openssh - Free version of the SSH protocol suite ChangeLog

HOWTO


# OpenSSH 9.8p1 (2024-07-01)
# =============
# Slackware 14.0: openssh 6.1p1
# Slackware 14.1: openssh 6.3p1
# Slackware 14.2: openssh 7.2p2
# Slackware 15.0: openssh 8.8p1
#
# Also check for updated versions in Slackware's "patches" directory or
# Slackware-current | Slackware64-current if you don't go with installing
# it from source.

# OpenSSH Portable Release
# OpenSSH 9.8 relese notes (text, 9.8 only)
# OpenSSH Release Notes (HTML, all releases)
# OpenSSH portable ChangeLog file
# OpenSSH portable INSTALL file
# GitHub repository mirror

# Success building with OpenSSL 1.1.1 and 3.0

# If you want to uninstall OpenSSH or clean up files from an old version
# before installing a new one, skip down to the bottom.

# Prerequisites:
# Perl (optional?)
# sh-utils or coreutils
# util-linux
# groff
# zlib
# OpenSSL (now optional, but highly recommended for full feature support)
# shadow (optional)
# PAM (optional)
# XFree86 or X.org (optional; xauth for ssh's X forwarding)
# Kerberos (optional)
# S/Key (optional)
# If you are missing a /dev/random, you can use one of these:
#  PRNGD (Pseudo Random Number Generator Daemon)
#  EGD (Entropy Gathering Daemon)
# https://gnome.org/ (optional; for the Gnome passphrase requestor)
# LDNS (optional; for DNSSEC support)
# libedit (optional; for libedit support in sftp)

# If you're upgrading a remote machine, you may want to keep a 2nd ssh
# connection opened with root access (ssh as you, su or sudo to root) just
# in case something goes wrong.  If you're really worried, fire up telnet
# too :-)

# Note: As of 9.0, the 'scp' program uses SFTP instead of scp/rsh

# If you keep accounts and groups in LDAP or something like that, add a
# sshd user and group now, otherwise do this.  You obviously don't need to
# use uid and gid 33 as I do here, I only do that so they'll be the same on
# multiple server setups.
su
getent group | grep "^sshd:" > /dev/null 2>&1 || groupadd -g 33 sshd
id sshd > /dev/null 2>&1 || useradd -u 33 -g sshd sshd
exit

# cdn.openbsd.org used below is Fastly CDN.  See the mirrors list for other
# options:
# https://www.openssh.com/portable.html#http
# https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/
# https://openbsd.mirror.constant.com/pub/OpenBSD/OpenSSH/portable/

# Get the tarball
cd
test -f installed/openssh-9.8p1.tar.gz &&
mv installed/openssh-9.8p1.tar.gz .
test ! -f openssh-9.8p1.tar.gz &&
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.8p1.tar.gz

# Verify tarball w/ cksum from coreutils >= 9.2:
echo "3YvQAqN5tdSZ37BQ3R+pr4Ap6ARh9LtsUjxJlz9aOfM=  openssh-9.8p1.tar.\
gz" | cksum -a sha256 -c

# Verify tarball w/ sha256sum (coreutils) or shasum (Perl) or OpenSSL
# It was provided in the announcement as base64 encoded binary instead of
# hex so some extra steps are required to get the same output:
#
# 3YvQAqN5tdSZ37BQ3R+pr4Ap6ARh9LtsUjxJlz9aOfM=
# ->
# sha256sum openssh-9.8p1.tar.gz | xxd -r -p | base64
# -or-
# shasum -a 256 openssh-9.8p1.tar.gz | xxd -r -p | base64
# -or-
# openssl sha256 -binary openssh-9.8p1.tar.gz | openssl base64
# ->
echo "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39\
f3  openssh-9.8p1.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
# [ If you can't get the key from a keyserver, get it here (or any mirror):
#   https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc ]
( gpg --list-keys 736060BA > /dev/null 2>&1 || gpg --recv-keys 736060BA ) &&
wget -nc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.8p1.tar.gz.asc &&
  gpg --verify openssh-9.8p1.tar.gz.asc && rm openssh-9.8p1.tar.gz.asc

# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
tar xzvf ~/openssh-9.8p1.tar.gz
cd openssh-9.8p1
test $UID = 0 && chown -R root:root .

