IBM Support

Downloading and Installing or Upgrading OpenSSL and OpenSSH

Question & Answer


Question

How do I download, install, or upgrade OpenSSL and OpenSSH on AIX?

Answer

1) Download the latest available "OpenSSL or OpenSSH n.n.n" for your AIX version from the following download links:  
** You need an IBMid to access this site.  
NOTE: This download site is not managed or supported by AIX Support. If you have problems accessing the site or downloading images, send an email to mktsystm@us.ibm.com describing the errors. They will contact you to resolve any support issues.
2) Create a directory to hold OpenSSL and OpenSSH.
Example:
% mkdir /tmp/newOpenSSL
% mkdir /tmp/newOpenSSH
  •  Transfer the compressed OpenSSL tar file to the /tmp/newOpenSSL directory.
  •  Transfer the compressed OpenSSH tar file to the /tmp/newOpenSSH directory.

3) If /etc/ssh exists before the upgrade of OpenSSH or AIX, make a backup of the directory.  Skip steps 3 and 9-10 if OpenSSH is not installed.
Important Notes
A) If you have an existing ssh configuration, make a copy of the /etc/ssh directory before installing the new ssh to preserve the ssh host keys. If this is a new installation of ssh, there will not be an /etc/ssh directory.

  % cp -pr /etc/ssh /etc/ssh_backup
B) Read the following technote for details about changes in OpenSSH Version 7. 

4) Prepare the OpenSSL software for installation.
% cd /tmp/newOpenSSL
% uncompress openssl-N.N.NNN.NNNN.tar.Z 
% tar -xvf openssl-N.N.NNN.NNNN.tar
% cd <newly created OpenSSL directory if one was created>
5) Install the OpenSSL software.
% smitty install_all
INPUT device / directory for software [.]
<enter>
* INPUT device / directory for software .
* SOFTWARE to install []
<....>
Select F4 or esc+4 to list the OpenSSL software.
Select with F7: openssl.base openssl.license openssl.man.en_US
<enter> ACCEPT new license agreements? yes
<enter>
Or use the command line:
% installp -qaXFY -d . openssl.base openssl.license openssl.man.en_US
6) Prepare the OpenSSH software for installation.
% cd /tmp/newOpenSSH
% uncompress OpenSSH_N.N.NNN.NNNN.tar.Z
% tar -xvf OpenSSH_N.N.NNN.NNNN.tar
7) Install the OpenSSH software.
% cd <newly created OpenSSH directory if one was created>
% smitty install_all
INPUT device / directory for software [.]
<enter>
* INPUT device / directory for software .
* SOFTWARE to install []
<....>
Select F4 or esc+4 to list the OpenSSH software.
Select with F7: openssh.base openssh.license openssh.man.en_US openssh.msg.EN_US openssh.msg.en_US
<enter> ACCEPT new license agreements? yes
<enter>
Or use the command line:
% installp -qaXFY -d . openssh.base openssh.license openssh.man.en_US openssh.msg.EN_US openssh.msg.en_US
8) If the installation was successful, sshd is now active.
% lssrc -g ssh
  • This should result in an "active" status, indicating it is ready to accept ssh connections
    •  NOTE: SSHD is called from /etc/rc.d/rc2.d/Ssshd script at boot up.
      • The Ssshd script is called from the l2 entry in /etc/inittab --> l2:2:wait:/etc/rc.d/rc2.d
9) Update the virtual AIX-rpm package (Required for OpenSSL versions lower than 1.0.2.2101)
Since many Open Source packages rely on OpenSSL, it is recommended to run the following command, which will update your virtual AIX-rpm package so the rpm installer will be aware of the new or updated libraries:
% /usr/sbin/updtvpkg
*** Skip steps 10 and 11 if this is a new SSH installation.
10) Restore or update ssh host keys and config files.
% cd /etc/ssh
  • Back up the newly installed ssh_config and sshd_config files.
% cp -p ssh_config ssh_config.orig_<today's_date>
% cp -p sshd_config sshd_config.orig_<today's_date>
  • Restore the /etc/ssh_backup host keys directory
% cd /etc/ssh_backup
% cp -pr ssh_host_*_key*  /etc/ssh
  • Update (or restore previous) sshd_config and ssh_config files
**It is recommended that you use the newly installed ssh_config and sshd_config files, and if there was any customization of the old files, you should manually add those changes to the new files. 
  • Alternatively (not recommended), you can restore the previous config files:
% cd /etc/ssh_backup
% cp -pr sshd_config ssh_config /etc/ssh
11) Stop and restart sshd to read the updated config files.
  • To stop sshd from the command line:
% stopsrc -s sshd
  • To start sshd from the command line:
% startsrc -s sshd
% lssrc -g ssh
This should result in an "active" status, indicating the system is ready to accept ssh connections.
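
The following script is an added example, not part of the IBM procedure. It checks the outcome of step 10: that the host keys saved in /etc/ssh_backup are back in /etc/ssh unchanged, so clients do not see a changed host key, and that no private key is accessible to group or other. It also lists active lines of the old sshd_config that the new file lacks. The function names check_host_keys and custom_directives are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's procedure. Directory names follow the page.

# check_host_keys BACKUP_DIR LIVE_DIR
# Succeeds only if every saved ssh_host_*_key* file is present and
# byte-identical in LIVE_DIR and no private key is open to group/other.
check_host_keys() {
    backup=$1 live=$2 problems=0 checked=0
    for saved in "$backup"/ssh_host_*_key*; do
        [ -f "$saved" ] || continue          # unmatched glob or not a file
        checked=$((checked + 1))
        name=${saved##*/}
        if [ ! -f "$live/$name" ]; then
            echo "MISSING  $name"; problems=$((problems + 1)); continue
        fi
        if ! cmp -s "$saved" "$live/$name"; then
            echo "CHANGED  $name"; problems=$((problems + 1))
        fi
        case $name in
            *.pub) ;;                        # public halves may be readable
            *)  bits=$(ls -ld "$live/$name" | cut -c5-10)   # group+other bits
                if [ "$bits" != "------" ]; then
                    echo "PERMS    $name ($bits)"; problems=$((problems + 1))
                fi ;;
        esac
    done
    [ "$checked" -gt 0 ] || { echo "NOKEYS   none saved in $backup"; return 2; }
    [ "$problems" -eq 0 ]
}

# custom_directives OLD_CONFIG NEW_CONFIG
# Prints active lines of OLD_CONFIG with no equivalent in NEW_CONFIG.
# Keywords compare case-insensitively and runs of blanks as one; the
# comparison is line by line, so review Match blocks by hand.
custom_directives() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        { orig = $0; $1 = tolower($1); key = $0 }     # normalise the line
        FILENAME == ARGV[1] { seen[key]; next }       # first file: new config
        !(key in seen) { print orig }
    ' "$2" "$1"
}

# Usage after step 10:
#   check_host_keys /etc/ssh_backup /etc/ssh
#   custom_directives /etc/ssh_backup/sshd_config /etc/ssh/sshd_config
```

A CHANGED or MISSING line means the installed key differs from the one clients already trust; repeat the host key restore in step 10 before restarting sshd in step 11.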
SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
21 September 2023

UID

isg3T1027135