
How to upgrade OpenSSH 7.0 to 7.2 on an OpenBSD Unix and Linux


OpenSSH version 7.2 has been released. How do I install or upgrade my existing OpenSSH version to 7.2 on an OpenBSD Unix operating system?

OpenSSH version 7.2 is primarily a bugfix release. The security fixes include:


Fig.01: OpenSSH 7.2 running on my OpenBSD 7.2 server

* ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2).
* ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
* ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.
* sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config).

See the release notes for more information.

Install / upgrade OpenSSH 7.2 on an OpenBSD Unix system

The following commands are intended to be executed from a root shell. Find out the current version:

# uname -mrs

Sample outputs:

OpenBSD 5.8 amd64

# ssh -V

Sample outputs:

OpenSSH_7.0, LibreSSL 2.2.2

Download OpenSSH 7.2

Type the following command:

# cd /usr/src/

Use the ftp command to grab source code:

# ftp http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz

Sample outputs:

Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz
100% |**************************************************| 746 KB 00:01
763928 bytes received in 1.42 seconds (524.85 KB/s)

If you are installing OpenSSH 7.2 on OpenBSD v5.7 or 5.8, you will need the following patch:

# ftp http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd58_7.2.patch

Sample outputs:

Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd58_7.2.patch
100% |**************************************************| 4461 00:00
4461 bytes received in 0.00 seconds (20.55 MB/s)

Extract tar ball

Use the tar command as follows to extract the files:

# cd /usr/src/usr.bin
# tar xvsfz /openssh-7.2/ssh/ ../openssh-7.2.tar.gz
# cd ssh

Sample outputs:

ssh
ssh/hostfile.c
ssh/LICENCE
ssh/Makefile
ssh/Makefile.inc
ssh/OVERVIEW
ssh/PROTOCOL
ssh/PROTOCOL.agent
ssh/PROTOCOL.certkeys
ssh/PROTOCOL.chacha20poly1305
ssh/PROTOCOL.key
ssh/PROTOCOL.krl
ssh/PROTOCOL.mux
ssh/README
ssh/addrmatch.c
ssh/atomicio.c
ssh/atomicio.h
ssh/auth-bsdauth.c
ssh/auth-chall.c
...
..
..
ssh/ssh-keyscan
ssh/ssh-keyscan/Makefile
ssh/ssh-keysign
ssh/ssh-keysign/Makefile
ssh/ssh-pkcs11-helper
ssh/ssh-pkcs11-helper/Makefile
ssh/sshd
ssh/sshd/Makefile

Apply patch to OpenBSD 5.7 or 5.8, enter:

# patch -p0 < /usr/src/openbsd58_7.2.patch

Sample outputs:

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|? lib/obj
|? scp/obj
|? sftp/obj
|? sftp-server/obj
|? ssh/obj
|? ssh-add/obj
|? ssh-agent/obj
|? ssh-keygen/obj
|? ssh-keyscan/obj
|? ssh-keysign/obj
|? ssh-pkcs11-helper/obj
|? sshd/obj
|Index: clientloop.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
|retrieving revision 1.284
|diff -u -p -r1.284 clientloop.c
|--- clientloop.c 8 Feb 2016 10:57:07 -0000 1.284
|+++ clientloop.c 25 Feb 2016 05:35:28 -0000
--------------------------
Patching file clientloop.c using Plan A...
Hunk #1 succeeded at 1497.
Hunk #2 succeeded at 1527.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: mux.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/mux.c,v
|retrieving revision 1.58
|diff -u -p -r1.58 mux.c
|--- mux.c 13 Jan 2016 23:04:47 -0000 1.58
|+++ mux.c 25 Feb 2016 05:35:29 -0000
--------------------------
Patching file mux.c using Plan A...
Hunk #1 succeeded at 1872.
Hunk #2 succeeded at 1984.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: scp.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/scp.c,v
|retrieving revision 1.184
|diff -u -p -r1.184 scp.c
|--- scp.c 27 Nov 2015 00:49:31 -0000 1.184
|+++ scp.c 25 Feb 2016 05:35:30 -0000
--------------------------
Patching file scp.c using Plan A...
Hunk #1 succeeded at 463.
Hunk #2 succeeded at 473.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ssh-agent.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
|retrieving revision 1.212
|diff -u -p -r1.212 ssh-agent.c
|--- ssh-agent.c 15 Feb 2016 09:47:49 -0000 1.212
|+++ ssh-agent.c 25 Feb 2016 05:35:30 -0000
--------------------------
Patching file ssh-agent.c using Plan A...
Hunk #1 succeeded at 1385.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ssh-keysign.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v
|retrieving revision 1.52
|diff -u -p -r1.52 ssh-keysign.c
|--- ssh-keysign.c 15 Feb 2016 09:47:49 -0000 1.52
|+++ ssh-keysign.c 25 Feb 2016 05:35:30 -0000
--------------------------
Patching file ssh-keysign.c using Plan A...
Hunk #1 succeeded at 170.
Hunk #2 succeeded at 235.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sshd/Makefile
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/sshd/Makefile,v
|retrieving revision 1.88
|diff -u -p -r1.88 Makefile
|--- sshd/Makefile 14 Jan 2016 16:17:40 -0000 1.88
|+++ sshd/Makefile 25 Feb 2016 05:35:30 -0000
--------------------------
Patching file sshd/Makefile using Plan A...
Hunk #1 succeeded at 17.
done

Compile and install

Type the following commands:

# make obj && make cleandir && make depend && make && make install

Sample outputs:

===> lib
===> ssh
install -c -S -s -o root -g bin -m 555 ssh /usr/bin/ssh
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh/../ssh.1 /usr/share/man/man1/ssh.1
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh/../ssh_config.5 /usr/share/man/man5/ssh_config.5
===> sshd
install -c -S -s -o root -g bin -m 555 sshd /usr/sbin/sshd
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/sshd/../sshd.8 /usr/share/man/man8/sshd.8
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/sshd/../sshd_config.5 /usr/share/man/man5/sshd_config.5
===> ssh-add
install -c -S -s -o root -g bin -m 555 ssh-add /usr/bin/ssh-add
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-add/../ssh-add.1 /usr/share/man/man1/ssh-add.1
===> ssh-keygen
install -c -S -s -o root -g bin -m 555 ssh-keygen /usr/bin/ssh-keygen
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-keygen/../ssh-keygen.1 /usr/share/man/man1/ssh-keygen.1
===> ssh-agent
install -c -S -s -o root -g _sshagnt -m 2555 ssh-agent /usr/bin/ssh-agent
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-agent/../ssh-agent.1 /usr/share/man/man1/ssh-agent.1
===> scp
install -c -S -s -o root -g bin -m 555 scp /usr/bin/scp
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/scp/../scp.1 /usr/share/man/man1/scp.1
===> sftp-server
install -c -S -s -o root -g bin -m 555 sftp-server /usr/libexec/sftp-server
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/sftp-server/../sftp-server.8 /usr/share/man/man8/sftp-server.8
===> ssh-keysign
install -c -S -s -o root -g bin -m 4555 ssh-keysign /usr/libexec/ssh-keysign
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-keysign/../ssh-keysign.8 /usr/share/man/man8/ssh-keysign.8
===> ssh-keyscan
install -c -S -s -o root -g bin -m 555 ssh-keyscan /usr/bin/ssh-keyscan
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-keyscan/../ssh-keyscan.1 /usr/share/man/man1/ssh-keyscan.1
===> sftp
install -c -S -s -o root -g bin -m 555 sftp /usr/bin/sftp
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/sftp/../sftp.1 /usr/share/man/man1/sftp.1
===> ssh-pkcs11-helper
install -c -S -s -o root -g bin -m 555 ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
install -c -o root -g bin -m 444 /usr/src/usr.bin/ssh/ssh-pkcs11-helper/../ssh-pkcs11-helper.8 /usr/share/man/man8/ssh-pkcs11-helper.8

Install new config files

First compare your existing config files using the diff command:

# diff sshd_config /etc/ssh/sshd_config
# diff ssh_config /etc/ssh/ssh_config

Make changes:

# vi ssh_config
# vi sshd_config
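
An added example, not part of the original tutorial: two checks on files carried over from the old install, tied to the 7.2 changes listed earlier (an explicit UsePrivilegeSeparation setting overrides the new sandbox default, and moduli entries under 2048 bits fall below the new group-exchange minimum). It assumes POSIX sh and awk; the function names and the sample files, including the placeholder modulus values, are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit helpers for files kept from the previous install.
# Function names and sample data are constructed for illustration.

# Print the bit length of every moduli entry below 2048 bits.
# moduli(5) columns: time type tests tries size generator modulus.
# The size column stores the bit length minus one (2047 means 2048 bits).
weak_moduli() {
    awk '!/^#/ && NF >= 7 && $5 + 1 < 2048 { print $5 + 1 }' "$1"
}

# Print the UsePrivilegeSeparation value if sshd_config pins it to something
# other than "sandbox". sshd uses the first occurrence of a keyword, so only
# the first uncommented match is examined. Handles "keyword value" lines only.
privsep_override() {
    awk 'tolower($1) == "useprivilegeseparation" {
             if (tolower($2) != "sandbox") print $2
             exit
         }' "$1"
}

# Constructed sample files; the modulus column holds short placeholders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/moduli" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 5 C0FFEE01
20150520234251 2 6 100 1535 2 C0FFEE02
20150520235439 2 6 100 2047 2 C0FFEE03
20150521002331 2 6 100 4095 5 C0FFEE04
EOF

cat > "$demo_dir/sshd_config" <<'EOF'
#UsePrivilegeSeparation sandbox
UsePrivilegeSeparation yes
EOF

echo "moduli entries under 2048 bits:"
weak_moduli "$demo_dir/moduli"
echo "explicit privsep setting: $(privsep_override "$demo_dir/sshd_config")"
```

On a live system, pass /etc/ssh/sshd_config and the moduli file your sshd reads instead of the sample files; empty output from both functions means nothing needs changing for these two items.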

Install it:

# cp ssh_config sshd_config /etc/ssh

Restart sshd

Test sshd for syntax errors:

# /etc/rc.d/sshd check
sshd(ok)

Restart the sshd server, enter:

# /etc/rc.d/sshd restart
sshd(ok)
sshd(ok)

Verify it

Find the OpenSSH version:

# ssh -V
OpenSSH_7.2, LibreSSL 2.2.2

A note about Linux users

You can compile and install from the source code or wait for your Linux distro to release an updated openssh version. For example, Arch Linux will release an update soon and can be installed using the pacman command:

$ sudo pacman -Syu

CentOS/RHEL/Debian and Ubuntu Linux LTS servers stay stable for years and you will not be able to install OpenSSH version 7.2. These distros keep the versions of the openssh package to the last stable major release. For further information, see the OpenSSH project home page.
