Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Updating OpenSSH client and server on Windows

Daniel Nashed  20 November 2021 11:00:20

I ran into this when working on a project integrating Domino and Veeam.

The restore operation needs to issue a mount command from the Domino server OS to the Veeam server invoking a PowerShell script.

In error situations the PowerShell commands could not write their error messages to STDERR -- no matter how much I tried to redirect the output via 2>&1 or similar methods.


STDERR output worked well on my Win2022 machine, but failed on Win2019.

The limitation is fixed in newer OpenSSH versions.


It turned out that Microsoft is not updating the OpenSSH server installed with Windows to later versions automatically.

You have to download and install/update it manually to get a current version of SSH and the OpenSSH server.


By the way, a never version will also allow to use more modern key types like ED25519.

And it is really advisable to use current OpenSSH and OpenSSL versions in general -- also for other security fixes and new features improving your security.


Here are the versions installed by default in Windows (with a current patch level).

And I have a link for your, to update those versions with a PowerShell based installer shipped with it.

The installer would also install the OpenSSH Service automatically if not yet installed.

Both the SSH client and server are included in one package -- in contrast Windows splits it in client and server -- the SSH client is installed by default.



Windows 2019

OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 (05.04.2018)


Windows 10 / Windows11 / Windows 2022

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2 (18.12.2019)


Current Version

OpenSSH_for_Windows_8.6p1, LibreSSL 3.3.3 (26.05.2021)



You can see that beside Windows 2019 all other Windows versions have a never OpenSSH and SSL version.

And there is a more up to date version provided by Microsoft in their PowerShell/Win32-OpenSSH project.


The download page has all the information and details:

https://github.com/PowerShell/Win32-OpenSSH/releases

LibSSL


By the way Microsoft's OpenSSH implementation is not based on OpenSSL.

They are using a project, which has been forked a while ago -->
https://www.libressl.org/.


Donwload of a more current version


The download comes with an install Powershell script creates which can create the OpenSSH server service.
But it only works if no OpenSSH is installed.


The version shipping with more current Windows version is perfectly OK to use and on a level most other Linux distributions are using.

You can see below that CentOS 7 ships even an older version than Windows 2019 with a quite old OpenSSL version.


On Linux switching to a later OpenSSL version isn't that simple. The distributions update their OpenSSL major releases only with major releases of their OS.

So CentOS Stream 9 and RHEL 9 are the first Linux distributions I have made the switch to OpenSSL 3.0.


And even Linux versions like CentOS 7 are still supported and maintained, you cannot expect the latest packages for important security packages like OpenSSL and OpenSSH.

Those older versions are still security patched, but they don't provide all features you might want like using more modern key types etc.



-- Daniel



Linux version list OpenSSH


CentOS 7

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017


CentOS Stream 8

OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021


SUSE Leap 15.2

OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019


SUSE Leap 15.3

OpenSSH_8.4p1, OpenSSL 1.1.1d  10 Sep 2019


CentOS Stream 9

OpenSSH_8.7p1, OpenSSL 3.0.0 7 sep 2021



References:


Official Micosoft documentation

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview

Official Microsoft project

https://github.com/PowerShell/openssh-portable

Project documentation

https://github.com/PowerShell/Win32-OpenSSH


Comments
No Comments Found

Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]