# If you use PAM, add --with-pam to the configure line below.

# If LDNS is installed, add --with-ldns to the configure line below and
# you may need to put CPPFLAGS=-I/usr/local/ssl/include at the beginning if
# you have OpenSSL < 1.1.0 entirely installed under the /usr/local/ssl
# prefix

# If libedit is installed, add --with-libedit to configure

# If you newly installed a source-based OpenSSL under /usr/local or
# /usr/local/ssl (< 1.1.0), and you also have the Slackware package(s)
# installed, you will probably be OK with openssl-solibs being installed,
# but probably not also the regular openssl package.

# If your OpenSSL is fully installed under the < 1.1.0 default prefix of
# /usr/local/ssl (works with lib64 too):
test -d /usr/local/ssl/include &&
./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
--with-ssl-dir=/usr/local/ssl --with-libedit --with-ldns

# ...and if not:
test ! -d /usr/local/ssl/include &&
./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
--with-libedit --with-ldns

# Build it
make

# Become root to clean up old files and to install it
su

# Back up your existing configuration
mkdir -p -m 0700 ~/backup/ssh
test -d /etc/ssh && cp -a /etc/ssh/* ~/backup/ssh/
test ! -d /etc/ssh &&
( cd /usr/local/etc
   cp -a ssh_* sshd_* ~/backup/ssh/ )

# Remove the Slackware package, if there is one
test -x /sbin/removepkg && /sbin/removepkg openssh

# Install the new version.  'make install' will not overwrite existing
# configuration files.
make install

# If using privsep (you should be, and it's the default as of 3.3p1)
test ! -d /var/empty &&
( mkdir -p -m 0755 /var/empty ; chown root:sys /var/empty )

# This will copy sample configuration files from the source directory
# to /etc/ssh as *.dist  To actually use one, rename it minus the trailing
# .dist  The .dist one will be mostly commented-out lines.
# See 'man sshd_config' for more information about /etc/ssh/sshd_config
# See 'man ssh_config' for more information about /etc/ssh/ssh_config
cp -p ssh_config /etc/ssh/ssh_config.dist
cp -p sshd_config /etc/ssh/sshd_config.dist
chown -R root:root /etc/ssh
find /etc/ssh -mindepth 1 -type f -exec chmod 644 {} \;
chmod 600 /etc/ssh/sshd_config /etc/ssh/*_key /etc/ssh/*.dist

# I used to run diff here to compare existing vs .dist, but these days
# the .dist one is mostly commented-out lines, so I only do that if
# there is a backup sshd_config.old to compare it to when upgrading and
# changing it.  Make sure you read the release notes and/or ChangeLog
# whenever upgrading to see if you need to update the configuration files.

# A few tidbits about /etc/ssh/sshd_config:
# If you're not using IPv6:  AddressFamily inet
# If you don't want to allow root to ssh:  PermitRootLogin no
# If you only want to allow user jason to ssh:  AllowUsers jason
# If you only want to allow login with keys, no password entry (instead of
#  both of them): PasswordAuthentication no
# Also check out the Max* options for limits on what potential attackers can
# get away with.

# Ideally they can't even get to sshd because of your firewall or
# because it is only listening on (ListenAddress) a reserved IP address on
# your internal network.

# If you're using PAM, and you built PAM support into OpenSSH (--with-pam),
# you'll need to put "UsePAM yes" in /etc/ssh/sshd_config before it will
# use it.  You will also need a /etc/pam.d/ssh  You'll find a generic one
# in contrib/sshd.pam.generic
test -d /etc/pam.d &&
( test -f /etc/pam.d/ssh && cp /etc/pam.d/ssh.old
   cp contrib/sshd.pam.generic /etc/pam.d/ssh )
#
# You may want to add this line (if your browser word-wraps it, put it all
# on one line) to it:
# session    required    /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0066
# It will set PAM to auto-create a home directory for anyone that logs in
# that doesn't already have one.  If you have a recent version of Linux-PAM,
# read through 'man pam_mkhomedir'.
#
# If you use PAM with padl's pam_ldap, you can find a sample one for sshd in
# pam_ldap's source tree, or here:
# https://englanders.us/pub/linux/misc/sshd.ldap
# (though that one may be older)

