OpenSSH Logo

Darren Tucker's OpenSSH Page

Fast links: Home Page Tinderbox Bugzilla openssh-unix-dev git (mindrot github)

I'm one of the OpenSSH developers, and occasionally I put up patches that are for testing or haven't been integrated yet. They can be downloaded here. Old patches (ones that have either integrated or abandoned) are archived. OpenSSH is a BSD-licensed SSH implementation, originally based on the last free SSH release.

The stuff I intend doing is listed on the To Do List.

OpenSSH patches

Some random unsorted patches.

AIX Package Builder

Starting from the existing Solaris buildpkg scripts and with some help from Ben Lindstrom and others, I wrote which allows the creation of AIX native SMIT/installp installable packages from compiled code. It has been included in contrib/aix in the OpenSSH distribution since 3.1p1.

Currently there are no updates to the package builder shipped with 3.7x or 3.8p1.

Multi-platform Password Expiry

Note: a subset of the functionality in these patches in included in OpenSSH 3.8 and 3.8p1 and up. In most cases, users requiring handling of expired passwords will no longer need these patches. The differences are documented in this post to openssh-unix-dev.

This is a series of patches against 3.6.1p2 and 3.7.1p2 that add password expiry support to OpenSSH. Currently the patch (#26) supports AIX, platform using /etc/shadow (which includes Solaris and Linux when openssh is configured without PAM, and SCO UnixWare), and PAM Platforms (including Solaris, Linux and HP-UX).

Note that the recent .bff packages supplied by IBM Developerworks also contain this functionality (based on pwexp22).

It works by executing /bin/passwd at the start of the session and includes "your password will expire on.." warnings.

The following people have made contributions to this patch (if I've missed someone please let me know):

The current patch supports AIX and /etc/shadow platforms (Solaris, UnixWare and possibly others). The series supported, at various times, ssh2's USERAUTH_PASSWD_CHANGEREQ and HP-UX's expiry, however the current patch does not, in a (possibly vain) attempt to keep the diff size down. If there is sufficient interest, these can be re-added later (these older patches can be found in the archive).

The basic procedure is (assuming you have both the tarball and patch in the current directory):

$ gzip -dc openssh-3.5p1.tar.gz | tar xf -
$ cd openssh-3.5p1
$ patch -p1 < ../openssh-3.5p1-passexpire17.patch
$ ./configure 
$ make

Note: These patches are in unified diff format and some vendor's patch programs can't deal with them. If you are so afflicted, try GNU patch. Because is patched, you must run autoreconf to re-build configure for the CVS patches. The patches against releases have already had configure rebuilt.

openssh-3.7.1p2-pwexp26.patch (gpg sig). Fixes compile errors and correctly (I hope!) detects root-forced password changes when password aging is disabled on HP-UX.

If you have been running OpenSSH on AIX for a while without this patch, some of your user accounts may have exceeded the "Weeks between password EXPIRATION and LOCKOUT" setting, and when sshd starts enforcing the password expiration rules, you may find many accounts are now locked out. To help in the transition, you can use this migration patch (which will apply to 3.6.1p2 with fuzz). This patch will reset the user's password then set the ADMCHG flag, then the user can change their password normally. The patch is not intended to be merged into the main tree, it is intended only as a transition aid.

OpenSSH SMIT-Installable BFF Packages for AIX

Note 2011-05-06: I have not needed these packages for many years and intend to discontinue updating them. The original goal was to to have an SSH package that could be installed out of the box on supported AIX versions. The versions in question are long unsupported, and with the removal of the random helper code after 5.8p2 this is no longer possible without an additional package of prngd. If you still have a use case for these please let me know (dtucker at dtucker dot net) why you use them, which AIX versions you use and whether or not they have either /dev/random or prngd.

My OpenSSH AIX binary packages are available for download here. Before you download them, please consider making your own. Everything you need is in the OpenSSH source distribution. If it's not possible for you to compile your own (or you're lazy and trusting :-) then you can download the packages below.

Any problems with these packages are likely to be my fault and should be reported directly to me.

The packages are built with the following commands:

./configure --with-tcp-wrappers=/usr/local --with-cflags=-fno-builtin-memset --with-cflags=-DBROKEN_GETADDRINFO
AIX_SRC=yes contrib/aix/

They use internal pseudo-random seeding (so have no prereqs) but will use egd or prngd (preferred) if either is available and has its socket in one of the standard locations.

