How do I download, install, or upgrade OpenSSL and OpenSSH on AIX?

1. Download the OpenSSL package to your workstation or host computer.
   1. To get the package, go to the AIX® Web Download Pack Programs website.
   2. If you are registered to download the packages, sign in and accept the license agreement.
   3. If you are not registered to download the packages, complete the registration process and accept the license agreement. After registering, you are redirected to the download page.
   4. Select the package for download: openSSL and click Continue.
   5. Select any version of the package and click Download now.
2. Download the OpenSSH software by completing the following steps:

   NoteAlternatively, you can install the software from the AIX Expansion Pack.

   1. From your workstation (or host computer), go to the SourceFORGE.net Web site.
   2. Click Download OpenSSH on AIX to view the latest file releases.
   3. Select the appropriate download package and click Download.
   4. Click the openssh package (tar.Z file) to continue with the download.

 

1) Download the latest available "OpenSSL or OpenSSH n.n.n" for your AIX version from the following download link:  

https://www-01.ibm.com/marketing/iwm/platform/mrs/assets?source=aixbp

 

 - Register for a user ID at the site if you do not have an account

 

NOTE: This download site is not managed by AIX Support. If you have problems accessing or registering at the site, please send an email to mktsystm@us.ibm.com describing the errors.>

 

The following example is the latest version at the time of publishing. Always check the download site, and corresponding readme files for information pertaining to your AIX oslevel.

openssl VRMF: 1.0.2.1801 (1.0.2r) openssl-1.0.2.1801.tar.Z  (34779877) openssh VRMF: 7.5.102.1801 OpenSSH_7.5.102.1801.tar.Z  (11765639) ***NOTE: OpenSSL must be installed first.

2) Create directory to hold openssl and openssh.

Example:

% mkdir /tmp/newopenssl % mkdir /tmp/newopenssh

 

Transfer the compressed OpenSSL tar file to the /tmp/newopenssl directory.

Transfer the compressed OpenSSH tar file to the /tmp/newopenssh directory

3) If /etc/ssh exists before the upgrade of OpenSSH or AIX, make a back up of the directory.  Skip steps 3 and 9-10 if OpenSSH is not installed.

 

Important Notes

A) If you have an existing ssh configuration, make a copy of the /etc/ssh directory before installing the new ssh to preserve the ssh host keys. If this is a new installation of ssh there will not be an /etc/ssh directory.   % cp -pr /etc/ssh /etc/ssh_backup   B) Read the following technote for details about changes in OpenSSH Version 7.  https://www.ibm.com/support/pages/ibm-aix-various-ssh-problems-after-upgrading-openssh-7x

4) Prepare the openssl software for installation.

% cd /tmp/newopenssl % uncompressopenssl-1.0.2.1801.tar.Z  % tar -xvfopenssl-1.0.2.1801.tar % cd <newly created openssl directory if one was created>

 

5) Install the openssl software.

% smitty install_all INPUT device / directory for software [.] <enter> * INPUT device / directory for software . * SOFTWARE to install [] <....> Select F4 or esc+4 to list the openssl software. Select with F7: openssl.base openssl.license openssl.man.en_US <enter> ACCEPT new license agreements? yes <enter>

 

6) Prepare the openssh software for installation.

% cd /tmp/newopenssh % uncompress OpenSSH_7.5.102.1801.tar.Z % tar -xvf OpenSSH_7.5.102.1801.tar

 

7) Install the openssh software.

% cd <newly created openssh directory if one was created> % smitty install_all INPUT device / directory for software [.] <enter> * INPUT device / directory for software . * SOFTWARE to install [] <....> Select F4 or esc+4 to list the openssl software. Select with F7: openssh.base openssh.license openssh.man.en_US openssh.msg.EN_US openssh.msg.en_US <enter> ACCEPT new license agreements? yes <enter>

 

8) If the installation was successful, sshd is now active.

 

% lssrc -g sshd

This should result in an "active" status, indicating it is ready to accept ssh connections

NOTE: SSHD is called from /etc/rc.d/rc2.d/Ssshd script at boot up. The Ssshd script is called from the l2 entry in /etc/inittab
 --> l2:2:wait:/etc/rc.d/rc2.d

 

9) Update the virtual AIX-rpm package.

Since many Open Source packages rely on OpenSSL, it recommended to run the following command, which will update your virtual AIX-rpm package so the rpm installer will be aware of the new or updated libraries:

% /usr/sbin/updtvpkg

*** Skip steps 10 and 11 if this is a new SSH installation.

 

10) Restore or update ssh host keys and config files.

% cd /etc/ssh

 

Backup the newly installed ssh_config and sshd_config files.

% cp -p ssh_config ssh_config.orig_<today's_date> % cp -p sshd_config sshd_config.orig_<today's_date>

 

Restore the /etc/ssh_backup host keys directory

% cd /etc/ssh_backup % cp -pr cp ssh_host_*_key*  /etc/ssh

 

Update (or restore previous) sshd_config and ssh_config files

 

**It is recommended that you use the newly installed ssh_config and sshd_config files, and if there was any customization of the old files, you should manually add those changes to the new files. 

 

Alternatively (not recommended), you can restore the previous config files:

% cd /etc/ssh_backup % cp -pr sshd_config ssh_config /etc/ssh

 

11) Stop and restart sshd to read the updated config files.

To stop sshd from the command line:

% stopsrc -s sshd

 

To start sshd from the command line:

% startsrc -s sshd % lssrc -g sshd

This should result in an "active" status, indicating the system is ready to accept ssh connections.