# OpenSSH 9.5p1
# =============
# Slackware 14.0: openssh 6.1p1
# Slackware 14.1: openssh 6.3p1
# Slackware 14.2: openssh 7.2p2
# Slackware 15.0: openssh 8.8p1
#
# Also check for updated versions in Slackware's "patches" directory or
# Slackware-current | Slackware64-current if you don't go with installing
# it from source.
# Success building with OpenSSL 1.1.1 and 3.0
# If you want to uninstall OpenSSH or clean up files from an old version
# before installing a new one, skip down to the bottom.
# Prerequisites:
# Perl (optional?)
# sh-utils or coreutils
# util-linux
# groff
# zlib
# OpenSSL (now optional, but highly recommended for full feature support)
# shadow (optional)
# PAM (optional)
# XFree86 or X.org (optional; xauth for ssh's X forwarding)
# Kerberos (optional)
# S/Key (optional)
# If you are missing a /dev/random, you can use one of these:
# PRNGD (Pseudo Random Number Generator Daemon)
# EGD (Entropy Gathering Daemon)
# https://gnome.org/ (optional; for the Gnome passphrase requestor)
# LDNS (optional; for DNSSEC support)
# libedit (optional; for libedit support in sftp)
# If you're upgrading a remote machine, you may want to keep a 2nd ssh
# connection opened with root access (ssh as you, su or sudo to root) just
# in case something goes wrong. If you're really worried, fire up telnet
# too :-)
# Note: As of 9.0, 'scp' transfers files with the SFTP protocol by default
# instead of the legacy scp protocol
# If you keep accounts and groups in LDAP or something like that, add a
# sshd user and group now, otherwise do this. You obviously don't need to
# use uid and gid 33 as I do here, I only do that so they'll be the same on
# multiple server setups.
# Create the sshd group and user if they don't already exist. uid/gid 33 is
# only a personal convention so they match across several servers.
su
if ! getent group sshd > /dev/null 2>&1; then
  groupadd -g 33 sshd
fi
if ! id sshd > /dev/null 2>&1; then
  useradd -u 33 -g sshd sshd
fi
exit
# Get the tarball
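# Get the tarball: reuse a copy saved in ~/installed if there is one,
# otherwise download it over HTTPS.
cd
if test -f installed/openssh-9.5p1.tar.gz; then
  mv installed/openssh-9.5p1.tar.gz .
fi
if test ! -f openssh-9.5p1.tar.gz; then
  wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.5p1.tar.gz
fi
# Verify tarball w/ sha256sum:
# It was provided in the announcement as base64 encoded binary instead of
# hex so some extra steps are required to get the same output:
#
# 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs=
# ->
# sha256sum openssh-9.5p1.tar.gz | xxd -r -p | base64
# -or-
# openssl sha256 -binary openssh-9.5p1.tar.gz | openssl base64
# ->
# The output must read "openssh-9.5p1.tar.gz: OK". Nothing below stops on a
# mismatch, so if it says FAILED, stop here and re-download.
echo "f026e7b79ba7fb540f75182af96dc8a8f1db395f922bbc9f6ca60367268608\
6b openssh-9.5p1.tar.gz" | sha256sum -c
# Verify tarball w/ gpg:
# [ If you can't get the key from a keyserver, get it here (or any mirror):
# https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc ]
# 736060BA is a short (32-bit) key ID, which a keyserver may resolve to more
# than one key, and 'gpg --verify' reports success for any key in your
# keyring that made the signature. So after --verify, compare the
# "Primary key fingerprint" it prints against the full fingerprint published
# for RELEASE_KEY.asc before trusting the result.
( gpg --list-keys 736060BA > /dev/null 2>&1 || gpg --recv-keys 736060BA ) &&
wget -nc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/\
openssh-9.5p1.tar.gz.asc &&
gpg --verify openssh-9.5p1.tar.gz.asc && rm openssh-9.5p1.tar.gz.asc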
# Extract it
# Extract it into a private ~/src, first removing any older openssh tree
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
tar xzvf ~/openssh-9.5p1.tar.gz
cd openssh-9.5p1
# Tarball ownership is whatever was packed; normalise it when unpacking as root
if [ "$UID" = 0 ]; then
  chown -R root:root .
fi
# If you use PAM, add --with-pam to the configure line below.
# If LDNS is installed, add --with-ldns to the configure line below and
# you may need to put CPPFLAGS=-I/usr/local/ssl/include at the beginning if
# you have OpenSSL < 1.1.0 installed under the /usr/local/ssl prefix
# If libedit is installed, add --with-libedit to configure
# If you newly installed a source-based OpenSSL under /usr/local or
# /usr/local/ssl (< 1.1.0), and you also have the Slackware package(s)
# installed, you will probably be OK with openssl-solibs being installed,
# but probably not also the regular openssl package.
# If your OpenSSL is fully installed under the < 1.1.0 default prefix of
# /usr/local/ssl (works with lib64 too):
# Configure: point at /usr/local/ssl when an OpenSSL < 1.1.0 is installed
# there, otherwise let configure locate the system OpenSSL.
if [ -d /usr/local/ssl/include ]; then
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
    --with-ssl-dir=/usr/local/ssl --with-libedit --with-ldns
else
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --datarootdir=/usr \
    --with-libedit --with-ldns
fi
# Build it
make
# Become root to clean up old files and to install it
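# Become root to clean up old files and to install it
su
# Back up your existing configuration: from /etc/ssh, or from /usr/local/etc
# if the old install used the default prefix.
mkdir -p -m 0700 ~/backup/ssh
if test -d /etc/ssh; then
  cp -a /etc/ssh/* ~/backup/ssh/
else
  # '&&' so cp never runs against the wrong directory if the cd fails
  ( cd /usr/local/etc && cp -a ssh_* sshd_* ~/backup/ssh/ )
fi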
# Remove the Slackware package, if there is one
# Remove the Slackware package, if there is one
if [ -x /sbin/removepkg ]; then
  /sbin/removepkg openssh
fi
# Install the new version. 'make install' will not overwrite existing
# configuration files.
make install
# Privilege separation (the default since 3.3p1; keep it on) needs an empty,
# root-owned /var/empty
if [ ! -d /var/empty ]; then
  mkdir -p -m 0755 /var/empty
  chown root:sys /var/empty
fi
# This will copy the sample configuration files from the source directory
# to /etc/ssh as *.dist. To actually use one, rename it without the trailing
# .dist. Keeping them lets you compare when upgrading:
# ( cd /etc/ssh ; diff -u sshd_config.dist sshd_config 2>&1 | less )
# Copy the samples as *.dist, then tighten ownership and permissions:
# everything root-owned, files 644, and the daemon config, host keys and
# samples 600.
for cfg in ssh_config sshd_config; do
  cp -p "$cfg" "/etc/ssh/$cfg.dist"
done
chown -R root:root /etc/ssh
find /etc/ssh -mindepth 1 -type f -exec chmod 644 {} \;
chmod 600 /etc/ssh/sshd_config /etc/ssh/*_key /etc/ssh/*.dist
# A few tidbits about /etc/ssh/sshd_config:
# If you're not using IPv6: AddressFamily inet
# If you don't want to allow root to ssh: PermitRootLogin no
# If you only want to allow user jason to ssh: AllowUsers jason
# If you only want to allow login with keys, no password entry (instead
# of both of them): PasswordAuthentication no
# Also check out ('man sshd_config') MaxAuthTries and MaxStartups for
# limits on what potential attackers can get away with.
# If you're using PAM, and you built PAM support into OpenSSH (--with-pam),
# you'll need to put "UsePAM yes" in /etc/ssh/sshd_config before it will
# use it. You will also need a /etc/pam.d/ssh; you'll find a generic one
# in contrib/sshd.pam.generic
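# Install the generic PAM service file, keeping a copy of any live one.
# The backup needs both a source and a destination; without the source
# argument cp fails and the existing /etc/pam.d/ssh is overwritten silently.
if test -d /etc/pam.d; then
  test -f /etc/pam.d/ssh && cp -p /etc/pam.d/ssh /etc/pam.d/ssh.old
  cp contrib/sshd.pam.generic /etc/pam.d/ssh
fi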
#
# You may want to add this line (if your browser word-wraps it, put it all
# on one line) to it:
# session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0066
# It will set PAM to auto-create a home directory for anyone that logs in
# that doesn't already have one. If you have a recent version of Linux-PAM,
# read through 'man pam_mkhomedir'.
#
# If you use PAM with padl's pam_ldap, you can find a sample one for sshd in
# pam_ldap's source tree, or here:
# http://englanders.us/pub/linux/misc/sshd.ldap
# (though that one may be older)
# Slackware 8.1 and up have an /etc/rc.d/rc.inet2 that will start
# /etc/rc.d/rc.sshd on boot-up if it exists. In addition to the one below
# you may also want to try contrib/redhat/sshd.init in the source, which
# is intended to use as /etc/init.d/ssh with the /etc/rc?.d/* symlinks.
# If you want a /etc/rc.d/rc.sshd, here's the one that comes with (at least)
# Slackware 9.0 through 11.0:
# Keep the previous rc.sshd (non-executable) and fetch the replacement.
# The download is plain HTTP with no signature or checksum, so read through
# the script before letting it (re)start sshd, or use the rc.sshd shipped
# with the Slackware package instead.
cd /etc/rc.d
if [ -f rc.sshd ]; then
  mv -f rc.sshd rc.sshd.old
  chmod 600 rc.sshd.old
fi
wget http://englanders.us/pub/linux/misc/notmine/rc.sshd &&
chmod 700 rc.sshd
# Use the rc.sshd script to (re)start the master sshd process. The
# Slackware one will leave the sshd process running that your ssh client is
# connected to (if you're ssh'd into the machine you're upgrading ssh on),
# so you won't get booted out. If you're 1,000 miles away from the server
# and nobody is available in person, maybe a 2nd reminder about temporary
# telnet...
if [ -x /etc/rc.d/rc.sshd ]; then
  /etc/rc.d/rc.sshd restart
fi
# Hand the source tree back to the login user so it can be removed later
chown -R "$(logname)" .
chmod -R u+w .
# If you find that you are no longer able to ssh to foo.example.com using
# a key, and ssh prompts you for a password, you can put something like the
# following in ~/.ssh/config or create a new, stronger key pair. Example:
#Host foo.example.com
# HostkeyAlgorithms ssh-dss
# PubkeyAcceptedKeyTypes ssh-dss
# PasswordAuthentication no
#
# As of 7.1 ssh-dss is disabled by default. ssh-keygen will create a 2,048
# bit RSA key by default (without -t or -b). ssh protocol v1 is disabled by
# default as well. For more info, see:
# http://www.openssh.com/legacy.html
# The ssh-rsa signature algorithm (RSA with SHA-1) is no longer supported by
# default; RSA keys still work with rsa-sha2-256/512. See ./ChangeLog and
# 'man sshd_config'
# Become your non-root user again
# Become your non-root user again
exit
# Save the tarball under ~/installed for the next upgrade, dropping any
# older OpenSSH tarballs kept there
cd ~
mkdir -p -m 0700 ~/installed
rm -f ~/installed/openssh-*.tar.*
mv openssh-9.5p1.tar.gz ~/installed/
## Make sure ssh reports the correct version:
## OpenSSH_9.5p1, OpenSSL <version> <date>
ssh -V
# If you ever want to uninstall OpenSSH (?), this should do it. The
# 'make uninstall' should do it, the rest is just in case. I cover
# /usr/local here too because way back this used the default prefix.
# Obviously you don't want to do this if you're logged in remotely with
# ssh :-)
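# Stop sshd (politely first, then forcibly) and run the source tree's
# 'make uninstall'.
cd
su
if [ -x /etc/rc.d/rc.sshd ]; then
  /etc/rc.d/rc.sshd stop
fi
sleep 2
killall sshd 2> /dev/null
sleep 2
killall -9 sshd 2> /dev/null
# '&&' so 'make uninstall' never runs in the current directory when the
# source tree is missing (the original ';' let it do exactly that)
test -d src/openssh-* && ( cd src/openssh-* && make uninstall )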
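# Remove installed binaries, configs and man pages under each prefix.
# Each 'cd' is chained with '&&' so that a missing directory never lets the
# rm -f run in whatever directory the shell happens to be in; that also
# makes a separate 'test -d' guard unnecessary.
for pfx in /usr /usr/local; do
  ( cd "${pfx}/bin" &&
    rm -f -- scp sftp slogin ssh ssh-add ssh-agent ssh-keygen ssh-keyscan )
  ( cd "${pfx}/etc" &&
    rm -f -- moduli ssh_*.dist sshd_*.dist ssh_config ssh_host*key \
      ssh_host*key.pub ssh_prng_cmds sshd_config )
  ( cd "${pfx}/libexec" &&
    rm -f -- sftp-server ssh-keysign ssh-pkcs11-helper ssh-rand-helper )
  ( cd "${pfx}/man/man1" &&
    rm -f -- scp.1 sftp.1 slogin.1 ssh.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 \
      ssh-keyscan.1 )
  ( cd "${pfx}/man/man5" &&
    rm -f -- ssh_config.5 sshd_config.5 )
  # "${pfx}/man/man8" — the expansion must be closed, an unterminated "${"
  # is a syntax error that aborts the whole loop
  ( cd "${pfx}/man/man8" &&
    rm -f -- sftp-server.8 ssh-keysign.8 ssh-pkcs11-helper.8 \
      ssh-rand-helper.8 sshd.8 )
  rm -f -- "${pfx}/sbin/sshd" "${pfx}/share/Ssh.bin"
done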
# Remove the configuration directory and the rc script, then drop root and
# clean the source tree and saved tarballs out of the user's home
if [ -d /etc/ssh ]; then
  rm -r /etc/ssh
fi
rm -f /etc/rc.d/rc.sshd
exit
find ~/src -maxdepth 1 -type d -name "openssh-*" -exec rm -r {} \;
rm -f ~/installed/openssh-*.tar.*