fumiyas/openssh-build-static.sh

ngaro · 2024-08-09T17:24:37Z

Improved version:

Build OpenSSH really static this time
Lot's of checks
Some bugfixes
Remove unnecessary code (including messing with sshd_config)
Less assumptions
Readable code
Build() function to skip things that happen multiple times
Comments to clarify what happens
Versions updated
Warn before running

#!/usr/bin/env sh

ZLIB_VERSION=1.3.1
OPENSSL_VERSION=3.2.0
OPENSSH_VERSION=V_9_6_P1

prefix="/opt/openssh" # Installation directory of OpenSSH 
top="$(pwd)"          # Directory where we will download and compile everything (current directory)
root="$top/root"      # Subdirectory where we will install everything.
build="$top/build"    # Subdirectory where we will compile everything.
dist="$top/dist"      # Subdirectory where we will download everything.

ZLIB_DIR="zlib-${ZLIB_VERSION}"
ZLIB_TGZ="$ZLIB_DIR.tar.gz"
ZLIB_URL="https://zlib.net/${ZLIB_TGZ}"
ZLIB_CHECKFILE="lib/libz.a"
#Make sure it ends up in $root/lib(64), --static is needed because zlib doesn't like that you build static if you don't mention it before
ZLIB_BUILD_COMMANDS="./configure --prefix=\"$root\" --static && make && make install"

OPENSSL_DIR="openssl-${OPENSSL_VERSION}"
OPENSSL_TGZ="$OPENSSL_DIR.tar.gz"
OPENSSL_URL="https://www.openssl.org/source/${OPENSSL_TGZ}"
OPENSSL_CHECKFILE="bin/openssl"
OPENSSL_BUILD_COMMANDS="./config --prefix=\"$root\" no-tests && make && make install" #Make sure it ends up in $root/lib(64) and don't waste time with tests

OPENSSH_DIR="openssh-portable-${OPENSSH_VERSION}"
OPENSSH_TGZ="$OPENSSH_DIR.tar.gz"
OPENSSH_URL="https://github.com/openssh/openssh-portable/archive/refs/tags/${OPENSSH_VERSION}.tar.gz"
OPENSSH_CHECKFILE="bin/ssh"
#Make sure it ends up in $root/bin, that it drops privileges and that it should use the OpenSSL instead of the one that comes with the ssh source code
OPENSSH_BUILD_COMMANDS="autoreconf && ./configure --prefix=\"$root\" --exec-prefix=\"$root\" --with-privsep-user=nobody --with-ssl-dir=\"$root\" && make && make install"

read -p "We will be working in $top, things might get messy (t)here. Press Ctrl+C to cancel now or Enter to continue" ignorethisvariable

set -uex    # Show each command before executing it and exits when a command returns a non-zero exit code or a variable is used without being set
umask 0077  # Make sure that no one except the owner can read, write, or execute newly created files

export "CPPFLAGS=-I$root/include -L. -fPIC -pthread"; export "CFLAGS=$CPPFLAGS" # Compiler will look for headers in $root/include, libraries in the current directory and generate position-independent code and use pthreads
export "LDFLAGS=-L$root/lib -L$root/lib64 -static" # Linker will look for libraries in $root/lib and $root/lib64 and link statically

#Check if everything needed is available
autoreconf --version || { echo "You still need to install autoconf"; exit 1; }
aclocal --version || { echo "You still need to install automake"; exit 1; }
curl --version || { echo "You still need to install curl"; exit 1; }
perl -v || { echo "You still need to install perl"; exit 1; } # OpenSSL's ./configure needs perl
make --version || { echo "You still need to install make"; exit 1; }
gcc --version || { echo "You still need to install gcc"; exit 1; }
[ -f /usr/include/linux/mman.h ] || { echo "You don't have the Linux kernel headers installed"; exit 1; }
echo "#include <stdio.h>" | gcc -E - -o /dev/null || { echo "You still need to install the C library development files"; exit 1; }

mkdir -p "$root" "$build" "$dist" # Create directories if they don't exist

build() {
    local name="$1"; local version="$2"; local dir="$3"; local tgz="$4"; local url="$5"; local checkfile="$6"; local buildcommands="$7"
    if [ ! -f "$root/$checkfile" ]; then # Only skip this stage if we have already have a correctly $name $version
        echo "---- Building $name $version -----"
        rm -rf "$build/$dir" # Remove garbage from previous failed builds
        if [ ! -f "$dist/$tgz" ]; then # If we didn't download the source code yet
            curl --output $dist/$tgz --location $url  # Download the source code
        fi
        tar -C $build -xzf $dist/$tgz || { echo "Extracting $dist/$tgz failed, probably because the download failed"; exit 1; } # Extract the source code
        cd "$build"/$dir
        eval $buildcommands || { echo "Building $name $version failed"; exit 1; }
    else
        echo "---- We already have $name $version -----"
    fi
    cd "$top"
}

