.7d.tar.gz
--23:20:12--  ftp://ftp.openssl.org/source/openssl-0.9.7d.tar.gz
           => `openssl-0.9.7d.tar.gz'
Resolving ftp.openssl.org... 195.27.176.155
Connecting to ftp.openssl.org[195.27.176.155]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /source ... done.
==> PORT ... done.    ==> RETR openssl-0.9.7d.tar.gz ... done.
Length: 2,798,433 (unauthoritative)

100%[====================================>] 2,798,433     90.19K/s    ETA 00:00

23:20:45 (86.64 KB/s) - `openssl-0.9.7d.tar.gz' saved [2798433]

jpiszcz@jpt2:~$
jpiszcz@jpt2:~$ wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.8.1p1.tar.gz

--23:23:05--  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.8.1p1.tar.gz
           => `openssh-3.8.1p1.tar.gz'
Resolving ftp.openbsd.org... 129.128.5.191
Connecting to ftp.openbsd.org[129.128.5.191]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/OpenBSD/OpenSSH/portable ... done.
==> PORT ... done.    ==> RETR openssh-3.8.1p1.tar.gz ... done.
Length: 817,932 (unauthoritative)

100%[====================================>] 817,932       23.20K/s    ETA 00:00

23:23:29 (42.98 KB/s) - `openssh-3.8.1p1.tar.gz' saved [817932]

jpiszcz@jpt2:~$ 

Step 02: Decompress the tarballs

jpiszcz@jpt2:~$ tar zxf openssl-0.9.7d.tar.gz
jpiszcz@jpt2:~$ tar zxf openssh-3.8.1p1.tar.gz
jpiszcz@jpt2:~$

Step 03: Run ./config

OpenSSL has its own 'config' script. Earlier versions seemed to have supported a prefix option, but the newest does not.
jpiszcz@jpt2:~$ cd openssl-0.9.7d
jpiszcz@jpt2:~/openssl-0.9.7d$ ./config
Operating system: i686-whatever-linux2
Configuring for linux-pentium
.. various tests here ..
jpiszcz@jpt2:~/openssl-0.9.7d$

Step 03: Edit Makefile

jpiszcz@jpt2:~$ cd openssl-0.9.7d
jpiszcz@jpt2:~/openssl-0.9.7d$ vi Makefile
The part you need to change is here:
# INSTALL_PREFIX is for package builders so that they can configure
# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
INSTALL_PREFIX=
INSTALLTOP=/usr/local/ssl

Change INSTALL_PREFIX= to INSTALL_PREFIX=/app
and 
INSTALLTOP= to INSTALLTOP=/openssl-0.9.7d

So when done, it should look like this:

# INSTALL_PREFIX is for package builders so that they can configure
# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
INSTALL_PREFIX=/app
INSTALLTOP=/openssl-0.9.7d

Step 04: Run make to compile the program

jpiszcz@jpt2:~/openssl-0.9.7d$ /usr/bin/time make -j2
Some users may be curious as to why I used the -j2 option (especially when I only have a single CPU in my machine). Running make without the -j2 option is perfectly fine. With the -j2 (jobs: 2) option, make runs two jobs simultaneously instead of using one thread for compiling. Therefore make -j2 usually results in faster compilation times, depending upon what you are compiling.

Some may also be curious as to why this is. That has to do with the Linux process scheduler, and that is a topic for another day.

Step 05: Run make install

jpiszcz@jpt2:~/openssl-0.9.7d$ make install
.. various installer information here ..
make[1]: Entering directory `/home/jpiszcz/openssl-0.9.7d/tools'
make[1]: Leaving directory `/home/jpiszcz/openssl-0.9.7d/tools'
installing libcrypto.a
installing libssl.a
cp openssl.pc /app/openssl-0.9.7d/lib/pkgconfig
chmod 644 /app/openssl-0.9.7d/lib/pkgconfig/openssl.pc
jpiszcz@jpt2:~/openssl-0.9.7d$ 

Step 06: Shared or Static?

This is also a discussion for another time. However, most programs in Linux are built using shared libraries, as this offers many benefits over building them statically; please search Google for more information about why this is so.

We want a shared OpenSSL library! By default, OpenSSL 0.9.7d does not compile or install a shared library. To remedy this problem:

jpiszcz@jpt2:~/openssl-0.9.7d$ make build-shared
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.7
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.7
libs='-L. '; for i in crypto ssl; do \
if [ "crypto ssl" = "ssl" -a -n "" ]; then \
        libs=" $libs"; \
fi; \
( set -x; gcc  \
        -shared -o lib$i.so.0.9.7 \
        -Wl,-soname=lib$i.so.0.9.7 \
        -Wl,-Bsymbolic \
        -Wl,--whole-archive lib$i.a \
        -Wl,--no-whole-archive $libs -ldl -lc ) || exit 1; \
libs="-l$i $libs"; \
done
+ gcc -shared -o libcrypto.so.0.9.7 -Wl,-soname=libcrypto.so.0.9.7 -Wl,-Bsymbolic \
 -Wl,--whole-archive libcrypto.a -Wl,--no-whole-archive -L. -ldl -lc
+ gcc -shared -o libssl.so.0.9.7 -Wl,-soname=libssl.so.0.9.7 -Wl,-Bsymbolic -Wl, \
--whole-archive libssl.a -Wl,--no-whole-archive -lcrypto -L. -ldl -lc
+ rm -f libcrypto.so.0
+ ln -s libcrypto.so.0.9.7 libcrypto.so.0
+ rm -f libcrypto.so
+ ln -s libcrypto.so.0 libcrypto.so
+ rm -f libssl.so.0
+ ln -s libssl.so.0.9.7 libssl.so.0
+ rm -f libssl.so
+ ln -s libssl.so.0 libssl.so
jpiszcz@jpt2:~/openssl-0.9.7d$

Step 07: Install the shared library

If you thought make install would do it, you would be mistaken. Simply move the libraries to the app/lib directory and relink!
jpiszcz@jpt2:~/openssl-0.9.7d$ mv *.so* /app/openssl-0.9.7d/lib
jpiszcz@jpt2:~/openssl-0.9.7d$ relink # I had previously relinked
  6 link(s) installed                 # before moving the libraries,
jpiszcz@jpt2:~/openssl-0.9.7d$        # so only the library-related
                                      # files are relinked at this
                                      # time.
Congratulations, you have successfully built and installed OpenSSL with shared libraries! Now for OpenSSH...

Step 08: Installing OpenSSH

In recent versions, OpenSSH requires a user (sshd) by default.

Slackware 9.1 has this user added by default. If this user is not present, you must add it.

jpiszcz@jpt2:~/openssl-0.9.7d$ grep -i sshd /etc/passwd
sshd:x:33:33:sshd:/:
jpiszcz@jpt2:~/openssl-0.9.7d$
Next, view the available options to compile OpenSSH.

jpiszcz@jpt2:~/openssl-0.9.7d$ cd ~/openssh-3.8.1p1
jpiszcz@jpt2:~/openssh-3.8.1p1$ ./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR           user executables [EPREFIX/bin]
  --sbindir=DIR          system admin executables [EPREFIX/sbin]
  --libexecdir=DIR       program executables [EPREFIX/libexec]
  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
  --libdir=DIR           object code libraries [EPREFIX/lib]
  --includedir=DIR       C header files [PREFIX/include]
  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
  --infodir=DIR          info documentation [PREFIX/info]
  --mandir=DIR           man documentation [PREFIX/man]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       build programs to run on HOST [BUILD]

Optional Features:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-largefile     omit support for large files
  --disable-strip         Disable calling strip(1) on install
  --disable-etc-default-login       Disable using PATH from /etc/default/login no
  --disable-lastlog       disable use of lastlog even if detected no
  --disable-utmp          disable use of utmp even if detected no
  --disable-utmpx         disable use of utmpx even if detected no
  --disable-wtmp          disable use of wtmp even if detected no
  --disable-wtmpx         disable use of wtmpx even if detected no
  --disable-libutil       disable use of libutil (login() etc.) no
  --disable-pututline     disable use of pututline() etc. (uwtmp) no
  --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --without-rpath         Disable auto-added -R linker paths
  --with-osfsia           Enable Digital Unix SIA
  --with-cflags           Specify additional flags to pass to compiler
  --with-cppflags         Specify additional flags to pass to preprocessor
  --with-ldflags          Specify additional flags to pass to linker
  --with-libs             Specify additional libraries to link with
  --with-zlib=PATH        Use zlib in PATH
  --without-zlib-version-check Disable zlib version check
  --with-skey[=PATH]      Enable S/Key support
                            (optionally in PATH)
  --with-tcp-wrappers[=PATH]      Enable tcpwrappers support
                            (optionally in PATH)
  --with-pam              Enable PAM support
  --with-ssl-dir=PATH     Specify path to OpenSSL installation
  --with-rand-helper      Use subprocess to gather strong randomness
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
  --with-entropy-timeout  Specify entropy gathering command timeout (msec)
  --with-privsep-user=user Specify non-privileged user for privilege separation
  --with-sectok           Enable smartcard support using libsectok
  --with-opensc=PFX       Enable smartcard support using OpenSC
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
  --with-mantype=man|cat|doc  Set man page type
  --with-md5-passwords    Enable use of MD5 passwords
  --without-shadow        Disable shadow password support
  --with-ipaddr-display   Use ip address instead of hostname in \$DISPLAY
  --with-default-path=    Specify default \$PATH environment for server
  --with-superuser-path=  Specify different path for super-user
  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses
  --with-bsd-auth         Enable BSD auth support
  --with-pid-dir=PATH     Specify location of ssh.pid file
  --with-lastlog=FILE|DIR specify lastlog location common locations

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
              headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

jpiszcz@jpt2:~/openssh-3.8.1p1$

Step 09: Configure the OpenSSH build

jpiszcz@jpt2:~/openssh-3.8.1p1$ ./configure --prefix=/app/openssh-3.8.1p1
.. configure status ..
Important output from configure to pay attention to:
checking OpenSSL header version... 90704f (OpenSSL 0.9.7d 17 Mar 2004)
checking OpenSSL library version... 90704f (OpenSSL 0.9.7d 17 Mar 2004)
checking whether OpenSSL's headers match the library... yes
checking for crypt in -lcrypt... yes
checking whether OpenSSL's PRNG is internally seeded... yes

If this does not detect your version of OpenSSL, some programs may need this option:
  --with-ssl-dir=PATH     Specify path to OpenSSL installation

Without the --with-ssl-dir option specified, we get:
Preprocessor flags:
      Linker flags:

This shows that it is building off of your distribution's inclusion of OpenSSL (somewhere in /usr).

In the previous text, I described the GCC environment variables. These allow configure to find 70-90% of your applications in /app without having to use such an option (--with-ssl-dir). However, for some applications, it may be necessary to tell them explicitly where the appropriate application or library is located.

For example: ./configure --prefix=/app/openssh-3.8.1p1 \
                         --with-ssl-dir=/app/openssl-0.9.7d
Therefore, --with-ssl-dir is required for OpenSSH if you want it to compile against the version that you have just installed in /app. Not all programs require this. Another solution is to remove all duplicate software on your system and keep everything in /app.

The ending (most important output is listed):

configure: creating ./config.status
config.status: creating Makefile
config.status: creating openbsd-compat/Makefile
config.status: creating scard/Makefile
config.status: creating ssh_prng_cmds
config.status: creating config.h
config.status: config.h is unchanged

OpenSSH has been configured with the following options:
                     User binaries: /app/openssh-3.8.1p1/bin
                   System binaries: /app/openssh-3.8.1p1/sbin
               Configuration files: /app/openssh-3.8.1p1/etc
                   Askpass program: /app/openssh-3.8.1p1/libexec/ssh-askpass
                      Manual pages: /app/openssh-3.8.1p1/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/app/openssh-3.8.1p1/bin
                    Manpage format: doc
                       PAM support: no
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/app/openssl-0.9.7d/include
      Linker flags: -L/app/openssl-0.9.7d/lib
         Libraries:   -lresolv -lcrypto -lutil -lz -lnsl  -lcrypt

jpiszcz@jpt2:~/openssh-3.8.1p1$

As you can now see, it will build off of the correct library.

Step 10 - Install OpenSSH

gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o ssh-keyscan ssh-keyscan.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lssh -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o ssh-keysign ssh-keysign.o readconf.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o ssh-agent ssh-agent.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o scp scp.o progressmeter.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o ssh-rand-helper ssh-rand-helper.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o sftp-server sftp-server.o sftp-common.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -L/app/openssl-0.9.7d/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
jpiszcz@jpt2:~/openssh-3.8.1p1$ make install
.. installer information here ..
mkdir /app/openssh-3.8.1p1/etc
Generating public/private rsa1 key pair.
Your identification has been saved in /app/openssh-3.8.1p1/etc/ssh_host_key.
Your public key has been saved in /app/openssh-3.8.1p1/etc/ssh_host_key.pub.
The key fingerprint is:
35:57:5e:88:34:9f:96:32:4b:69:21:4a:f2:48:06:be jpiszcz@jpt2
Generating public/private dsa key pair.
Your identification has been saved in /app/openssh-3.8.1p1/etc/ssh_host_dsa_key.
Your public key has been saved in /app/openssh-3.8.1p1/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
28:4f:27:7a:6d:46:6b:18:ef:2a:35:d4:61:6c:4a:94 jpiszcz@jpt2
Generating public/private rsa key pair.
Your identification has been saved in /app/openssh-3.8.1p1/etc/ssh_host_rsa_key.
Your public key has been saved in /app/openssh-3.8.1p1/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
71:fd:be:27:73:1f:91:fa:f3:a1:f7:a6:9c:5f:e3:b4 jpiszcz@jpt2
/app/openssh-3.8.1p1/sbin/sshd -t -f /app/openssh-3.8.1p1/etc/sshd_config
jpiszcz@jpt2:~/openssh-3.8.1p1$

You may get an error about /var/empty. If you do, this is how you fix it:
root@jpt2:~# chmod 700 /var/empty
root@jpt2:~# chown root:root /var/empty
NOTE: You *MUST* fix the error about /var/empty if you get one or the ssh daemon will not work properly.

Step 12 - Run relink!

jpiszcz@jpt2:~/openssh-3.8.1p1$ relink
  44 link(s) installed
jpiszcz@jpt2:~/openssh-3.8.1p1$
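
Added example (not part of the original article): the -L/app/openssl-0.9.7d/lib path in the Step 09 configure summary is a link-time setting, while the libcrypto that the installed binaries load at run time is chosen by the dynamic loader. The function below classifies ldd output to confirm the /app copy is the one resolved. The function names, the sample ldd text and the assumption that /app/lib is on the loader's search path are illustrative, not taken from the article.

```sh
#!/bin/sh
# Added example, not from the original article.
# Reads `ldd` output on stdin and classifies where libcrypto resolves.
# Return status: 0 = under the expected prefix
#                1 = resolved somewhere else (e.g. the distribution copy)
#                2 = not listed, or listed as "not found"
libcrypto_origin() {
    expected_prefix=$1
    # ldd lines look like: "libcrypto.so.0.9.7 => /path/libcrypto.so.0.9.7 (0xADDR)"
    path=$(awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }')
    case $path in
        ''|not)               return 2 ;;   # no line, or "=> not found"
        "$expected_prefix"/*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Convenience wrapper for a binary you built yourself, e.g.
#   check_binary /app/openssh-3.8.1p1/sbin/sshd /app
check_binary() {
    ldd "$1" | libcrypto_origin "$2"
}

# Constructed sample ldd output (paths and addresses are illustrative).
SAMPLE_APP='    libcrypto.so.0.9.7 => /app/lib/libcrypto.so.0.9.7 (0x40030000)
    libc.so.6 => /lib/libc.so.6 (0x40200000)'
SAMPLE_DISTRO='    libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40030000)
    libc.so.6 => /lib/libc.so.6 (0x40200000)'
SAMPLE_MISSING='    libcrypto.so.0.9.7 => not found
    libc.so.6 => /lib/libc.so.6 (0x40200000)'

# Run the classifier over each constructed sample.
for sample in "$SAMPLE_APP" "$SAMPLE_DISTRO" "$SAMPLE_MISSING"; do
    rc=0
    printf '%s\n' "$sample" | libcrypto_origin /app || rc=$?
    echo "libcrypto origin status: $rc"
done
```

A status of 1 means the binary was linked against the /app headers and library but loads a different libcrypto at run time, so a later update to the /app copy would not reach the running sshd.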