WARNING! It would be best to take some basic precautions if you are doing this on a remote server hosted at AWS or any other data center of your choice. Otherwise, you will end up losing access to TCP port 22.
| Tutorial details | |
|---|---|
| Difficulty level | Intermediate |
| Root privileges | Yes |
| Requirements | FreeBSD |
| Est. reading time | 5 minutes |
Finding out FreeBSD SSHD version
The good news is that FreeBSD separates the base operating system from third-party applications. To find the default sshd and its version, run:
command -v sshd
type sshd
# find version by sending ssh verbose command #
ssh -v user@localhost
ssh -V
Here is what I saw on my FreeBSD 13 box:
OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 25 Mar 2021
Please note that the updated OpenSSH portable version will be installed in the /usr/local/{bin,sbin,etc} directories, including the config files, so it will not overwrite the base version of sshd and the ssh client. Let us upgrade the OpenSSH client and server to version 8.8 on a FreeBSD Unix machine.
How to install and upgrade OpenSSH server on FreeBSD
- First, find out OpenSSH version and packages using the pkg command:
pkg search openssh-po\*
Finding OpenSSH portable version
- Now, install openssh-portable on FreeBSD, run:
pkg install openssh-portable
# To install the port, run:
cd /usr/ports/security/openssh-portable/
make install clean

Installing an updated version of the OpenSSH server on FreeBSD
- To enable this updated SSHD port version, add the line openssh_enable="YES" using the sysrc command. The second command will disable openssh in the base system:
sysrc openssh_enable="YES"
# disable base system sshd
sysrc sshd_enable="NO"
Enabling updated version of SSHD
- Now the tricky part. You can’t start the updated version of OpenSSH on the same port without stopping the existing sshd from the base system. That is an easy task if you have access to the actual FreeBSD console and are not doing this over an ssh session. Otherwise, the trick is to configure the updated OpenSSH on another TCP port and run it alongside the base sshd. So edit the config file:
vi /usr/local/etc/ssh/sshd_config
Set the port to 2222:
Port 2222
Save and close the file. Next, make sure you open TCP port 2222 in your firewall. For example, the pf rule in your config would be:
pass in inet proto tcp to $ext_if port 2222
Configure the openssh at another TCP port
- Finally, start the updated openssh, run:
service openssh start
Starting the OpenSSH service
- Verify that the updated version of OpenSSH is running using the sockstat command:
sockstat -4 | grep :22
ps aux | grep sshd
# The updated version sshd
service openssh status
# The base system sshd
service sshd onestatus
Logging into an updated version of sshd
The syntax for the ssh command (type on the client desktop):
ssh -i {~/path/to/private_key} -p {TCP_PORT} {user}@{server_ip_name}
ssh -i ~/.ssh/id_469_ecdsa_sk_backup -p 2222 vive@192.168.2.186
A note about configuration files for updated version of SSHD on FreeBSD
- Directory: /usr/local/etc/ssh/
- Server OpenSSH config file: /usr/local/etc/ssh/sshd_config
- Client OpenSSH config file: /usr/local/etc/ssh/ssh_config
Starting/Restarting the OpenSSH
Use the following service command:
service openssh restart
service openssh reload
service openssh status
How to switch back to TCP port # 22
The next time you reboot the FreeBSD server, it will only start OpenSSH at port 2222 and SSHD from the base system will be disabled. However, at run time or before reboot, you can change the TCP port as follows:
# stop sshd from base system on port 22 #
service sshd onestop
Edit the /usr/local/etc/ssh/sshd_config and set Port to 22 and then restart/reload the OpenSSH:
service openssh reload
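A guard for the step above, as an added example that is not part of the original tutorial: it reads the port build's sshd_config and sockstat -4 -l style output, and reports that stopping the base sshd is safe only when an sshd listener on a non-22 port already exists. The function names, the sample config and the sample listener lines (including PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): only allow stopping the base sshd
# once the port build is already listening on its alternate port.

# Print every Port value in an sshd_config file; sshd defaults to 22 if none.
config_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Read `sockstat -4 -l` text on stdin; succeed if sshd listens on TCP port $1.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
has_sshd_listener() {
    awk -v port="$1" '
        $2 == "sshd" && $5 ~ /^tcp/ && $6 ~ (":" port "$") { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# $1 = port build's sshd_config, $2 = file holding sockstat output.
# Succeeds only when a non-22 port from the config is already listening.
safe_to_stop_base() {
    for p in $(config_ports "$1"); do
        if [ "$p" != 22 ] && has_sshd_listener "$p" < "$2"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample data (hypothetical PIDs), shaped like FreeBSD 13 output.
sample_config() { printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no'; }
sample_listeners() {   # $1 = "both" adds the port build's listener
    echo 'USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS'
    echo 'root sshd 911 4 tcp4 *:22 *:*'
    if [ "$1" = both ]; then echo 'root sshd 2044 4 tcp4 *:2222 *:*'; fi
}

# Demo on the constructed data. On a live host the inputs would instead be
# /usr/local/etc/ssh/sshd_config and the output of: sockstat -4 -l
d=$(mktemp -d)
sample_config > "$d/cfg"
sample_listeners base > "$d/listeners"
if safe_to_stop_base "$d/cfg" "$d/listeners"; then
    echo "alternate listener is up: service sshd onestop is safe"
else
    echo "no alternate listener: keep the base sshd running"
fi
rm -rf "$d"
```

On the server, also check the configuration syntax before any restart or reload with /usr/local/sbin/sshd -t -f /usr/local/etc/ssh/sshd_config (the binary path is assumed from the install location the tutorial gives).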
Base vs OpenSSH ssh clients
One final issue was that the ssh utilities from the base OS were used when I tried the ssh command or the ssh-keygen command. Because of the PATH settings on FreeBSD, /bin and /sbin get higher preference. For instance:
echo "$PATH"
type ssh
command -v ssh
ls -l /usr/local/bin/ssh
# Update PATH and append to your ~/.tcshrc or ~/.login when using tcsh
setenv PATH /usr/local/bin:$PATH
# Or update .bash_profile or ~/.profile when using bash/sh
export PATH=/usr/local/bin:$PATH
# Verify it
type ssh
command -v ssh
Another option is to create shell aliases. For example, here is how one can list/create bash aliases using a bash for loop:
for i in $(pkg info -l openssh-portable | grep '/usr/local/bin')
do
   echo "alias ${i##*/}='$i'"
   # Append to ~/.profile #
   # echo "alias ${i##*/}='$i'" >> ~/.profile #
done
Outputs:
alias scp='/usr/local/bin/scp'
alias sftp='/usr/local/bin/sftp'
alias ssh='/usr/local/bin/ssh'
alias ssh-add='/usr/local/bin/ssh-add'
alias ssh-agent='/usr/local/bin/ssh-agent'
alias ssh-keygen='/usr/local/bin/ssh-keygen'
alias ssh-keyscan='/usr/local/bin/ssh-keyscan'
Here is a tcsh foreach loop example to create those aliases when using tcsh/csh:
# set array
set files= ( `pkg info -l openssh-portable | grep '/usr/local/bin'` )
# do dirty work here
foreach i ( $files )
   echo "alias `basename $i` $i" >> ~/.tcshrc
   # echo "alias `basename $i` $i" >> ~/.tcshrc
end
# verify it
alias
Sample outputs for tcsh:
h	(history 25)
j	(jobs -l)
la	(ls -aF)
lf	(ls -FA)
ll	(ls -lAF)
scp	/usr/local/bin/scp
sftp	/usr/local/bin/sftp
ssh	/usr/local/bin/ssh
ssh-add	/usr/local/bin/ssh-add
ssh-agent	/usr/local/bin/ssh-agent
ssh-keygen	/usr/local/bin/ssh-keygen
ssh-keyscan	/usr/local/bin/ssh-keyscan
Summing up
And that is how you install and configure an updated version of OpenSSH on your FreeBSD box. When you run the pkg command, it will automatically update to the latest available OpenSSH portable version:
pkg update
pkg upgrade
Do check the following FreeBSD and OpenSSH docs/manual pages using the man command:
man sshd_config
man service
man sysrc
man ssh
man sshd
man sockstat
man bash
man tcsh