build "ZLIB" "$ZLIB_VERSION" "$ZLIB_DIR" "$ZLIB_TGZ" "$ZLIB_URL" "$ZLIB_CHECKFILE" "$ZLIB_BUILD_COMMANDS"
build "OpenSSL" "$OPENSSL_VERSION" "$OPENSSL_DIR" "$OPENSSL_TGZ" "$OPENSSL_URL" "$OPENSSL_CHECKFILE" "$OPENSSL_BUILD_COMMANDS"
build "OpenSSH" "$OPENSSH_VERSION" "$OPENSSH_DIR" "$OPENSSH_TGZ" "$OPENSSH_URL" "$OPENSSH_CHECKFILE" "$OPENSSH_BUILD_COMMANDS"

echo "Everything done. You can find the statically linked OpenSSH binaries in $root/bin"

bronze1man · 2024-12-09T06:48:36Z

@ngaro not working on ubuntu 2004 ZLIB_VERSION=1.3.1 OPENSSL_VERSION=3.4.0 OPENSSH_VERSION=V_9_9_P1

Building OpenSSH V_9_9_P1 failed
/usr/bin/ld: ./libssh.a(ssh-pkcs11.o): in function `pkcs11_register_provider':
ssh-pkcs11.c:(.text+0x4873): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ./libssh.a(misc.o): in function `subprocess':
misc.c:(.text+0x7dc2): warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ./libssh.a(misc.o): in function `tilde_expand':
misc.c:(.text+0x2c73): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ssh.o: in function `main':
ssh.c:(.text+0x1cba): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ssh.o: in function `resolve_host':
ssh.c:(.text+0x48c): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /tmp/hgmSi/root/lib64/libcrypto.a(libcrypto-lib-bio_sock.o): in function `BIO_gethostbyname':
bio_sock.c:(.text+0x3ca): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: readconf.o: in function `default_ssh_port':
readconf.c:(.text+0xb0c): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /tmp/hgmSi/root/lib64/libcrypto.a(libcrypto-lib-dso_dlfcn.o): in function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x88b): undefined reference to `dladdr'
collect2: error: ld returned 1 exit status
make: *** [Makefile:215: ssh] Error 1
+ echo Building OpenSSH V_9_9_P1 failed
+ exit 1

javaonekenobi · 2025-01-18T19:43:43Z

Thanks a lot for your script, you saved my life :-) RHEL 9.5 native ssh breaks connecting to the ILO of an HP server, I had to recompile a statically linked more recent version.

lbt-boa · 2025-11-19T13:19:35Z

I just built with @ngaro 's script using:
ZLIB_VERSION=1.3.1
OPENSSL_VERSION=3.5.2
OPENSSH_VERSION=V_9_9_P2

Note that the build benefits hugely from editing the plain make in each of the *_BUILD_COMMANDS to "make -j16" (or whatever your cpu count is)

The way the script is written is not strictly correct.

--prefix is intended to describe the directory the package will finally reside in. So a user install would typically have /usr/local and an OS level would use / or /usr

then DESTDIR is used in the install phase to install to a certain dir. This dir is often packaged up (eg rpm/deb) and forms the overlay for installations.

	#!/bin/sh

	set -u
	set -e
	umask 0077

	prefix="/opt/openssh"
	top="$(pwd)"
	root="$top/root"
	build="$top/build"

	export CPPFLAGS="-I$root/include -L."

	rm -rf "$root" "$build"
	mkdir -p "$root" "$build"

	gzip -dc dist/zlib-*.tar.gz \|(cd "$build" && tar xf -)
	cd "$build"/zlib-*
	./configure --prefix="$root" --static
	make
	make install
	cd "$top"

	gzip -dc dist/openssl-*.tar.gz \|(cd "$build" && tar xf -)
	cd "$build"/openssl-*
	./config --prefix="$root" no-shared
	make
	make install
	cd "$top"

	gzip -dc dist/openssh-*.tar.gz \|(cd "$build" && tar xf -)
	cd "$build"/openssh-*
	cp -p "$root"/lib/*.a .
	[ -f sshd_config.orig ] \|\| cp -p sshd_config sshd_config.orig
	sed \
	-e 's/^#\(PubkeyAuthentication\) .*/\1 yes/' \
	-e '/^# *Kerberos/d' \
	-e '/^# *GSSAPI/d' \
	-e 's/^#\([A-Za-z]Authentication\) ./\1 no/' \
	sshd_config.orig \
	>sshd_config \
	;
	./configure --prefix="$prefix" --with-privsep-user=nobody --with-privsep-path="$prefix/var/empty"
	make
	#make install
	cd "$top"

fumiyas/openssh-build-static.sh

Select an option

No results found

Select an option

No results found

ngaro commented Aug 9, 2024

Uh oh!

bronze1man commented Dec 9, 2024

Uh oh!

javaonekenobi commented Jan 18, 2025

Uh oh!

lbt-boa commented Nov 19, 2025

Uh oh!