Installing OpenSSH and OpenSSL from ports*

* Note that this is an old article saved from a previous blog.

I had a few FreeBSD machines still running an old version of OpenSSH and OpenSSL, so it was about time to upgrade these to the latest version.

These were the current versions of OpenSSH and OpenSSL that I was running:

trouble@sun:$ openssl version
OpenSSL 0.9.7b 04 apr 2004
root@server:~# ssh -V
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7b 04 apr 2004

There are multiple ways of upgrading these packages on FreeBSD; here I point out the way I like to use. The first thing to do is set up telnetd so I can access the server using telnet. This way I won't be locked out if something goes wrong while updating OpenSSH to the latest version (note that this is not needed if you do the upgrade locally, but for me it saves a 40 km trip to the colo).
Edit /etc/inetd.conf and enable the telnetd server:

trouble@sun:$ vi /etc/inetd.conf
Find the line:
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
And change it to:
telnet stream tcp nowait root /usr/libexec/telnetd telnetd

Then add inetd to the rc.conf so it will start at boot time (So you can give the server a powerboot if needed and use telnet again).

username@computername:$ vi /etc/rc.conf
Here add:
#-----------------------------
inetd_enable="YES"
inetd_program="/usr/sbin/inetd"
inetd_flags="-wW -C 60"
#-----------------------------

Now we need to start inetd and see if it works:

trouble@sun:$ /usr/sbin/inetd -wW -C 60

And to see if telnet works from a local machine:

trouble@earth:$ telnet SERVERIP
Trying SERVERIP…
Connected to SERVERIP.
Escape character is '^]'.

FreeBSD/i386 (HOSTNAME) (ttyp7)

login:

Good, telnet is working, so now we can start the upgrade of OpenSSH and OpenSSL. Make sure you have cvsup'ed your ports tree to the latest version. First I will upgrade OpenSSL:

trouble@sun:$ cd /usr/ports/security/openssl
trouble@sun:$ make -DWITH_OPENSSL_PORT install

In FreeBSD 5 you can't install the OpenSSL port over the base version anymore, so I back up the original files (so I can go back if anything goes wrong) and link the new version in their place.

#!/bin/sh
# Move the base OpenSSL binary and libraries aside, keeping them as a backup
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /lib/libcrypto.so.3 /lib/libcrypto.so.3.bak
mv /usr/lib/libssl.so.3 /usr/lib/libssl.so.3.bak

# Make sure nothing picks up the old versions by accident
chmod 000 /usr/bin/openssl.bak
chmod 000 /lib/libcrypto.so.3.bak
chmod 000 /usr/lib/libssl.so.3.bak

# Link the port's binary and libraries into the base locations
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/lib/libcrypto.so.3 /lib/libcrypto.so.3
ln -s /usr/local/lib/libssl.so.3 /usr/lib/libssl.so.3

Now OpenSSL should be the latest version:

root@server:~# openssl version
OpenSSL 0.9.7g 11 Apr 2005

Good, that worked; now it's time to upgrade OpenSSH:

trouble@sun:$ cd /usr/ports/security/openssh-portable
trouble@sun:$ make -DOPENSSH_OVERWRITE_BASE=yes install

After the installation you should set NO_OPENSSH=true in your make.conf so it won’t be overwritten if you upgrade your system.

trouble@sun:$ echo "NO_OPENSSH=true" >> /etc/make.conf

The ports version has its binaries in /usr/local/bin, while the base ssh is installed in /usr/bin. You could set your PATH to look in /usr/local/bin first, but I like to back up the old version and link the new version in place of the original.

#!/bin/sh
mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan.bak
mv /usr/libexec/ssh-keysign /usr/libexec/ssh-keysign.bak
mv /usr/bin/ssh-agent /usr/bin/ssh-agent.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
 
chmod 000 /usr/bin/ssh.bak
chmod 000 /usr/bin/ssh-keyscan.bak
chmod 000 /usr/libexec/ssh-keysign.bak
chmod 000 /usr/bin/ssh-agent.bak
chmod 000 /usr/sbin/sshd.bak
 
ln -s /usr/local/bin/ssh /usr/bin/ssh
ln -s /usr/local/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -s /usr/local/libexec/ssh-keysign /usr/libexec/ssh-keysign
ln -s /usr/local/bin/ssh-agent /usr/bin/ssh-agent
ln -s /usr/local/sbin/sshd /usr/sbin/sshd
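The two back-up-and-link scripts above both do the same thing by hand: move a base file aside, lock it down with mode 000 and symlink the port's build in its place. Below is an added example (my own, not from the original post) that turns this into two reusable functions with the checks the post relies on but never shows: it refuses to run if the port build is missing or a backup already exists, verifies the link resolves, and provides the roll-back the post promises. Paths are passed as arguments so it can be exercised in a scratch directory; the real targets are /usr/bin/ssh, /usr/sbin/sshd and so on.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh plus
# mv, ln, chmod, readlink and either GNU or BSD stat.

# swap_in PORT_FILE BASE_FILE
# Moves BASE_FILE to BASE_FILE.bak (mode 000, original mode recorded in
# BASE_FILE.bak.mode) and links PORT_FILE in its place.
swap_in() {
    port=$1; base=$2
    [ -x "$port" ] || { echo "missing port build: $port" >&2; return 1; }
    [ -e "$base" ] || { echo "missing base file: $base" >&2; return 1; }
    # Never overwrite an earlier backup: a second run must not destroy it.
    [ -e "$base.bak" ] && { echo "backup exists: $base.bak" >&2; return 1; }
    # Record the original mode so roll_back can restore it exactly.
    mode=$(stat -c %a "$base" 2>/dev/null || stat -f %Lp "$base") || return 1
    echo "$mode" > "$base.bak.mode" || return 1
    mv "$base" "$base.bak" && chmod 000 "$base.bak" || return 1
    ln -s "$port" "$base" || return 1
    # Only report success if the link really points at the port build.
    [ "$(readlink "$base")" = "$port" ]
}

# roll_back BASE_FILE
# Undoes swap_in: removes the symlink and puts the base file back with
# its original mode.
roll_back() {
    base=$1
    [ -e "$base.bak" ] || { echo "no backup for $base" >&2; return 1; }
    [ -L "$base" ] && rm -f "$base"
    mv "$base.bak" "$base" || return 1
    chmod "$(cat "$base.bak.mode")" "$base" && rm -f "$base.bak.mode"
}

# Example use for the OpenSSH binaries from the post (run as root):
#   for f in bin/ssh bin/ssh-keyscan bin/ssh-agent sbin/sshd; do
#       swap_in /usr/local/$f /usr/$f
#   done
#   swap_in /usr/local/libexec/ssh-keysign /usr/libexec/ssh-keysign
```

If anything breaks, `roll_back /usr/sbin/sshd` (and the others) restores the base binaries without needing the telnet fallback.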

The ports version also comes with a nice start/stop script that you can use; I'm going to use that instead of starting sshd from rc.conf. First edit /etc/rc.conf and disable the base SSH daemon:

trouble@sun:$ vi /etc/rc.conf
Add or edit:
sshd_enable="NO"
sshd_program="/usr/local/sbin/sshd"

Now move the sample sshd script and edit the file to use your old sshd config file:

trouble@sun:$ cd /usr/local/etc/rc.d
trouble@sun:$ mv sshd.sh.sample sshd.sh
trouble@sun:$
trouble@sun:$ vi sshd.sh
Find line 4:
/usr/local/sbin/sshd
And change it to:
/usr/local/sbin/sshd -f /etc/ssh/sshd_config

This tells the new sshd to use the config file in /etc/ssh/sshd_config. Now find the pid of your current sshd and kill it, then start sshd using the script.

trouble@sun:$ ps ax | grep ssh
607 ?? Is 0:00.22 /usr/sbin/sshd
trouble@sun:$ kill -9 607
trouble@sun:$ /usr/local/etc/rc.d/sshd.sh start
trouble@sun:$ ps ax | grep ssh
901 ?? Ss 0:00.00 /usr/local/sbin/sshd -f /etc/ssh/sshd_config

So SSH is running again and should be the latest version:

trouble@sun:$ ssh -V
OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005

Now connect from your client to the server again. You should get a warning that the host key has changed; accept the new key and you should be connected to the latest version of ssh.
Finally, kill the inetd daemon and, if you want, remove it from rc.conf (I keep it in there until I have rebooted the machine, to make sure everything still works after a reboot).
