openssh - Free version of the SSH protocol suite
ChangeLog
| Web site: | https://www.openssh.com/portable.html |
| Repository: | https://anongit.mindrot.org/openssh.git |
| Wikipedia: | https://en.wikipedia.org/wiki/OpenSSH |
HOWTO
# OpenSSH 9.7p1 (2024-03-11)
# =============
# Slackware 14.0: openssh 6.1p1
# Slackware 14.1: openssh 6.3p1
# Slackware 14.2: openssh 7.2p2
# Slackware 15.0: openssh 8.8p1
#
# Also check for updated versions in Slackware's "patches" directory or
# Slackware-current | Slackware64-current if you don't go with installing
# it from source.
# OpenSSH Portable Release
# OpenSSH 9.7 relese notes (text, 9.7 only)
# OpenSSH Release Notes (HTML, all releases)
# OpenSSH portable ChangeLog file
# OpenSSH portable INSTALL file
# GitHub repository mirror
# Success building with OpenSSL 1.1.1 and 3.0
# If you want to uninstall OpenSSH or clean up files from an old version
# before installing a new one, skip down to the bottom.
# Prerequisites:
# Perl (optional?)
# sh-utils or coreutils
# util-linux
# groff
# zlib
# OpenSSL (now optional, but highly recommended for full feature support)
# shadow (optional)
# PAM (optional)
# XFree86 or X.org (optional; xauth for ssh's X forwarding)
# Kerberos (optional)
# S/Key (optional)
# If you are missing a /dev/random, you can use one of these:
# PRNGD (Pseudo Random Number Generator Daemon)
# EGD (Entropy Gathering Daemon)
# https://gnome.org/ (optional; for the Gnome passphrase requestor)
# LDNS (optional; for DNSSEC support)
# libedit (optional; for libedit support in sftp)
# If you're upgrading a remote machine, you may want to keep a 2nd ssh
# connection opened with root access (ssh as you, su or sudo to root) just
# in case something goes wrong. If you're really worried, fire up telnet
# too :-)
# Note: As of 9.0, the 'scp' program uses SFTP instead of scp/rsh
# If you keep accounts and groups in LDAP or something like that, add a
# sshd user and group now, otherwise do this. You obviously don't need to
# use uid and gid 33 as I do here, I only do that so they'll be the same on
# multiple server setups.
su
getent group | grep "^sshd:" > /dev/null 2>&1 || groupadd -g 33 sshd
id sshd > /dev/null 2>&1 || useradd -u 33 -g sshd sshd
exit
# cdn.openbsd.org used below is Fastly CDN. See the mirrors list for other
# options:
# https://www.openssh.com/portable.html#http
# https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/
# https://openbsd.mirror.constant.com/pub/OpenBSD/OpenSSH/portable/
# Get the tarball
cd
test -f installed/openssh-9.7p1.tar.gz &&
mv installed/openssh-9.7p1.tar.gz .
test ! -f openssh-9.7p1.tar.gz &&
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.7p1.tar.gz
# Verify tarball w/ cksum from coreutils >= 9.2:
echo "SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0= openssh-9.7p1.tar.\
gz" | cksum -a sha256 -c
# Verify tarball w/ sha256sum (coreutils) or shasum (Perl) or OpenSSL
# It was provided in the announcement as base64 encoded binary instead of
# hex so some extra steps are required to get the same output:
#
# SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
# ->
# sha256sum openssh-9.7p1.tar.gz | xxd -r -p | base64
# -or-
# shasum -a 256 openssh-9.7p1.tar.gz | xxd -r -p | base64
# -or-
# openssl sha256 -binary openssh-9.7p1.tar.gz | openssl base64
# ->
echo "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773f\
fd openssh-9.7p1.tar.gz" | sha256sum -c
# Verify tarball w/ gpg:
# [ If you can't get the key from a keyserver, get it here (or any mirror):
# https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc ]
( gpg --list-keys 736060BA > /dev/null 2>&1 || gpg --recv-keys 736060BA ) &&
wget -nc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.7p1.tar.gz.asc &&
gpg --verify openssh-9.7p1.tar.gz.asc && rm openssh-9.7p1.tar.gz.asc
# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
tar xzvf ~/openssh-9.7p1.tar.gz
cd openssh-9.7p1
test $UID = 0 && chown -R root:root .