# Slackware 8.1 and up have an /etc/rc.d/rc.inet2 that will start
# /etc/rc.d/rc.sshd on boot-up if it exists.
#
# The rc.sshd from Slackware 8.1 and the one from 15.0 only has one
# relatively minor update to add support for putting commandline options
# for sshd in /etc/default/sshd
#
# If you don't have one, here you can get Slackware64 15.0's rc.sshd:
test ! -e /etc/rc.d/rc.sshd &&
( wget -nc http://ftp.slackware.com/pub/slackware/slackware64-15.0/source/\
n/openssh/rc.sshd
   cp -a rc.sshd /etc/rc.d/rc.sshd
   chmod 700 /etc/rc.d/rc.sshd )

# An alternative to rc.sshd, you may also want to try
# contrib/redhat/sshd.init in the source, which is intended to be used as
# /etc/init.d/ssh with the /etc/rc?.d/* symlinks.

# Use the rc.sshd script to (re)start the master sshd process.  The
# Slackware one will leave the sshd process running that your ssh client is
# connected to (if you're ssh'd into the machine you're upgrading ssh on),
# so you won't get booted out.  If you're 1,000 miles away from the server
# and nobody is available in person, maybe a 2nd reminder about temporary
# telnet...
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd restart

# As of 7.1 ssh-dss is disabled by default.
# If you find that you are no longer able to ssh to foo.example.com using
# a key, and ssh prompts you for a password, you can put something like the
# following in ~/.ssh/config or create a new, stronger key pair.  Example:
#Host foo.example.com
#        HostkeyAlgorithms ssh-dss
#        PubkeyAcceptedKeyTypes ssh-dss
#        PasswordAuthentication no
#
# https://www.openssh.com/legacy.html

# ssh-keygen will now create a Ed25519 key by default

# DSA will only be a compile time option in 2024 and removed completely in
# 2025
# As of 9.8, configure with --enable-dsa-keys is required

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# Become your non-root user again
exit

## Make sure ssh reports the correct version:
## OpenSSH_9.8p1, OpenSSL <version>  <date>
ssh -V

# Save the tarball for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssh-*.tar.*
mv openssh-9.8p1.tar.gz installed/


# If you ever want to uninstall OpenSSH (why?), this should do it.  The
# 'make uninstall' should do it, the rest is just in case.  I cover
# /usr/local here too because way back this used the default prefix.
# Obviously you don't want to do this if you're logged in remotely with
# ssh :-)
cd
su
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd stop
sleep 2
killall sshd 2> /dev/null
sleep 2
killall -9 sshd 2> /dev/null
test -d src/openssh-* && ( cd src/openssh-* ; make uninstall )
for pfx in /usr /usr/local;
do
  ( cd ${pfx}/bin
    rm -f scp sftp slogin ssh ssh-add ssh-agent ssh-keygen ssh-keyscan )
  test -d ${pfx}/etc &&
   ( cd ${pfx}/etc
     rm -f moduli ssh_*.dist sshd_*.dist ssh_config ssh_host*key \
      ssh_host*key.pub ssh_prng_cmds sshd_config )
  ( cd ${pfx}/libexec
    rm -f sftp-server ssh-keysign ssh-pkcs11-helper ssh-rand-helper )
  ( cd ${pfx}/man/man1
    rm -f scp.1 sftp.1 slogin.1 ssh.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 \
     ssh-keyscan.1 )
  ( cd ${pfx}/man/man5
    rm -f ssh_config.5 sshd_config.5 )
  ( cd ${pfx/man/man8
    rm -f sftp-server.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-rand-helper.8 \
     sshd.8 )
  rm -f ${pfx}/sbin/sshd ${pfx}/share/Ssh.bin
done
test -d /etc/ssh && rm -r /etc/ssh
rm -f /etc/rc.d/rc.sshd
exit
find ~/src -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
rm -f ~/installed/openssh-*.tar.*

List of HOWTOs

Web page itself last updated: 2023-12-20 8:06pm (EST -0500)
HOWTO last updated: 2024-07-01 6:48pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.
[HTML5]