Build OpenSSH with static linked zlib and OpenSSL libraries

openssh-build-static.sh

#!/bin/sh

set -u
set -e
umask 0077

prefix="/opt/openssh"
top="$(pwd)"
root="$top/root"
build="$top/build"

export CPPFLAGS="-I$root/include -L."

rm -rf "$root" "$build"
mkdir -p "$root" "$build"

gzip -dc dist/zlib-*.tar.gz |(cd "$build" && tar xf -)
cd "$build"/zlib-*
./configure --prefix="$root" --static
make
make install
cd "$top"

gzip -dc dist/openssl-*.tar.gz |(cd "$build" && tar xf -)
cd "$build"/openssl-*
./config --prefix="$root" no-shared
make
make install
cd "$top"

gzip -dc dist/openssh-*.tar.gz |(cd "$build" && tar xf -)
cd "$build"/openssh-*
cp -p "$root"/lib/*.a .
[ -f sshd_config.orig ] || cp -p sshd_config sshd_config.orig
sed \
  -e 's/^#\(PubkeyAuthentication\) .*/\1 yes/' \
  -e '/^# *Kerberos/d' \
  -e '/^# *GSSAPI/d' \
  -e 's/^#\([A-Za-z]*Authentication\) .*/\1 no/' \
  sshd_config.orig \
  >sshd_config \
;
./configure --prefix="$prefix" --with-privsep-user=nobody --with-privsep-path="$prefix/var/empty"
make
#make install
cd "$top"

@ngaro not working on ubuntu 2004 ZLIB_VERSION=1.3.1 OPENSSL_VERSION=3.4.0 OPENSSH_VERSION=V_9_9_P1

Building OpenSSH V_9_9_P1 failed
/usr/bin/ld: ./libssh.a(ssh-pkcs11.o): in function `pkcs11_register_provider':
ssh-pkcs11.c:(.text+0x4873): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ./libssh.a(misc.o): in function `subprocess':
misc.c:(.text+0x7dc2): warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ./libssh.a(misc.o): in function `tilde_expand':
misc.c:(.text+0x2c73): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ssh.o: in function `main':
ssh.c:(.text+0x1cba): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ssh.o: in function `resolve_host':
ssh.c:(.text+0x48c): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /tmp/hgmSi/root/lib64/libcrypto.a(libcrypto-lib-bio_sock.o): in function `BIO_gethostbyname':
bio_sock.c:(.text+0x3ca): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: readconf.o: in function `default_ssh_port':
readconf.c:(.text+0xb0c): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /tmp/hgmSi/root/lib64/libcrypto.a(libcrypto-lib-dso_dlfcn.o): in function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x88b): undefined reference to `dladdr'
collect2: error: ld returned 1 exit status
make: *** [Makefile:215: ssh] Error 1
+ echo Building OpenSSH V_9_9_P1 failed
+ exit 1

Thanks a lot for your script, you saved my life :-) RHEL 9.5 native ssh breaks connecting to the ILO of an HP server, I had to recompile a statically linked more recent version.

I just built with @ngaro 's script using:
ZLIB_VERSION=1.3.1
OPENSSL_VERSION=3.5.2
OPENSSH_VERSION=V_9_9_P2

Note that the build benefits hugely from editing the plain make in each of the *_BUILD_COMMANDS to "make -j16" (or whatever your cpu count is)

The way the script is written is not strictly correct.

--prefix is intended to describe the directory the package will finally reside in. So a user install would typically have /usr/local and an OS level would use / or /usr

then DESTDIR is used in the install phase to install to a certain dir. This dir is often packaged up (eg rpm/deb) and forms the overlay for installations.