IBM Support

Downloading and Installing or Upgrading Openssl and Openssh

Question & Answer


Question

How do I download, install, or upgrade openssl and openssh on AIX®?

Answer

1) Download the latest available "OpenSSL or OpenSSH n.n.n" for your AIX version from the following download link:  
 - Register for a user ID at the site if you do not have an account
NOTE: This download site is not managed by AIX Support. If you have problems accessing or registering at the site,  send an email to mktsystm@us.ibm.com describing the errors.
The following example is the latest version at the time of publishing. Always check the download site, and corresponding readme files for information pertaining to your AIX oslevel.
OpenSSL
    • (34779877)
OpenSSH
  • VRMF: 7.5.102.1801
    • OpenSSH_7.5.102.1801.tar.Z  (11765639)
***NOTE: OpenSSL must be installed first.
2) Create directory to hold OpenSSL and OpenSSH.
Example:
% mkdir /tmp/newOpenSSL
% mkdir /tmp/newOpenSSH
Transfer the compressed OpenSSL tar file to the /tmp/newOpenSSL directory.
Transfer the compressed OpenSSH tar file to the /tmp/newOpenSSH directory

3) If /etc/ssh exists before the upgrade of OpenSSH or AIX, make a backup of the directory.  Skip steps 3 and 9-10 if OpenSSH is not installed.
Important Notes
A) If you have an existing ssh configuration, make a copy of the /etc/ssh directory before installing the new ssh to preserve the ssh host keys. If this is a new installation of ssh, there will not be an /etc/ssh directory.

  % cp -pr /etc/ssh /etc/ssh_backup
B) Read the following technote for details about changes in OpenSSH Version 7. 

4) Prepare the OpenSSL software for installation.
% cd /tmp/newOpenSSL
% uncompress  
% tar -xvf
% cd <newly created OpenSSL directory if one was created>
5) Install the OpenSSL software.
% smitty install_all INPUT device / directory for software [.]
<enter> * INPUT device / directory for software . * SOFTWARE to install []
<....>
Select F4 or esc+4 to list the OpenSSL software.
Select with F7: openssl.base OpenSSL.license OpenSSL.man.en_US
<enter> ACCEPT new license agreements? yes
<enter>
6) Prepare the OpenSSH software for installation.
% cd /tmp/newOpenSSH
% uncompress OpenSSH_7.5.102.1801.tar.Z
% tar -xvf OpenSSH_7.5.102.1801.tar
7) Install the OpenSSH software.
% cd <newly created OpenSSH directory if one was created>
% smitty install_all INPUT device / directory for software [.]
<enter>
* INPUT device / directory for software .
* SOFTWARE to install []
<....>
Select F4 or esc+4 to list the OpenSSL software.
Select with F7: openssh.base OpenSSH.license OpenSSH.man.en_US OpenSSH.msg.EN_US OpenSSH.msg.en_US
<enter> ACCEPT new license agreements? yes
<enter>
8) If the installation was successful, sshd is now active.
% lssrc -g sshd
This should result in an "active" status, indicating it is ready to accept ssh connections

NOTE: SSHD is called from /etc/rc.d/rc2.d/Ssshd script at boot up. The Ssshd script is called from the l2 entry in /etc/inittab
 --> l2:2:wait:/etc/rc.d/rc2.d
9) Update the virtual AIX-rpm package.
Since many Open Source packages rely on OpenSSL, it is recommended to run the following command, which will update your virtual AIX-rpm package so the rpm installer will be aware of the new or updated libraries:
% /usr/sbin/updtvpkg

*** Skip steps 10 and 11 if this is a new SSH installation.
10) Restore or update ssh host keys and config files.
% cd /etc/ssh
Back up the newly installed ssh_config and sshd_config files.
% cp -p ssh_config ssh_config.orig_<today's_date>
% cp -p sshd_config sshd_config.orig_<today's_date>
Restore the /etc/ssh_backup host keys directory
% cd /etc/ssh_backup
% cp -pr cp ssh_host_*_key*  /etc/ssh
Update (or restore previous) sshd_config and ssh_config files
**It is recommended that you use the newly installed ssh_config and sshd_config files, and if there was any customization of the old files, you should manually add those changes to the new files. 
Alternatively (not recommended), you can restore the previous config files:
% cd /etc/ssh_backup
% cp -pr sshd_config ssh_config /etc/ssh
11) Stop and restart sshd to read the updated config files.
To stop sshd from the command line:
% stopsrc -s sshd
To start sshd from the command line:
% startsrc -s sshd
% lssrc -g sshd
This should result in an "active" status, indicating the system is ready to accept ssh connections.
SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For guidance, see: Working with IBM AIX Support: Collecting snap data

[{"Product":{"code":"SWG10","label":"AIX"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"}],"Version":"Not Applicable","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
15 September 2020

UID

isg3T1027135