# FreeBSD Openssh upgrade/update



## Janice (Feb 27, 2010)

Hello all,
I have looked high and low for an answer on Google and cannot seem to find the answer to this. I am looking to upgrade/update OpenSSH on my FreeBSD 7.0-RELEASE-p12 machine. When I do a `ssh -V` I get:

```
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
```
I understand that the latest version as of my posting is: OpenSSH 5.3/5.3p1 released Oct 1, 2009

What is the proper way to update/upgrade this (OpenSSH and OpenSSL) to the latest version? Any advice at this point would be most appreciated.

Janice


----------



## DutchDaemon (Feb 27, 2010)

OpenSSH is tied in to your base system. You're not supposed to pick and choose. Consider hopping to FreeBSD 8, where OpenSSH is now at:

```
OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009
```
Maybe FreeBSD 7.2 (or 7.3 RC/beta) will be enough.


----------



## Janice (Feb 27, 2010)

Thank you DutchDaemon for the lightning fast reply.
This would explain why the searches I have tried came up empty for the most part.
The only one I found that was even close was this: http://lists.freebsd.org/pipermail/freebsd-questions/2004-January/032814.html
but didn't feel that was exactly right and seemed dated.
Janice


----------



## DutchDaemon (Feb 27, 2010)

That's very outdated, yes. There's no separate opensshd in ports anymore. Anyway, if there were any security patches for OpenSSH, they were probably MFC'ed back to your current patch level. For a really newer version of OpenSSH, you will have to freebsd-update to the latest release + patch level.


----------



## phoenix (Mar 1, 2010)

One can install security/openssh-portable, which has the latest version of OpenSSH.  This will be installed into /usr/local.  You can either change your PATH to put /usr/local ahead of /usr, or you can just rename the /usr/bin/ssh* tools.  That way, running "ssh" from the command line will pick up the one from /usr/local/bin.

Be sure to set *sshd_enable="NO"* and *openssh_enable="YES"* in /etc/rc.conf.

The nice thing about using the ports version is that it includes the HPN (High Performance Networking) patches, including the "none" cipher (no encryption).  These can *really* speed up bulk transfers via scp/sftp.


----------



## Janice (Mar 2, 2010)

phoenix, That is good news. So basically when I install openssh-portable from ports it will be in essence separate from my original ssh? And will this have any impact on remote logins once the server has been rebooted? I mean after I put the entries in the rc.conf. I'm just a little confused on this (install) as I don't want to botch nothing up doing this as this seems like it is imperative it is done right. Again thank you,
Janice


----------



## Nightweaver (Mar 2, 2010)

If you wish your "new" OpenSSH to work as the "old" one just use the same config file. Nothing will change when it comes to remote logins. You will have two separate OpenSSH servers. The default one will not be running in this case though. Note, both SSH's are at the same version at the moment so there is no point in installing the portable one.


----------



## phoenix (Mar 2, 2010)

Janice said:

> phoenix, That is good news. So basically when I install openssh-portable from ports it will be in essence separate from my original ssh?



Correct.  OpenSSH installed as part of FreeBSD is under /usr with configuration under /etc/ssh.

OpenSSH installed via the ports tree is under /usr/local with configuration under /usr/local/etc/ssh.



> And will this have any impact on remote logins once the server has been rebooted?



Nope.  OpenSSH is OpenSSH is OpenSSH.  It works the same, regardless of whether it's installed with FreeBSD or via the ports tree.  It all uses the same /etc/passwd setup for user logins.



> I mean after I put the entries in the rc.conf. I'm just a little confused on this (install) as I don't want to botch nothing up doing this as this seems like it is imperative it is done right.



Install openssh-portable.  Edit rc.conf to have *sshd_enable="NO"* and *openssh_enable="YES"*.  Run */etc/rc.d/sshd forcestop* and */usr/local/etc/rc.d/openssh start*.  And try to login via SSH.


----------
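A pre-reboot check for the rc.conf switch described in the post above, as an added example that is not part of the thread. It reports which sshd an rc.conf-style file would start at boot; `rc_value`, `is_on` and `audit_ssh_rc` are hypothetical helper names, and the sample rc.conf is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): check which sshd an rc.conf-style file
# will start at boot. rc.conf is sourced as shell, so the LAST assignment wins.
# Assumption: only the given file is read (no rc.conf.local, no defaults).

# rc_value FILE VAR: print the effective value of VAR, lower-cased.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# is_on VALUE: true for the values rc.subr's checkyesno treats as enabled.
is_on() {
    case "$1" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ssh_rc FILE: print ports | base | both | none.
audit_ssh_rc() {
    base=$(rc_value "$1" sshd_enable)
    port=$(rc_value "$1" openssh_enable)
    if is_on "$base" && is_on "$port"; then
        echo both    # both daemons default to the same listen port
    elif is_on "$port"; then
        echo ports   # the switch-over described in the post
    elif is_on "$base"; then
        echo base    # still running the base-system sshd
    else
        echo none    # nothing starts at boot: remote logins stop working
    fi
}

# Constructed sample: the old line was left in place and new ones appended.
sample=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX")
cat > "$sample" <<'EOF'
hostname="example.local"
sshd_enable="YES"
# switch to security/openssh-portable
sshd_enable="NO"
openssh_enable="YES"
EOF
echo "verdict: $(audit_ssh_rc "$sample")"
rm -f "$sample"
```

A verdict of `both` or `none` is worth fixing before rebooting a machine that is only reachable over SSH.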



## Janice (Mar 5, 2010)

This is great, 
Most superb help here might I say. I will be installing this coming weekend and I will finalize here on how everything went. Thank you DutchDaemon, phoenix, and NightWeaver as with these directions it looks a breeze.
Janice


----------



## deltatux (Jun 22, 2010)

phoenix said:

> The nice thing about using the ports version is that it includes the HPN (High Performance Networking) patches, including the "none" cipher (no encryption).  These can *really* speed up bulk transfers via scp/sftp.



Sorry for reviving this thread from the dead, but doesn't turning off encryption defeat the purpose of SSH/SFTP?

Cheers,
deltatux


----------



## phoenix (Jun 22, 2010)

If sending across public, untrusted networks, sure.  But for transfers on a LAN, or across a dedicated private network, it's nice to be able to triple your throughput.

Authentication is still encrypted.  Only the data transfer is unencrypted.  And it's only available if both the server and the client are HPN-enabled, and it requires a command-line option (no ssh_config or .ssh/config option).  So it's only enabled on a per-transfer basis.

Even if you don't enable the NONE cipher, though, the HPN patches can almost double your SSH/SCP/SFTP transfers.


----------



## dennylin93 (Jun 22, 2010)

I hope the OpenSSH devs integrate the HPN patch into the source in the future, but it probably won't happen.


----------



## ecpeachy (Jan 7, 2011)

phoenix said:

> Correct.  OpenSSH installed as part of FreeBSD is under /usr with configuration under /etc/ssh.
> 
> OpenSSH installed via the ports tree is under /usr/local with configuration under /usr/local/etc/ssh.
> 
> ...


How about downloading the Portable version from OpenSSH.org and compiling it with

```
--prefix=/usr --sysconfdir=/etc/ssh
```
which should overwrite the installed version with the latest one?


----------



## kaspian (Oct 20, 2011)

I have the following question. Now openssh-portable is too old in ports, so there is no reason to use it. Is it possible to update only sshd without building world?


----------



## phoenix (Oct 20, 2011)

security/openssh-portable is in the process of being upgraded to 5.8p1 or thereabouts.


----------

