Openssh 7.6





Packages|Tools|aixtools.openbsd.openssh.8.0.0.1601.I
Report Issues (via Forums) and/or TWEET:@aixtools

  • To upgrade openssh from 7.6 to 8.0 on Ubuntu 18.04 (bionic), I followed the instructions given here: How to Install OpenSSH 8.0 Server from Source in Linux. The version I started with: $ ssh -V OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017.
  • Aug 19, 2019 OpenSSH is a free and open source, full implementation of the SSH protocol 2.0. It provides a number of tools for securely accessing and managing remote computer systems, and managing authentication keys, such as ssh (a secure replacement for telnet), scp, sftp (secure replacement for ftp), ssh-keygen, ssh-copy-id, ssh-add, and more.

MD5 Checksum

Packages|Tools|aixtools.openbsd.openssh.7.9.0.1601.I

MD5 Checksum


Package Details

--Michael Felt (talk) 12:04, 25 November 2019 (CET) As I get ready to post OpenSSH-8.1p1 I have moved OpenSSH-7.9p1 back to the top, for those who need OpenSSH-7.X for some reason. The recommendation will be to update to OpenSSH-8.1 though - and that shall be built against openssh.base-1.0.2.2000 (or later).

--Michael Felt (talk) 18:18, 19 April 2019 (CEST) And - here it is - OpenSSH-8.0 with all reference to SSHp1 removed from the code! Enjoy!

History

--Michael Felt (talk) 14:49, 8 November 2018 (CET) A bit late (and skipped packaging of version 7.8p1), but here is openssh-7.9p1

--Michael Felt (talk) 16:43, 21 April 2018 (CEST) Latest version out today. I made a small change to the install scripts - mainly, the rc2.d/Ssshd start script makes sure the /dev/*random devices exist - to prevent 'PRNG not found' errors.

--Michael Felt (talk) 12:33, 20 October 2017 (CEST) new packaging - cosmetic - the 'contents' are unchanged, but the installp scripts have less noise - now 'verbose' messages are printed when the environment variable VERBOSE is defined to any string.

--Michael Felt (talk) 18:16, 13 October 2017 (CEST) have a new packaging (VRMF 7.6.0.1602) - and now includes PAM support AND, more importantly (to me) - fixes a problem that prevented X11 forwarding secure tunnels (off by default) automated connections. The problem was because sshd was looking for xauth at /usr/X11R6/bin/xauth - while on AIX it is at /usr/bin/X11/xauth.

--Michael Felt (talk) 21:05, 5 October 2017 (CEST) Spent some time on buildaix and additional support scripts so that the ssh_config and sshd_config files are saved/restored.

--Michael Felt (talk) 11:27, 6 October 2017 (CEST) The helper scripts can be better - so I'll still be repackaging the support scripts - which will mean a new MD5 number later. So, if you have anything special in either /var/openssh/etc/ssh_config or /var/openssh/etc/ssh_config - set those aside first and then update.

OpenSSH-7.5p1

--Michael Felt (talk) 17:35, 15 May 2017 (UTC) See https://www.openssh.com/releasenotes.html#7.5p1 for the release notes. Note: requires openssl.base-1.0.2!

  • If you are updating I recommend you make a backup of /var/openssh/etc before making any updates - in particular of any changes made to either ssh_config or sshd_config. There can be major differences between the different versions (i.e., of only the defaults) and your changes may be overwritten (something for me to work on in the future - TODO!)
  • Fixed - AFTER you install openssh-7.3p1 (aka openssh-7.3.0.1601). After because the earlier versions uninstall parts are still removing sshd_config and ssh_config.

OpenSSH-7.4p1

--Michael Felt (talk) 20:16, 2 February 2017 (UTC) Changed the packaging so that the unintended hard dependency on aixtools.zlib.1.2.10 is no more. aixtools.zlib.1.2.11.1 is highly recommended!

--Michael Felt (talk) 22:10, 19 January 2017 (UTC) packaged as aixtools.openbsd.openssh.7.4.0.1601.

OpenSSH-7.3p1


--Michael Felt (talk) 13:08, 15 August 2016 (UTC) packaged as aixtools.openbsd.openssh.7.3.0.1601

OpenSSH-7.2p2

--Michael Felt (talk) 22:51, 6 June 2016 (UTC) packaged as aixtools.openbsd.openssh.7.2.0.1701.I

OpenSSH-7.2p1

--Michael Felt (talk) 11:09, 6 June 2016 (UTC) Now that I understand the differences - this is the preferred OpenSSH as it has done away with TLS1.1 and earlier (by default).

What problems can you expect? That your OpenSSH clients are not yet ready to work with the strict ciphers, hmac, etc.

OpenSSH-7.1p1

--Michael Felt (talk) 08:45, 16 October 2015 (UTC)

  • Patched to fix a pre_install script syntax that occurred when /bin/false was not already one of your defined shells.

I am not yet - happy - with my understanding of the changes to the default behavior regarding root login in OpenSSH-7.1. Like myself, you may prefer the behavior of the 6.9p1 release.

OLD Versions


That time when one of my HP-UX servers lost half of its RAM (and how to connect to an HP iLO 2 with modern OpenSSH (7.6+))

Published: 06-06-2018 | Author: Remy van Elst


❗ This post is over two years old. It may no longer be up to date. Opinions may have changed.


One of my favorite sayings is: 'Hardware is stupid, move everything to the cloud!'. The cloud is just someone else's computer, but at least I'm not responsible for the hardware anymore, since hardware breaks. When a VM breaks, because you use configuration management and version control, just roll out a new one. We all know that's not true, but still, the thought of it is nice. A man can have hopes and dreams, even if the harsh reality shoots them down every time.

Last week one of the HP-UX machines had a failing disk and this week it's back with a whole new issue. After it was rebooted (due to issues with the services running on it), the Event Monitoring Service (EMS) sent an email regarding RAM issues and after manual checking it seems the machine lost half of its RAM.

It should have 16 GB and now it only has 8 GB. You might imagine my surprise. This post goes into my troubleshooting, since I was not able to go to the machine, shut it down and check if the RAM was still there or note part numbers. I'll cover the use of cstm (Support Tool Manager), how to connect to the HP iLO (out of band access) with modern OpenSSH (7.2) and the steps I took to gather information on what might have happened.


This machine is not under monitoring yet, therefore it is regularly visited and checked manually. You could call that monitoring as well, but I'd rather have Icinga (or any other tool) doing the work for me. An intern doing said things is not considered a tool, sadly (this is a joke). The machine furthermore is part of an older setup (10 years) and is being replaced, so there is not a lot of budget or time allocated. I like to learn new things, so I seize the opportunity to expand my UNIX knowledge, thus allocating some of my own time to research (and hopefully fix) these issues. Read my other HP-UX articles as well if you like that kind of stuff.

Now that you know some background, let's dive in.

DRAM failure on DIMM XX, deallocate rank

It all started with this nice email from the HP-UX system:

The HP-UX error message is not very helpful, since no actual DIMM location is given:

The machine has no DIMM slot XX. The purchase order stated that the machine came with 16 GB of RAM installed. It now only reported 8 GB of memory.

My first thought was to search the part number and purchase replacement modules (or search our own stash of 'old stuff'), then follow my regular procedure for RAM issues, only executing the next step if the previous action did not resolve the issue. I've had my fair share of Dell hardware issues (looking at you, noncritical raid controller error after upgrading OpenManage...) so my procedure has proven itself.

  • Apply all available firmware updates for the hardware
  • Do a DIMM swap (slot XX to slot YY) to see if the error is in the slot or in the DIMM
  • Replace the DIMM
  • Replace the motherboard and CPU
  • Contact the manufacturer for warranty

Since this machine is not under a support contract anymore, step 1 and 5 are off the table. HP requires an active support contract to get firmware updates. I do not have access to replacement DIMM's and I was not able to go to the machine to do a DIMM swap (or note part numbers).

The only thing left to do was to dig into the issue and gather as much logging and information as possible, to prepare for a visit to the machine.

However, first I ended up researching a term unfamiliar to me, Memory Ranks.

Memory Ranking

I had never heard of the term Rank in RAM context, but Wikipedia came to the rescue:

Sometimes memory modules are designed with two or more independent sets of DRAM chips connected to the same address and data buses; each such set is called a rank.

There is even an article on Memory Ranking:

A memory rank is a set of DRAM chips connected to the same chip select, which are therefore accessed simultaneously.

That still didn't tell me much, however correct it might be. This site had a very helpful and practical explanation:

The term 'rank' simply refers to a 64-bit chunk of data. In its simplest form, a DIMM with DRAM chips on just one side would contain a single 64-bit chunk of data and would be called a single-rank (1R) module. DIMMs with chips on both sides often contain at least two 64-bit chunks of data and are referred to as dual-rank (2R) modules. Some DIMMs can have DRAM chips on both sides but are configured so that they contain two 64-bit data chunks on each side, four in total, and are referred to as quad-rank (4R) modules. Quad-rank DIMMs run at a maximum PC3-8500 (DDR3-1066) speed in current architecture.

Now that I had a better understanding of what a memory rank is, my suspicion is that there is one failed memory module and the rest of the modules (after that failed module) are not loaded anymore.

Support Tool Manager

Using cstm I hope to find the part number of the DIMM's so I can at least order a few replacement modules. According to multiple HPe forum posts, cstm should report the part number with this command:

It did give me a better idea of the physical memory layout.

According to this post, the output with part number should look like this:

But, as can be seen, no part numbers in my output. I guess it's a version difference. I found another command to get ALL the hardware in the machine:

but except for a ton of output, it did not contain any part number. The post did reference the following:

The MP referred to here is the 'HP Integrated Lights Out Management Processor', known as the iLO for short. Dell calls them iDrac (integrated Dell remote access controller) and on a SuperMicro server it's just called IPMI or OOB (out of band access). It provides a way to power on/off and troubleshoot the server when you cannot access it, often also a remote console.

Since I was not able to go to the machine and reboot into some kind of BIOS or iLO console, I had to resort to connecting via the web or SSH. The web interface was useless for gathering RAM information, so SSH was my last resort.

SSH with modern OpenSSH (7.6) to an HP iLO2

With good hope I connected to the iLO IP from my Ubuntu 18.04 box. Only to be greeted by a happy little error message:

Time to configure some old settings. In my ~/.ssh/config file I started with the following:


But of course, just a KeyAlgorithm is not enough:

Let's add that ciphersuite to my ~/.ssh/config:

We know that the setting did something, because now it just fails with no helpful error:

Lucky for me, the iLO 2 was horribly old and insecure in 2013 already, as this post shows. With OpenSSH 6.2 there were problems connecting to the iLO, back then. I'm on OpenSSH 7.6 so let's hope that their fix works for me as well.

In a firmware update for the iLO2 some of these bugs are fixed, but not all of them, and quoting Oscar A. Perez (who has listed 'Senior Embedded System Engineer, 100% committed to make Embedded Systems reliable, safe and secure' on his LinkedIn for 15 years, so I guess he is probably legit), it will be hard to fix in the future due to the limited iLO 2 memory:

I had to make lots of changes to the mpSSH server code to get it to work with the new OpenSSH 6.2p1. I hope this is the last time we have to make changes like this one. iLO2 memory is very limited and already full so, we won't be able to spin new firmware releases, every time the OpenSSH folks decide to increase the size of the payload during Key Exchange.

Lower on in the post I do find the correct OpenSSH options to connect. I missed the HostKeyAlgorithms and the MACs. The complete, working configuration in my ~/.ssh/config file looks like this:

A one-liner with these options:

*Do note that a better solution here is to upgrade the hardware and get it under a support contract.
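The trial-and-error above can be mechanised. As an added example (not from the original post), this Python sketch turns the client's "Unable to negotiate" errors into a Host block that appends the legacy algorithms for that one host only, leaving the defaults for every other host untouched. The host alias, the 192.0.2.10 address and the sample error lines are constructed and are not the iLO 2's real offer.

```python
import re

# Maps the reason text in OpenSSH's "Unable to negotiate" error to the
# ssh_config directive that controls that algorithm class.
REASON_TO_DIRECTIVE = {
    "no matching key exchange method found": "KexAlgorithms",
    "no matching host key type found": "HostKeyAlgorithms",
    "no matching cipher found": "Ciphers",
    "no matching MAC found": "MACs",
}

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"(?P<reason>[^.]+)\. Their offer: (?P<offer>\S+)"
)

def parse_failures(lines):
    """Return {directive: [algorithms the server offered]} from client errors."""
    needed = {}
    for line in lines:
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue  # e.g. a bare "Connection closed" carries no offer to parse
        directive = REASON_TO_DIRECTIVE.get(m.group("reason"))
        if directive is None:
            continue
        algos = needed.setdefault(directive, [])
        for algo in m.group("offer").split(","):
            if algo not in algos:
                algos.append(algo)
    return needed

def host_block(alias, hostname, needed):
    """Render a Host block that appends ('+') legacy algorithms for one host."""
    out = [f"Host {alias}", f"    HostName {hostname}"]
    for directive in ("KexAlgorithms", "HostKeyAlgorithms", "Ciphers", "MACs"):
        if directive in needed:
            out.append(f"    {directive} +{','.join(needed[directive])}")
    return "\n".join(out)

# Constructed sample errors (assumption, not the iLO 2's real offer),
# one line per failed connection attempt.
SAMPLE = [
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc",
    "Connection closed by 192.0.2.10 port 22",
]

if __name__ == "__main__":
    print(host_block("ilo-legacy", "192.0.2.10", parse_failures(SAMPLE)))
```

A failure that closes the connection without an error, like the one described above, leaves nothing to parse; the server's proposal then has to be read from `ssh -vv` output instead.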

iLO Management Processor hardware information

Logging in gives me a few options to work with:

The forum post stated to go into the Command Menu:

(Use Ctrl-B to return to MP main menu.)

Then to enter the following command:

The output contains a long, long list of hardware. You can find it at the bottom of this article. We are interested in the RAM parts. To my pleasant surprise it did list the actual RAM in the machine, the 16 GB, including the part numbers. The Operating system does not see the Ext1 DIMM's, the iLO does:

Ext0

The cstm output showed me that Ext0 is filled with 4 DIMM's of 2 GB each:

The ILO confirms that:

I cannot easily find a replacement for this part number, but it comes up in an HP forum post as a Samsung 2GB module.

Ext1

Ext1 according to the operating system is empty:


The iLO thinks differently:

So the DIMM's are still in the system, and of all places, Amazon sells these DIMM's. The type is 2GB DDR2 PC2-5300 667MHz 240pin ECC, which is exactly what I need to order a replacement or look into our hardware stash. It took me a good hour, but the part number and some more type information have been found.

I still need to figure out which specific DIMM broke, but that is not in the above output.

iLO Event Log

In the iLO menu, I also saw SL: Show Event Logs. Maybe that will tell me specifically which DIMM could be the culprit.

Let's view the System Event log, using option E:

Just give me everything, D it is:

Filtering out all the logs (reboots were expected), focussing on the DIMM parts:

Not much help, no clear DIMM location yet. But, I did search around and found this HP support page titled 'HP Integrity rx3600 Servers - BOOT DECONFIG CPU Can Be Caused by Memory Dimm Failure'. In the log output there are these lines, looking a lot like the above output:

In this part I do see a pattern in the Data Field column, the only thing changing looks an awful lot like a memory location:

  • 00 0A
  • 00 0B
  • 00 1A
  • 00 1B
  • 01 0A
  • 01 0B
  • 01 1A
  • 01 AB

Comparing that to the DIMM layout output from earlier:

Not exactly the same but good enough, since it's a different server (the above output seems to be for the 8 port memory carrier board). This post confirms my suspicion on the HEX values corresponding to the DIMM Slots.

HP Integrity rx3600 Server User Service Guide


The HP Integrity rx3600 Server User Service Guide, chapter 5 Troubleshooting, subsection CPU, Memory and SBA, subsection Troubleshooting rx3600 memory has a picture of the 24 slot memory carrier board:

I know this server has 2 24 slot memory carrier boards due to the full output of the hardware list, it states 4 12 DIMM Memory Extender components.

The service guide also lists the error message:

  • IPMI events: Type E0h, 4000d:26d MEM CHIPSPARE DEALLOC_RANK
  • Cause: An SDRAM is failing on the DIMM.
  • Notes: The failing DIMM quad will be deallocated.

Furthermore, the service manual states this:

In chapter 6. 'Removing and replacing server components', there are 11 pages (185-196), with pictures and example configurations, on replacing the DIMM's. It also has Memory loading guidelines:

Use the following rules and guidelines when installing memory:

  • Install DIMMs in pairs in the 8-DIMM memory carrier and in quads in the 24-DIMM memory carrier.
  • Ensure all DIMMs within a pair or quad are identical.
  • Install quads in order of capacity from largest to smallest. For example, install all 2 GB quads before 1 GB or smaller quads, and install all 1 GB quads before 512 MB quads.
  • Side 0 must have equal or greater memory capacity than side 1.
  • Install DIMM pairs or quads based on the following rules:
    • 1. Load pairs or quads into the memory carrier in order, starting with slot 0 and ending with slot 2.
    • 2. Install the first pair or quad in side 0.
    • 3. Install the second pair or quad in side 1.
    • 4. For the remaining pairs or quads:
      • a. If both sides of the memory carrier contain the same capacity of memory, install the next pair or quad in side 0.
      • b. If side 0 contains more memory capacity than side 1, install the next quad in side 1.
      • c. If side 1 is full, install the remaining quads in side 0.

(Nested lists in Markdown are fun)

The guide even has a list of Customer Replaceable parts including HP and replacement part numbers. For my 2GB memory module, it would be AD328A, for sale in lots of places.

Conclusion

Combining all the knowledge and logging, my best guess is that the following slots have issues:

  • Side 1 Slot 0B
  • Side 1 Slot 0C


Replacement DIMM's are ordered and on their way, soon to be replaced in the correct order. Let's hope that the machine gets the other half of its RAM back and the problem is fixed.

Reference, complete output of MP:CM> df -nc -a
