openssh - Free version of the SSH protocol suite ChangeLog

HOWTO


# OpenSSH 9.2p1
# =============
# Slackware 14.0: openssh 6.1p1
# Slackware 14.1: openssh 6.3p1
# Slackware 14.2: openssh 7.2p2
# Slackware 15.0: openssh 8.8p1
#
# Also check for updated versions in Slackware's "patches" directory or
# Slackware-current | Slackware64-current if you don't go with installing
# it from source.

# If you want to uninstall OpenSSH or clean up files from an old version
# before installing a new one, skip down to the bottom.

# Prerequisites:
# Perl (optional?)
# sh-utils or coreutils
# util-linux
# groff
# zlib
# OpenSSL (now optional, but highly recommended for full feature support)
# shadow (optional)
# PAM (optional)
# XFree86 or X.org (optional; xauth for ssh's X forwarding)
# Kerberos (optional)
# S/Key (optional)
# If you are missing a /dev/random, you can use one of these:
#  PRNGD (Pseudo Random Number Generator Daemon)
#  EGD (Entropy Gathering Daemon)
# https://gnome.org/ (optional; for the Gnome passphrase requestor)
# LDNS (optional; for DNSSEC support)
# libedit (optional; for libedit support in sftp)

# If you're upgrading a remote machine, you may want to keep a 2nd ssh
# connection opened with root access (ssh as you, su to root) just in case
# something goes wrong.  If you're really worried, fire up telnet too :-)

# Note: As of 9.0, the 'scp' program uses SFTP instead of scp/rsh

# If you keep accounts and groups in LDAP or something like that, add a
# sshd user and group now, otherwise do this.  You obviously don't need to
# use uid and gid 33 as I do here, I only do that so they'll be the same on
# multiple server setups.
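su
# Create the unprivileged account that sshd uses for privilege separation.
# Nobody ever logs in as it, so give it no usable shell and point its home
# at the empty privsep directory (this follows README.privsep in the
# OpenSSH source tree).  uid/gid 33 are this HOWTO's own choice.
getent group sshd > /dev/null 2>&1 || groupadd -g 33 sshd
id sshd > /dev/null 2>&1 ||
  useradd -u 33 -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
exit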

# cdn.openbsd.org used below is Fastly CDN.  See the mirrors list for other
# options:
# https://www.openssh.com/portable.html#http

# Get the source
# Work from the home directory.  Reuse a tarball saved by an earlier run of
# this HOWTO if there is one; otherwise download it over HTTPS.
cd
if [ -f installed/openssh-9.2p1.tar.gz ]; then
  mv installed/openssh-9.2p1.tar.gz .
fi
if [ ! -f openssh-9.2p1.tar.gz ]; then
  wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
fi

# Verify tarball w/ sha256sum:
# It was provided in the announcement as base64 encoded binary instead of
# hex so some extra steps are required to get the same output:
#
# P2bb8WVftF9Q4cVtpiqwEhjCKIB7ITONY068351xz0Y=
# ->
# sha256sum openssh-9.2p1.tar.gz | xxd -r -p | base64
# -or-
# openssl sha256 -binary openssh-9.2p1.tar.gz | openssl base64
# ->
# The hex digest is the announcement's base64 value decoded.  sha256sum -c
# prints "openssh-9.2p1.tar.gz: OK" and exits 0 on a match; do not continue
# if it reports FAILED.
printf '%s  %s\n' \
  3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 \
  openssh-9.2p1.tar.gz | sha256sum -c

# Verify tarball w/ gpg:
# [ If you can't get the key from a keyserver, get it here (or any mirror):
#   https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc ]
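# 736060BA is only a short (32-bit) key ID, and short IDs are not collision
# resistant.  After the key is imported, run 'gpg --fingerprint 736060BA'
# and compare the full fingerprint with the one the OpenSSH project
# publishes before relying on a "Good signature" result.
# The signed file is named explicitly on the --verify line so gpg checks
# this tarball and nothing else.
( gpg --list-keys 736060BA > /dev/null 2>&1 || gpg --recv-keys 736060BA ) &&
wget -nc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz.asc &&
  gpg --verify openssh-9.2p1.tar.gz.asc openssh-9.2p1.tar.gz &&
  rm openssh-9.2p1.tar.gz.asc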

# Extract it
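mkdir -p -m 0700 ~/src
# Each step runs only if the previous one succeeded.  In particular the
# recursive delete of old openssh-* trees and the recursive chown must not
# run if the cd did not land where expected.
# The chown matters when extracting as root, because tar then keeps the
# owner recorded in the archive.
cd ~/src &&
  find . -maxdepth 1 -type d -name "openssh-*" -exec rm -r -- {} + &&
  tar xzvf ~/openssh-9.2p1.tar.gz &&
  cd openssh-9.2p1 &&
  if [ "$(id -u)" = 0 ]; then chown -R root:root .; fi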

# If you use something really old like Slackware 7.0 (and also don't use
# PAM), you may need to add --use-md5-passwords to the ./configure line
# If you still use Slackware 7.0 in 2023, that may be the least of your
# issues
#
# If you use PAM, add --with-pam to the configure line below.

# If LDNS is installed, add --with-ldns to the configure line below and
# you may need to put CPPFLAGS=-I/usr/local/ssl/include at the beginning if
# you have OpenSSL < 1.1.0 installed under the /usr/local/ssl prefix

# If libedit is installed, add --with-libedit to configure

# Previous versions required a patch like this one from Slackware, but
# it does now support OpenSSL 1.1.0
# https://github.com/openssh/openssh-portable/pull/48
# ftp://ftp.slackware.com/pub/slackware/slackware64-current/source/n/openssh/openssl-1.1.0.patch.gz

# If you newly installed a source-based OpenSSL under /usr/local or
# /usr/local/ssl (< 1.1.0), and you also have the Slackware package(s)
# installed, you will probably be OK with openssl-solibs being installed,
# but probably not also the regular openssl package.

# If your OpenSSL is fully installed under the < 1.1.0 default prefix of
# /usr/local/ssl (works with lib64 too):
# Point configure at /usr/local/ssl when OpenSSL's headers live there;
# otherwise let it find OpenSSL in the default locations.
if [ -d /usr/local/ssl/include ]; then
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr --with-ssl-dir=/usr/local/ssl --with-libedit --with-ldns
else
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr --with-libedit --with-ldns
fi

# Build it
# Compile in the source tree.  This runs as whoever started the walkthrough;
# root is only requested by the 'su' that follows.
make

# Become root to clean up old files and to install it
su

# Back up your existing configuration
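# The backup will hold the private host keys.  mkdir -m only sets the mode
# on a directory it creates, so tighten it explicitly in case it was
# already there with looser permissions.
mkdir -p -m 0700 ~/backup/ssh
chmod 0700 ~/backup/ssh
if [ -d /etc/ssh ]; then
  cp -a /etc/ssh/* ~/backup/ssh/
else
  # No /etc/ssh: fall back to the files a default-prefix install keeps in
  # /usr/local/etc.  Copy only if the cd worked.
  ( cd /usr/local/etc && cp -a ssh_* sshd_* ~/backup/ssh/ )
fi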

# Remove the Slackware package, if there is one
if [ -x /sbin/removepkg ]; then
  /sbin/removepkg openssh
fi

# Install the freshly built version.  'make install' leaves configuration
# files that already exist untouched.
make install

# Privilege separation (the default since 3.3p1) needs an empty,
# root-owned directory.
if [ ! -d /var/empty ]; then
  mkdir -p -m 0755 /var/empty
  chown root:sys /var/empty
fi

# This will copy sample configuration files from the source directory
# to /etc/ssh as *.dist.  To actually use one, rename it without the
# trailing .dist.  This lets you compare them if you are upgrading:
# ( cd /etc/ssh ; diff -u sshd_config.dist sshd_config 2>&1 | less )
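cp -p ssh_config /etc/ssh/ssh_config.dist
cp -p sshd_config /etc/ssh/sshd_config.dist
chown -R root:root /etc/ssh
# Lock down the sensitive files first, then open up only the remaining
# ones.  A blanket "chmod 644" followed by "chmod 600" would leave the
# private host keys world-readable for a moment.
chmod 600 /etc/ssh/sshd_config /etc/ssh/*_key /etc/ssh/*.dist
find /etc/ssh -mindepth 1 -type f \
  ! -name '*_key' ! -name sshd_config ! -name '*.dist' \
  -exec chmod 644 {} +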

# A few tidbits about /etc/ssh/sshd_config:
# If you're not using IPv6:  AddressFamily inet
# If you don't want to allow root to ssh:  PermitRootLogin no
# If you only want to allow user jason to ssh:  AllowUsers jason
# If you only want to allow login with keys, no password entry (instead
#  of both of them): PasswordAuthentication no
# Also check out ('man sshd_config') MaxAuthTries and MaxStartups for
# limits on what potential attackers can get away with.

# If you're using PAM, and you built PAM support into OpenSSH (--with-pam),
# you'll need to put "UsePAM yes" in /etc/ssh/sshd_config before it will
# use it.  You will also need a /etc/pam.d/ssh.  You'll find a generic one
# in contrib/sshd.pam.generic.
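# Keep a copy of any existing PAM service file, then install the generic
# one from the source tree.  (The original backup command named only the
# destination, so cp failed and nothing was saved.)
# NOTE(review): sshd's PAM service name normally follows the binary name,
# so PAM may consult /etc/pam.d/sshd rather than /etc/pam.d/ssh.  Confirm
# which file your build actually reads.
if [ -d /etc/pam.d ]; then
  if [ -f /etc/pam.d/ssh ]; then
    cp /etc/pam.d/ssh /etc/pam.d/ssh.old
  fi
  cp contrib/sshd.pam.generic /etc/pam.d/ssh
fi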
#
# You may want to add this line (if your browser word-wraps it, put it all
# on one line) to it:
# session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0066
# It will set PAM to auto-create a home directory for anyone that logs in
# that doesn't already have one.  If you have a recent version of Linux-PAM,
# read through 'man pam_mkhomedir'.
#
# If you use PAM with padl's pam_ldap, you can find a sample one for sshd in
# pam_ldap's source tree, or here:
# http://englanders.us/pub/linux/misc/sshd.ldap
# (though that one may be older)

# Slackware 8.1 and up have an /etc/rc.d/rc.inet2 that will start
# /etc/rc.d/rc.sshd on boot-up if it exists.  In addition to the one below
# you may also want to try contrib/redhat/sshd.init in the source, which
# is intended to use as /etc/init.d/ssh with the /etc/rc?.d/* symlinks.
# If you want a /etc/rc.d/rc.sshd, here's the one that comes with (at least)
# Slackware 9.0 through 11.0:
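# Run in a subshell so this root shell's working directory stays in the
# source tree.  The "chown -R ... ." further down must never run inside
# /etc/rc.d.
# NOTE: the init script is fetched over plain HTTP with no checksum or
# signature, and it will run as root on every boot.  Read it before
# starting it.
(
  cd /etc/rc.d || exit 1
  if [ -f rc.sshd ]; then
    mv -f rc.sshd rc.sshd.old
    chmod 600 rc.sshd.old
  fi
  wget http://englanders.us/pub/linux/misc/notmine/rc.sshd &&
    chmod 700 rc.sshd
)

# Use the rc.sshd script to (re)start the master sshd process.  The
# Slackware one will leave the sshd process running that your ssh client is
# connected to (if you're ssh'd into the machine you're upgrading ssh on),
# so you won't get booted out.
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd restart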

# Make sure your non-root user can remove the source later
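# Name the source tree explicitly instead of relying on the current
# directory.  A recursive chown of "." from the wrong place (for example
# /etc/rc.d) would hand files that root executes to an unprivileged user.
build_user=$(logname)
build_home=$(getent passwd "$build_user" | cut -d: -f6)
src_tree="${build_home}/src/openssh-9.2p1"
test -n "$build_home" && test -d "$src_tree" &&
  chown -R "$build_user" "$src_tree" &&
  chmod -R u+w "$src_tree"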

# If you find that you are no longer able to ssh to foo.example.com using
# a key, and ssh prompts you for a password, you can put something like the
# following in ~/.ssh/config or, better, create a new, stronger key pair.
# Example:
#Host foo.example.com
#        HostkeyAlgorithms ssh-dss
#        PubkeyAcceptedKeyTypes ssh-dss
#        PasswordAuthentication no
#
# As of 7.1 ssh-dss is disabled by default.  ssh-keygen will create a 2,048
# bit RSA key by default (without -t or -b).  ssh protocol v1 is disabled by
# default as well.  For more info, see:
# http://www.openssh.com/legacy.html

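# The ssh-rsa signature algorithm (RSA with SHA-1) will no longer be
# supported; RSA keys can still be used with the rsa-sha2-256 and
# rsa-sha2-512 signature algorithms.  See ./ChangeLog and 'man sshd_config'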

# Become your non-root user again
# Leave the root shell that 'su' opened
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
# Drop any previously saved tarballs so only the current release is kept
rm -f installed/openssh-*.tar.*
mv openssh-9.2p1.tar.gz installed/

## Make sure ssh reports the correct version:
## OpenSSH_9.2p1, OpenSSL 1.1.1t  7 Feb 2023
ssh -V


# If you ever want to uninstall OpenSSH (?), this should do it.  The
# 'make uninstall' should do it, the rest is just in case.  I cover
# /usr/local here too because way back this used the default prefix.
# Obviously you don't want to do this if you're logged in remotely with
# ssh :-)
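cd
su
# Ask the init script to stop sshd, then escalate: a plain TERM first and
# KILL only for whatever is still running.
test -x /etc/rc.d/rc.sshd && /etc/rc.d/rc.sshd stop
sleep 2
killall sshd 2> /dev/null
sleep 2
killall -9 sshd 2> /dev/null

# Run 'make uninstall' in every leftover source tree.  The loop copes with
# zero, one or several matches.
for tree in src/openssh-*/; do
  test -d "$tree" && ( cd "$tree" && make uninstall )
done

# Belt and braces: remove the installed files by name under both prefixes.
# Each rm runs only if its cd succeeded, so a missing directory can never
# cause files to be removed from the current directory instead.
for pfx in /usr /usr/local; do
  ( cd "${pfx}/bin" &&
    rm -f scp sftp slogin ssh ssh-add ssh-agent ssh-keygen ssh-keyscan )
  ( cd "${pfx}/etc" &&
    rm -f moduli ssh_*.dist sshd_*.dist ssh_config ssh_host*key \
      ssh_host*key.pub ssh_prng_cmds sshd_config )
  ( cd "${pfx}/libexec" &&
    rm -f sftp-server ssh-keysign ssh-pkcs11-helper ssh-rand-helper )
  ( cd "${pfx}/man/man1" &&
    rm -f scp.1 sftp.1 slogin.1 ssh.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 \
      ssh-keyscan.1 )
  ( cd "${pfx}/man/man5" &&
    rm -f ssh_config.5 sshd_config.5 )
  ( cd "${pfx}/man/man8" &&
    rm -f sftp-server.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-rand-helper.8 \
      sshd.8 )
  rm -f "${pfx}/sbin/sshd" "${pfx}/share/Ssh.bin"
done

# This also deletes the host keys.  If sshd is installed again later it
# will generate new ones, and clients will see a changed host key.
test -d /etc/ssh && rm -r /etc/ssh
rm -f /etc/rc.d/rc.sshd
exit

# Back as the non-root user: remove the source tree and the saved tarball
find ~/src -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
rm -f ~/installed/openssh-*.tar.*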


Last updated: 2022-06-09 1:35pm EDT(-0400)
Copyright © 2001-2023 Jason Englander. All Rights reserved.