How to Install OpenSSL-3.3.0 and OpenSSH-9.7p1 on Ubuntu LTS 24 Server

CAUTION DON'T DO IT DIRECTLY ON LIVE PRODUCTION SERVER

When managing a server, security is paramount, and two critical tools for maintaining secure communication are OpenSSL and OpenSSH. OpenSSL provides essential cryptographic functions, while OpenSSH offers secure remote login capabilities. This guide will walk you through the installation of OpenSSL-3.3.0 and OpenSSH-9.7p1 on an Ubuntu LTS 24 server.

Installing OpenSSL-3.3.0

OpenSSL is a robust toolkit that provides essential cryptographic functions for securing communications. Here's how to install it on your Ubuntu server:

Step 1: Download OpenSSL

First, download the OpenSSL source package:

wget https://www.openssl.org/source/openssl-3.3.0.tar.gz

tar -xvzf openssl-3.3.0.tar.gz

cd openssl-3.3.0

Step 2: Configure OpenSSL

Next, configure the build environment:

./config --prefix=/usr         \

         --openssldir=/etc/ssl \

         --libdir=lib          \

         shared                \

         zlib-dynamic

Step 3: Compile OpenSSL

Compile the package:

make

Step 4: Test OpenSSL

Testing the build is important to ensure everything is working correctly. Note that one test (30-test_afalg.t) might fail under certain conditions and can be ignored if it does:

HARNESS_JOBS=$(nproc) make test

Step 5: Install OpenSSL

Install OpenSSL and move the documentation to a versioned directory:

sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile

make MANSUFFIX=ssl install

mv -v /usr/share/doc/openssl /usr/share/doc/openssl-3.3.0

cp -vfr doc/* /usr/share/doc/openssl-3.3.0

Installing OpenSSH-9.7p1

OpenSSH is essential for secure remote login. Here's how to install it on your Ubuntu server:

Step 1: Download OpenSSH

Download the OpenSSH source package:

wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz

tar -xvzf openssh-9.7p1.tar.gz

cd openssh-9.7p1

Step 2: Prepare the Environment

Prepare the environment for OpenSSH:

install -v -g sys -m700 -d /var/lib/sshd

groupadd -g 50 sshd

useradd -c 'sshd PrivSep' \

        -d /var/lib/sshd  \

        -g sshd           \

        -s /bin/false     \

        -u 50 sshd

Step 3: Configure OpenSSH

Configure the build environment:

./configure --prefix=/usr                            \

            --sysconfdir=/etc/ssh                    \

            --with-privsep-path=/var/lib/sshd        \

            --with-default-path=/usr/bin             \

            --with-superuser-path=/usr/sbin:/usr/bin \

            --with-pid-dir=/run

Step 4: Compile OpenSSH

Compile the package:

make

Step 5: Test OpenSSH

You can test the build with:

make -j1 tests

Step 6: Install OpenSSH

Install OpenSSH and its associated files:

make install

install -v -m755 contrib/ssh-copy-id /usr/bin

install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1

install -v -m755 -d /usr/share/doc/openssh-9.7p1

install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-9.7p1

Step 7: Configure OpenSSH

Edit the /etc/ssh/sshd_config to enhance security. For example, disable root login via SSH:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

To enable passwordless login, generate and distribute SSH keys:

ssh-keygen

ssh-copy-id -i ~/.ssh/id_ed25519.pub REMOTE_USERNAME@REMOTE_HOSTNAME

You can further secure SSH by disabling password authentication:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config

echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config

Step 8: Enable PAM (Optional)

If using PAM, configure it as follows:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd

chmod 644 /etc/pam.d/sshd

echo "UsePAM yes" >> /etc/ssh/sshd_config

Step 9: Start SSH Service

Ensure that the SSH service starts on boot:

systemctl enable sshd

systemctl start sshd

Conclusion

By following these steps, you will have installed and configured OpenSSL-3.3.0 and OpenSSH-9.7p1 on your Ubuntu LTS 24 server, enhancing its security for encrypted communications. Regularly update these tools to keep your system secure.