# If you use PAM, add --with-pam to the configure line below.
# If LDNS is installed, add --with-ldns to the configure line below and
# you may need to put CPPFLAGS=-I/usr/local/ssl/include at the beginning if
# you have OpenSSL < 1.1.0 entirely installed under the /usr/local/ssl
# prefix
# If libedit is installed, add --with-libedit to configure
# If you newly installed a source-based OpenSSL under /usr/local or
# /usr/local/ssl (< 1.1.0), and you also have the Slackware package(s)
# installed, you will probably be OK with openssl-solibs being installed,
# but probably not also the regular openssl package.
# If your OpenSSL is fully installed under the < 1.1.0 default prefix of
# /usr/local/ssl (works with lib64 too):
test -d /usr/local/ssl/include &&
./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
--with-ssl-dir=/usr/local/ssl --with-libedit --with-ldns
# ...and if not:
test ! -d /usr/local/ssl/include &&
./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
--with-libedit --with-ldns
# Build it
make
# Become root to clean up old files and to install it
su
# Back up your existing configuration
mkdir -p -m 0700 ~/backup/ssh
test -d /etc/ssh && cp -a /etc/ssh/* ~/backup/ssh/
test ! -d /etc/ssh &&
( cd /usr/local/etc
cp -a ssh_* sshd_* ~/backup/ssh/ )
# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openssh
# Install the new version. 'make install' will not overwrite existing
# configuration files.
make install
# If using privsep (you should be, and it's the default as of 3.3p1)
test ! -d /var/empty &&
( mkdir -p -m 0755 /var/empty ; chown root:sys /var/empty )
# This will copy sample configuration files from the source directory
# to /etc/ssh as *.dist To actually use one, rename it minus the trailing
# .dist The .dist one will be mostly commented-out lines.
# See 'man sshd_config' for more information about /etc/ssh/sshd_config
# See 'man ssh_config' for more information about /etc/ssh/ssh_config
cp -p ssh_config /etc/ssh/ssh_config.dist
cp -p sshd_config /etc/ssh/sshd_config.dist
chown -R root:root /etc/ssh
find /etc/ssh -mindepth 1 -type f -exec chmod 644 {} \;
chmod 600 /etc/ssh/sshd_config /etc/ssh/*_key /etc/ssh/*.dist
# I used to run diff here to compare existing vs .dist, but these days
# the .dist one is mostly commented-out lines, so I only do that if
# there is a backup sshd_config.old to compare it to when upgrading and
# changing it. Make sure you read the release notes and/or ChangeLog
# whenever upgrading to see if you need to update the configuration files.
# A few tidbits about /etc/ssh/sshd_config:
# If you're not using IPv6: AddressFamily inet
# If you don't want to allow root to ssh: PermitRootLogin no
# If you only want to allow user jason to ssh: AllowUsers jason
# If you only want to allow login with keys, no password entry (instead of
# both of them): PasswordAuthentication no
# Also check out the Max* options for limits on what potential attackers can
# get away with.
# Ideally they can't even get to sshd because of your firewall or
# because it is only listening on (ListenAddress) a reserved IP address on
# your internal network.
# If you're using PAM, and you built PAM support into OpenSSH (--with-pam),
# you'll need to put "UsePAM yes" in /etc/ssh/sshd_config before it will
# use it. You will also need a /etc/pam.d/ssh You'll find a generic one
# in contrib/sshd.pam.generic
test -d /etc/pam.d &&
( test -f /etc/pam.d/ssh && cp /etc/pam.d/ssh.old
cp contrib/sshd.pam.generic /etc/pam.d/ssh )
