
How to upgrade OpenSSH 7.0 to 7.2 on OpenBSD Unix and Linux

OpenSSH version 7.2 has been released. How do I install or upgrade my existing OpenSSH version to 7.2 on an OpenBSD Unix operating system?

OpenSSH version 7.2 is primarily a bugfix release. The security fixes include:
Fig.01: OpenSSH 7.2 running on my OpenBSD 7.2 server


  1. ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2).
  2. ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
  3. ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.
  4. sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config).
  5. See the release notes for more information.
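Item 3 makes any Diffie-Hellman group-exchange modulus below 2048 bits unusable, so it is worth checking what the server's moduli file still offers. The script below is an added example, not part of the original tutorial; the sample entries are constructed, and the threshold of 2047 assumes the usual convention of generated moduli files, which record the size as bits minus one.

```shell
#!/bin/sh
# Added example: audit a moduli file against the 2048-bit minimum.
# moduli(5) fields: timestamp type tests trials size generator modulus
# Generated files store size as bits-1 (2047 for a 2048-bit prime).
MIN_SIZE=2047

# moduli_audit FILE: count usable, undersized and malformed entries.
moduli_audit() {
    awk -v min="$MIN_SIZE" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF != 7        { bad++; next }     # not a valid moduli entry
        $5 + 0 < min   { small++; next }   # below the new minimum
                       { ok++ }
        END { printf "usable=%d undersized=%d malformed=%d\n", ok, small, bad }
    ' "$1"
}

# moduli_filter FILE: print comments plus entries that meet the minimum,
# suitable for review before replacing the live file.
moduli_filter() {
    awk -v min="$MIN_SIZE" \
        '/^[ \t]*(#|$)/ || (NF == 7 && $5 + 0 >= min)' "$1"
}

# Constructed sample input; the moduli are shortened placeholders.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 2 C0FFEE01
20150520235007 2 6 100 1535 5 C0FFEE02
20150521003207 2 6 100 2047 2 C0FFEE03
20150521020442 2 6 100 3071 5 C0FFEE04
truncated entry
EOF
}
```

Run `moduli_audit` against the moduli file your sshd reads; a result with `usable=0` means no group in the file satisfies the new minimum.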

Install / upgrade OpenSSH 7.2 on an OpenBSD Unix system

The following commands are intended to be executed from a root shell. Find out the current version:
# uname -mrs
Sample outputs:

OpenBSD 5.8 amd64

# ssh -V
Sample outputs:

OpenSSH_7.0, LibreSSL 2.2.2

Download OpenSSH 7.2

Type the following command:
# cd /usr/src/
Use the ftp command to grab source code:
# ftp http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz
Sample outputs:

Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz
100% |**************************************************|   746 KB    00:01
763928 bytes received in 1.42 seconds (524.85 KB/s)
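The download above travels over plain HTTP, so the tarball should be checked against the checksum in the release announcement before it is unpacked. OpenSSH announcements publish the SHA256 base64-encoded rather than in hex, which trips up most checksum tools. The function below is an added example, not part of the original tutorial, and it accepts either encoding; `EXPECTED` in the usage comment is a placeholder for the value you copy from the announcement.

```shell
#!/bin/sh
# Added example: check a downloaded release tarball against a published
# SHA-256. Accepts the digest as 44-character base64 (the style used in
# the release announcement) or as 64-character hex.

sha256_b64() { openssl dgst -sha256 -binary "$1" | openssl base64; }
sha256_hex() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# verify_release FILE EXPECTED_DIGEST
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_release() {
    file=$1 expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case ${#expected} in
        44) actual=$(sha256_b64 "$file") ;;
        64) actual=$(sha256_hex "$file")
            expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f') ;;
        *)  echo "digest is neither base64 (44) nor hex (64) SHA-256" >&2
            return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Usage (EXPECTED is a placeholder; copy the real value from the notes):
#   verify_release /usr/src/openssh-7.2.tar.gz "$EXPECTED" || exit 1
```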

If you are installing OpenSSH 7.2 on OpenBSD v5.7 or 5.8, you will need the following patch:
# ftp http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd58_7.2.patch
Sample outputs:

Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd58_7.2.patch
100% |**************************************************|  4461       00:00
4461 bytes received in 0.00 seconds (20.55 MB/s)

Extract the tarball

Use the tar command as follows to extract files:
# cd /usr/src/usr.bin
# tar xvsfz /openssh-7.2/ssh/ ../openssh-7.2.tar.gz

Sample outputs:

ssh
ssh/hostfile.c
ssh/LICENCE
ssh/Makefile
ssh/Makefile.inc
ssh/OVERVIEW
ssh/PROTOCOL
ssh/PROTOCOL.agent
ssh/PROTOCOL.certkeys
ssh/PROTOCOL.chacha20poly1305
ssh/PROTOCOL.key
ssh/PROTOCOL.krl
ssh/PROTOCOL.mux
ssh/README
ssh/addrmatch.c
ssh/atomicio.c
ssh/atomicio.h
ssh/auth-bsdauth.c
ssh/auth-chall.c
...
..
..
ssh/ssh-keyscan
ssh/ssh-keyscan/Makefile
ssh/ssh-keysign
ssh/ssh-keysign/Makefile
ssh/ssh-pkcs11-helper
ssh/ssh-pkcs11-helper/Makefile
ssh/sshd
ssh/sshd/Makefile

On OpenBSD 5.7 or 5.8, change into the extracted ssh directory and apply the patch:
# cd ssh
# patch -p0 < /usr/src/openbsd58_7.2.patch
Sample outputs:

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|? lib/obj
|? scp/obj
|? sftp/obj
|? sftp-server/obj
|? ssh/obj
|? ssh-add/obj
|? ssh-agent/obj
|? ssh-keygen/obj
|? ssh-keyscan/obj
|? ssh-keysign/obj
|? ssh-pkcs11-helper/obj
|? sshd/obj
|Index: clientloop.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
|retrieving revision 1.284
|diff -u -p -r1.284 clientloop.c
|--- clientloop.c       8 Feb 2016 10:57:07 -0000       1.284
|+++ clientloop.c       25 Feb 2016 05:35:28 -0000
--------------------------
Patching file clientloop.c using Plan A...
Hunk #1 succeeded at 1497.
Hunk #2 succeeded at 1527.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: mux.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/mux.c,v
|retrieving revision 1.58
|diff -u -p -r1.58 mux.c
|--- mux.c      13 Jan 2016 23:04:47 -0000      1.58
|+++ mux.c      25 Feb 2016 05:35:29 -0000
--------------------------
Patching file mux.c using Plan A...
Hunk #1 succeeded at 1872.
Hunk #2 succeeded at 1984.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: scp.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/scp.c,v
|retrieving revision 1.184
|diff -u -p -r1.184 scp.c
|--- scp.c      27 Nov 2015 00:49:31 -0000      1.184
|+++ scp.c      25 Feb 2016 05:35:30 -0000
--------------------------
Patching file scp.c using Plan A...
Hunk #1 succeeded at 463.
Hunk #2 succeeded at 473.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ssh-agent.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
|retrieving revision 1.212
|diff -u -p -r1.212 ssh-agent.c
|--- ssh-agent.c        15 Feb 2016 09:47:49 -0000      1.212
|+++ ssh-agent.c        25 Feb 2016 05:35:30 -0000
--------------------------
Patching file ssh-agent.c using Plan A...
Hunk #1 succeeded at 1385.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ssh-keysign.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v
|retrieving revision 1.52
|diff -u -p -r1.52 ssh-keysign.c
|--- ssh-keysign.c      15 Feb 2016 09:47:49 -0000      1.52
|+++ ssh-keysign.c      25 Feb 2016 05:35:30 -0000
--------------------------
Patching file ssh-keysign.c using Plan A...
Hunk #1 succeeded at 170.
Hunk #2 succeeded at 235.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sshd/Makefile
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/sshd/Makefile,v
|retrieving revision 1.88
|diff -u -p -r1.88 Makefile
|--- sshd/Makefile      14 Jan 2016 16:17:40 -0000      1.88
|+++ sshd/Makefile      25 Feb 2016 05:35:30 -0000
--------------------------
Patching file sshd/Makefile using Plan A...
Hunk #1 succeeded at 17.
done

Compile and install

Type the following commands:
# make obj && make cleandir && make depend && make && make install
Sample outputs:

===> lib
===> ssh
install -c -S -s  -o root -g bin  -m 555 ssh /usr/bin/ssh
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh/../ssh.1 /usr/share/man/man1/ssh.1
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh/../ssh_config.5 /usr/share/man/man5/ssh_config.5
===> sshd
install -c -S -s  -o root -g bin  -m 555 sshd /usr/sbin/sshd
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/sshd/../sshd.8 /usr/share/man/man8/sshd.8
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/sshd/../sshd_config.5 /usr/share/man/man5/sshd_config.5
===> ssh-add
install -c -S -s  -o root -g bin  -m 555 ssh-add /usr/bin/ssh-add
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-add/../ssh-add.1 /usr/share/man/man1/ssh-add.1
===> ssh-keygen
install -c -S -s  -o root -g bin  -m 555 ssh-keygen /usr/bin/ssh-keygen
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-keygen/../ssh-keygen.1 /usr/share/man/man1/ssh-keygen.1
===> ssh-agent
install -c -S -s  -o root -g _sshagnt  -m 2555 ssh-agent /usr/bin/ssh-agent
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-agent/../ssh-agent.1 /usr/share/man/man1/ssh-agent.1
===> scp
install -c -S -s  -o root -g bin  -m 555 scp /usr/bin/scp
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/scp/../scp.1 /usr/share/man/man1/scp.1
===> sftp-server
install -c -S -s  -o root -g bin  -m 555 sftp-server /usr/libexec/sftp-server
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/sftp-server/../sftp-server.8 /usr/share/man/man8/sftp-server.8
===> ssh-keysign
install -c -S -s  -o root -g bin  -m 4555 ssh-keysign /usr/libexec/ssh-keysign
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-keysign/../ssh-keysign.8 /usr/share/man/man8/ssh-keysign.8
===> ssh-keyscan
install -c -S -s  -o root -g bin  -m 555 ssh-keyscan /usr/bin/ssh-keyscan
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-keyscan/../ssh-keyscan.1 /usr/share/man/man1/ssh-keyscan.1
===> sftp
install -c -S -s  -o root -g bin  -m 555 sftp /usr/bin/sftp
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/sftp/../sftp.1 /usr/share/man/man1/sftp.1
===> ssh-pkcs11-helper
install -c -S -s  -o root -g bin  -m 555 ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
install -c -o root -g bin -m 444  /usr/src/usr.bin/ssh/ssh-pkcs11-helper/../ssh-pkcs11-helper.8 /usr/share/man/man8/ssh-pkcs11-helper.8

Install new config files

First compare your existing config files using the diff command:
# diff sshd_config /etc/ssh/sshd_config
# diff ssh_config /etc/ssh/ssh_config

Make changes:
# vi ssh_config
# vi sshd_config

Install it:
# cp ssh_config sshd_config /etc/ssh

Restart sshd

Test sshd for syntax errors:
# /etc/rc.d/sshd check
sshd(ok)

Restart the sshd server, enter:
# /etc/rc.d/sshd restart
sshd(ok)
sshd(ok)
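A broken sshd_config on a remote machine can lock you out on the next restart. sshd's own test mode (`sshd -t`) parses a config file without starting the daemon, so the edited file can be validated before it is copied over /etc/ssh. The function below is an added example, not part of the original tutorial; the `.pre-upgrade` backup suffix and the `SSHD` override variable are names chosen here.

```shell
#!/bin/sh
# Added example: validate a candidate sshd_config before it replaces the
# live one, and keep the previous file for rollback.
# SSHD may be overridden; the default matches the install output above.
SSHD=${SSHD:-/usr/sbin/sshd}

# install_sshd_config CANDIDATE LIVE
# Returns 0 when installed, 1 when validation fails, 2 on I/O problems.
install_sshd_config() {
    candidate=$1 live=$2
    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # -t: test mode, check the configuration and exit; -f: file to check
    if ! "$SSHD" -t -f "$candidate"; then
        echo "refusing to install: $candidate fails sshd -t" >&2
        return 1
    fi

    # Keep the previous file so a bad change can be rolled back
    if [ -f "$live" ]; then
        cp -p "$live" "$live.pre-upgrade" || return 2
    fi

    # Copy to a temporary name in the same directory, then rename, so the
    # live path never holds a half-written file
    tmp="$live.new.$$"
    cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$live" || {
        rm -f "$tmp"
        return 2
    }
}

# Usage, from the source directory used in this tutorial:
#   install_sshd_config sshd_config /etc/ssh/sshd_config
```

Keep an existing SSH session open while restarting sshd, and confirm a new login works before closing it.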

Verify it

Find the OpenSSH version:
# ssh -V
OpenSSH_7.2, LibreSSL 2.2.2

A note for Linux users

You can compile and install from the source code or wait for your Linux distro to release an updated openssh version. For example, Arch Linux will release an update soon, and it can be installed using the pacman command:
$ sudo pacman -Syu
CentOS/RHEL/Debian and Ubuntu Linux LTS servers stay stable for years, and you will not be able to install OpenSSH version 7.2. These distros keep the version of the openssh package at the last stable major release. For further information, see the OpenSSH project home page.

  • risc February 29, 2016, 8:24 am

    Time to track 5.8 stable, and learn rcctl. :)

    # rcctl check sshd
    sshd(ok)
    # rcctl restart sshd
    sshd(ok)
    sshd(ok)
    # ssh -V
    OpenSSH_7.2, LibreSSL 2.2.6
    #
