How to install and upgrade OpenSSH server on FreeBSD

The other day I wrote about setting up ssh public key password-less authentication for FreeBSD server version 12/13 with an optional 2FA hardware USB key (FIDO2) for additional protection. However, FIDO2 and the key types ecdsa-sk and ed25519-sk are not supported by the OpenSSH client and server versions shipped with FreeBSD 12 or 13. But fear not, we can safely upgrade the OpenSSH version using the ports collection. This page explains how to install and configure the latest portable version of the OpenSSH client and server on FreeBSD 13.

WARNING! It would be best to take some basic precautions if you are doing this on a remote server hosted at AWS or any other data center of your choice. Otherwise, you will end up losing access to TCP port 22.

Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: FreeBSD
Est. reading time: 6 minutes

Finding out FreeBSD SSHD version

The excellent news is that FreeBSD has the concept of a base operating system and 3rd party applications. To find the default sshd and its version, run:
command -v sshd
type sshd
# find version by sending ssh verbose command #
ssh -v user@localhost
ssh -V

Here is what I saw on my FreeBSD 13 box:

OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd  25 Mar 2021

Please note that the updated portable version of OpenSSH will be installed in the /usr/local/{bin,sbin,etc} directories, including the config files. So it will not overwrite the base version of sshd and the ssh client. Let us upgrade the OpenSSH client and server to version 8.8 on a FreeBSD Unix machine.

How to install and upgrade OpenSSH server on FreeBSD

  1. First, find out the OpenSSH version and packages using the pkg command:
    pkg search openssh-po\*

  2. Now, install openssh-portable on FreeBSD, run:
    pkg install openssh-portable
    # Or, to install the port instead, run:
    cd /usr/ports/security/openssh-portable/
    make install clean


  3. To enable the updated sshd from the port, add the line openssh_enable="YES" using the sysrc command. The second command will disable sshd in the base system:
    sysrc openssh_enable="YES"
    # disable base system sshd
    sysrc sshd_enable="NO"


  4. Now the tricky part. You can’t start the updated version of OpenSSH without stopping the existing sshd from the base system. However, it is an easy task if you have access to the actual FreeBSD console and are not doing this over an ssh session. The trick is to configure the updated OpenSSH on another TCP port and run it alongside the base sshd. So edit the config file:
    vi /usr/local/etc/ssh/sshd_config
    Set the port to 2222:
    Port 2222
    Save and close the file. Next, make sure you open TCP port 2222 using your firewall. For example, a pf rule in your config would be:
    pass in inet proto tcp to $ext_if port 2222

  5. Finally, start the updated openssh, run:
    service openssh start

  6. Verify that the updated version of OpenSSH is running using the sockstat command:
    sockstat -4 | grep :22
    ps aux | grep sshd
    # The updated version sshd
    service openssh status
    # The base system sshd
    service sshd onestatus
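
The port collision behind step 4 can be checked before running service openssh start. The following is an added example, not from the original article: it reads the Port lines of the new sshd_config and compares them with saved sockstat -4 output. The function names and sample data are constructed for illustration, and ports set through ListenAddress are not considered.

```sh
# Added example, not from the original article. Sample data is constructed.

config_ports() {
    # Print every Port value in an sshd_config file; sshd listens on 22 if none is set.
    # Assumption: ports given as "ListenAddress host:port" are not considered.
    awk '
        { sub(/#.*/, "") }                      # strip comments
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
        END { if (!n) print 22 }
    ' "$1"
}

listeners() {
    # stdin: `sockstat -4` output. Print "port command pid" for each TCP listener
    # (a listening socket has *:* as its foreign address).
    awk '$5 ~ /^tcp/ && $7 == "*:*" { n = split($6, a, ":"); print a[n], $2, $3 }'
}

port_conflicts() {
    # $1 = sshd_config path, $2 = file holding saved sockstat output.
    # Prints one line per configured port that is already bound; returns 1 if any.
    rc=0
    for p in $(config_ports "$1"); do
        owner=$(listeners < "$2" | awk -v p="$p" '$1 == p { print $2 " pid " $3; exit }')
        if [ -n "$owner" ]; then
            echo "port $p is already bound by $owner"
            rc=1
        fi
    done
    return "$rc"
}

demo() {
    # Constructed sample: base sshd listening on 22 with one established session.
    d=$(mktemp -d)
    printf '%s\n' 'USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS' \
        'root sshd 831 4 tcp4 *:22 *:*' \
        'alice sshd 1203 4 tcp4 192.168.2.186:22 192.0.2.10:51514' > "$d/socks"
    printf 'Port 2222\n' > "$d/new.conf"       # the setting from step 4
    printf '#Port 22\n' > "$d/default.conf"    # no Port set: sshd falls back to 22
    port_conflicts "$d/new.conf" "$d/socks" && echo "new.conf: port is free"
    port_conflicts "$d/default.conf" "$d/socks" || echo "default.conf: bind would fail"
    rm -rf "$d"
}
demo
```

On the server, save sockstat -4 to a file and pass it with /usr/local/etc/ssh/sshd_config to port_conflicts; running /usr/local/sbin/sshd -t -f /usr/local/etc/ssh/sshd_config additionally checks the file for syntax errors.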


Logging into an updated version of sshd

The syntax for the ssh command (type on the client desktop):

ssh -i {~/path/to/private_key} -p {TCP_PORT} {user}@{server_ip_name}
ssh -i ~/.ssh/id_469_ecdsa_sk_backup -p 2222 vive@192.168.2.186

A note about configuration files for updated version of SSHD on FreeBSD

  • Directory: /usr/local/etc/ssh/
  • Server OpenSSH config file: /usr/local/etc/ssh/sshd_config
  • Client OpenSSH config file: /usr/local/etc/ssh/ssh_config

Starting/Restarting OpenSSH

Use the following service commands:
service openssh restart
service openssh reload
service openssh status

How to switch back to TCP port # 22

The next time you reboot the FreeBSD server, it will only start OpenSSH at port 2222 and SSHD from the base system will be disabled. However, at run time or before reboot, you can change the TCP port as follows:
# stop sshd from base system on port 22 #
service sshd onestop

Edit /usr/local/etc/ssh/sshd_config, set Port to 22, and then restart/reload OpenSSH:
service openssh reload

Base vs OpenSSH ssh clients

One final issue was that the ssh utilities from the base OS were used when I tried the ssh command or the ssh-keygen command. Because of PATH settings on FreeBSD, /bin and /sbin will get higher preference. For instance:

echo "$PATH"
type ssh
command -v ssh
ls -l /usr/local/bin/ssh

Luckily, the fix was easy:

# Update PATH and append to your ~/.tcshrc or ~/.login when using tcsh
setenv PATH /usr/local/bin:$PATH
 
# Or update .bash_profile or ~/.profile when using bash/sh 
export PATH=/usr/local/bin:$PATH
 
# Verify it
type ssh
command -v ssh
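
To confirm which client the shell will actually pick, and whether it is new enough for the ecdsa-sk and ed25519-sk key types, the following added example (not from the original article) walks a PATH string in lookup order and reports each ssh binary with its version. The function names are made up for illustration; the 8.2 threshold is the OpenSSH release that introduced the FIDO key types.

```sh
# Added example, not from the original article.

version_of() {
    # Run "<binary> -V" (it prints to stderr) and extract MAJOR.MINOR from a
    # banner such as "OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd  25 Mar 2021".
    "$1" -V 2>&1 < /dev/null |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

has_fido() {
    # True when version $1 (MAJOR.MINOR) is 8.2 or later, the first release
    # with the ecdsa-sk and ed25519-sk key types.
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

audit_path() {
    # $1 = PATH-style string. Print "binary version fido|no-fido" for every ssh
    # found, in lookup order: the first line is the client the shell will run.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -f "$dir/ssh" ] && [ -x "$dir/ssh" ] || continue
        v=$(version_of "$dir/ssh")
        [ -n "$v" ] || continue            # not an OpenSSH client
        if has_fido "$v"; then
            echo "$dir/ssh $v fido"
        else
            echo "$dir/ssh $v no-fido"
        fi
    done
}

audit_path "$PATH"
```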

Another option is to create shell aliases. For example, here is how one can list/create bash aliases using a bash for loop:

for i in $(pkg info -l openssh-portable | grep '/usr/local/bin')
do 
   echo "alias ${i##*/}='$i'"
   # Append to ~/.profile 
   # echo "alias ${i##*/}='$i'" >> ~/.profile 
   #
done

Outputs:

alias scp='/usr/local/bin/scp'
alias sftp='/usr/local/bin/sftp'
alias ssh='/usr/local/bin/ssh'
alias ssh-add='/usr/local/bin/ssh-add'
alias ssh-agent='/usr/local/bin/ssh-agent'
alias ssh-keygen='/usr/local/bin/ssh-keygen'
alias ssh-keyscan='/usr/local/bin/ssh-keyscan'

Here is a tcsh foreach loop example to create those aliases when using tcsh/csh:

# set array
set files= ( `pkg info -l openssh-portable | grep '/usr/local/bin'` )
# do dirty work here
foreach i ( $files )
 echo "alias `basename $i` $i" >> ~/.tcshrc
 # echo "alias `basename $i` $i" >> ~/.tcshrc
end
 
# verify it
alias

Sample outputs for tcsh:

h	(history 25)
j	(jobs -l)
la	(ls -aF)
lf	(ls -FA)
ll	(ls -lAF)
scp	/usr/local/bin/scp
sftp	/usr/local/bin/sftp
ssh	/usr/local/bin/ssh
ssh-add	/usr/local/bin/ssh-add
ssh-agent	/usr/local/bin/ssh-agent
ssh-keygen	/usr/local/bin/ssh-keygen
ssh-keyscan	/usr/local/bin/ssh-keyscan

Summing up

And that is how you install and configure an updated version of OpenSSH on your FreeBSD box. When you run the following pkg commands, they will automatically update OpenSSH to the latest available portable version:
pkg update
pkg upgrade

Do check the following FreeBSD and OpenSSH docs/manual pages using the man command:
man sshd_config
man service
man sysrc
man ssh
man sshd
man sockstat
man bash
man tcsh

This entry is 5 of 23 in the Linux/Unix OpenSSH Tutorial series.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.