#
# You may want to add this line (if your browser word-wraps it, put it all
# on one line) to it:
# session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0066
# It will set PAM to auto-create a home directory for anyone that logs in
# that doesn't already have one. If you have a recent version of Linux-PAM,
# read through 'man pam_mkhomedir'.
#
# If you use PAM with padl's pam_ldap, you can find a sample one for sshd in
# pam_ldap's source tree, or here:
# https://englanders.us/pub/linux/misc/sshd.ldap
# (though that one may be older)
# Slackware 8.1 and up have an /etc/rc.d/rc.inet2 that will start
# /etc/rc.d/rc.sshd on boot-up if it exists.
#
# The rc.sshd from Slackware 8.1 and the one from 15.0 only has one
# relatively minor update to add support for putting commandline options
# for sshd in /etc/default/sshd
#
# If you don't have one, here you can get Slackware64 15.0's rc.sshd:
test ! -e /etc/rc.d/rc.sshd &&
( wget -nc http://ftp.slackware.com/pub/slackware/slackware64-15.0/source/\
n/openssh/rc.sshd
cp -a rc.sshd /etc/rc.d/rc.sshd
chmod 700 /etc/rc.d/rc.sshd )
# An alternative to rc.sshd, you may also want to try
# contrib/redhat/sshd.init in the source, which is intended to be used as
# /etc/init.d/ssh with the /etc/rc?.d/* symlinks.
# Use the rc.sshd script to (re)start the master sshd process. The
# Slackware one will leave the sshd process running that your ssh client is
# connected to (if you're ssh'd into the machine you're upgrading ssh on),
# so you won't get booted out. If you're 1,000 miles away from the server
# and nobody is available in person, maybe a 2nd reminder about temporary
# telnet...
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd restart
# As of 7.1 ssh-dss is disabled by default.
# If you find that you are no longer able to ssh to foo.example.com using
# a key, and ssh prompts you for a password, you can put something like the
# following in ~/.ssh/config or create a new, stronger key pair. Example:
#Host foo.example.com
# HostkeyAlgorithms ssh-dss
# PubkeyAcceptedKeyTypes ssh-dss
# PasswordAuthentication no
#
# https://www.openssh.com/legacy.html
# ssh-keygen will now create a Ed25519 key by default
# DSA will only be a compile time option later in 2024 and removed
# completely in 2025
# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .
# Become your non-root user again
exit
## Make sure ssh reports the correct version:
## OpenSSH_9.7p1, OpenSSL <version> <date>
ssh -V
# Save the tarball for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssh-*.tar.*
mv openssh-9.7p1.tar.gz installed/
# If you ever want to uninstall OpenSSH (why?), this should do it. The
# 'make uninstall' should do it, the rest is just in case. I cover
# /usr/local here too because way back this used the default prefix.
# Obviously you don't want to do this if you're logged in remotely with
# ssh :-)
cd
su
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd stop
sleep 2
killall sshd 2> /dev/null
sleep 2
killall -9 sshd 2> /dev/null
test -d src/openssh-* && ( cd src/openssh-* ; make uninstall )
for pfx in /usr /usr/local;
do
( cd ${pfx}/bin
rm -f scp sftp slogin ssh ssh-add ssh-agent ssh-keygen ssh-keyscan )
test -d ${pfx}/etc &&
( cd ${pfx}/etc
rm -f moduli ssh_*.dist sshd_*.dist ssh_config ssh_host*key \
ssh_host*key.pub ssh_prng_cmds sshd_config )
( cd ${pfx}/libexec
rm -f sftp-server ssh-keysign ssh-pkcs11-helper ssh-rand-helper )
( cd ${pfx}/man/man1
rm -f scp.1 sftp.1 slogin.1 ssh.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 \
ssh-keyscan.1 )
( cd ${pfx}/man/man5
rm -f ssh_config.5 sshd_config.5 )
( cd ${pfx/man/man8
rm -f sftp-server.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-rand-helper.8 \
sshd.8 )
rm -f ${pfx}/sbin/sshd ${pfx}/share/Ssh.bin
done
test -d /etc/ssh && rm -r /etc/ssh
rm -f /etc/rc.d/rc.sshd
exit
find ~/src -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
rm -f ~/installed/openssh-*.tar.*
List of HOWTOs
Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2024-03-17 8:45pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.
HOWTO last updated: 2024-03-17 8:45pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.
![[HTML5]](HTML5_Logo_64-black.png){kind=logo}