All packages contain bffs for AIX 4 and AIX 5. The V4 packages are built on AIX 4.2.1 and should also work on any newer version including 4.3.3. (In March 2004, they were also reported to work on AIX 3.2!). The V5 packages are built on AIX 5.1 and should work on 5.1 and 5.2 (and, presumably, 5.3 although I've not tested it). As of version 4.5p1, by request there is also a PAM-enabled package for AIX 5.x.

The tarballs contain .bff installable packages and gpg (signed with this key) and MD5 or SHA1 signatures.

openssh-5.8p2 Has sftp libedit support and a PAM-enabled package for AIX 5.x.
Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7m, tcpwrappers-7.6 and libedit-20060829-2.9.
openssh-5.8p2-1 Has sftp libedit support and a PAM-enabled package for AIX 5.x.
Built with gcc-4.1.1, zlib-1.2.5, openssl-1.0.0d, tcpwrappers-7.6 and libedit-20060829-2.9.

Versions prior to 5.8p2 were affected by a potential private host key disclosure via the random helper and have been removed.

You can also review the history of previous packages.


IBM have made packages available for AIX5L on the Bonus Pack CD. The original images are based on 2.9.9p2 (with fixes), while the current ones available from the link below are based on 4.3p1. The images are available for download from Sourceforge: openssh-aix (formerly IBM DeveloperWorks).

Bull Freeware are publishing OpenSSH packages again. These are dynamically linked against openssl and libz (unlike the ones here) so will use somewhat less memory, but are sensitive to changes in the libraries. They require egd (Entropy Gathering Daemon), so may start sessions a little quicker than the packages here when used without prngd. Unlike the packages here, they have several prerequisites. (openssl, zlib, egd, perl).

Diagnosing "Your OpenSSL headers do not match your library" errors

This is generally caused by OpenSSH's configure picking up an older version of OpenSSL headers or libraries. You can use the following procedure to help identify the cause.

Apply this patch if it hasn't been incorporated into your version of OpenSSH (it's included in 3.5p1 and above). Run make -f distprep && ./configure.

The output of configure will tell you the versions of the OpenSSL headers and libraries that were picked up:

checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library

Now run This should identify the headers and libraries present and their versions. You should be able to identify the libraries and headers used and adjust your CFLAGS or remove incorrect versions. The output will show OpenSSL's internal version identifier and should look something like:

$ ./ 
Searching for OpenSSL header files.
0x0090604fL /usr/include/openssl/opensslv.h
0x0090604fL /usr/local/ssl/include/openssl/opensslv.h

Searching for OpenSSL shared library files.
0x0090602fL /lib/
0x0090602fL /lib/
0x0090581fL /usr/lib/
0x0090602fL /usr/lib/
0x0090581fL /usr/lib/
0x0090600fL /usr/lib/
0x0090600fL /usr/lib/

Searching for OpenSSL static library files.
0x0090602fL /usr/lib/libcrypto.a
0x0090604fL /usr/local/ssl/lib/libcrypto.a

In this example, I gave configure no extra flags, so it's picking up the OpenSSL header from /usr/include/openssl (90604f) and the library from /usr/lib/ (90602f).

SSH LBX Script Sets up SSH and LBX to play nicely together. To use, adjust to local conditions then ". ./".

Portable diffs

Diffs between portable releases

Other SSH Links

A table showing the percent_expand tokens supported by OpenSSH's ssh(1) and sshd(8).

IETF Secure Shell Working Group (includes draft RFCs) ietf-ssh mailing list archive.

OpenSSH Portable Tinderbox. Shows current build and test status of the current code.

OpenSSH Bugzilla bug tracking system.


openssh-unix-dev mailing list archive.

Daniel J. Barrett and Richard E. Silverman wrote SSH: The Definitive Guide, known as "The Snail book". Particularly useful is the online FAQ newsgroup

Other SSH related links

Shun-ichi Goto's connect ProxyCommand. Supports connections via SOCKS4/4a/5 and HTTP CONNECT protocols.

Pluggable Authentication Modules original RFC
XOpen Single Sign On (XSSO) Specification HTML PDF
Linux PAM Documentation SourceForge page
Solaris PAM documentation
Writing Solaris PAM modules
FreeBSD PAM documentation. (OpenPAM)
Some PAM gotchas, and why PAM and SSH don't play nice together

Blowfish image

Other crypto links

Peter Gutmann's Crypto page

Daemon image

Unix Programming Links

GNU Autoconf Manual (PDF). OpenSSH uses autoconf for its build-time configuration.

PortaWiki documenting portability issues. Run by Stuart Smith of MySQL with contributions from others, including yours truly.

Single Unix Specification SUSv2 SUSv3 (obnoxious registration required)

Valid HTML 4.01!

Page last modified: $Date: 2022-05-25 $