How to install OpenSSH 6.0.0.6200 and OpenSSL 1.0.1.514 on AIX
— ny_wk

To install OpenSSH 6.0.0.6200 and OpenSSL 1.0.1.514 on AIX, install the OpenSSL fileset first, then OpenSSH, both with installp -aXYd . from the extracted package directory. OpenSSH on AIX depends on OpenSSL for its crypto libraries, so the order matters and the install will fail if you reverse it. This guide walks through the full, correct procedure for AIX 5.3, 6.1 and 7.1, the common pitfalls (a running sshd daemon locking the server fileset), and how to verify the result — plus a clear warning about why these exact levels are end-of-life today.
Why OpenSSH and OpenSSL ship separately on AIX
On AIX, OpenSSH and OpenSSL are delivered as native installp filesets packaged by IBM, not as the source tarballs or RPMs you would use on Linux. OpenSSL provides the cryptographic engine (the libcrypto and libssl shared libraries); OpenSSH is the SSH client and server that link against those libraries. That dependency is the single most important fact in this whole process: OpenSSL must be present before OpenSSH, or the OpenSSH filesets will refuse to apply because their prerequisites are unmet.
The build numbers map to upstream releases. The IBM Web Download Pack labelled openssl-1.0.1.514 contains the OpenSSL 1.0.1e code base, and OpenSSH_6.0.0.6200 corresponds to upstream OpenSSH 6.0p1. Knowing this matters when you check versions later, because the AIX fileset level and the version the binary reports are deliberately different strings.
Before you start: prerequisites and a critical EOL warning
You need a few things in place before you install OpenSSH and OpenSSL on AIX:
- Root access. Every step here runs as root (or via a role with the equivalent install privilege).
- The IBM packages. Download the OpenSSL Web Download Pack and the OpenSSH fileset bundle from IBM's Fix Central / AIX Web Download portal. Do not pull random binaries from third-party sites — SSH is your trust boundary.
- Free space in /tmp (or wherever you extract). The OpenSSL openssl.base fileset alone is ~22 MB and OpenSSH ~6.7 MB, plus room for the extracted tree.
- A maintenance window. Installing the OpenSSH server fileset requires stopping the sshd daemon, which drops remote SSH sessions. Have console/HMC access as a fallback so you are not locked out.
End-of-life warning — read this before deploying. OpenSSL 1.0.1 reached end of life on 31 December 2016 and OpenSSH 6.0p1 dates to 2012. These exact levels (1.0.1e / 6.0p1) are vulnerable to well-known, weaponised CVEs — including the 2014 Heartbleed flaw (CVE-2014-0160) in early 1.0.1 builds and numerous later SSH and TLS issues. Use this procedure only to understand a legacy system or to reproduce a historical environment. For any system that touches a network today, install the current AIX OpenSSL and OpenSSH Web Download Pack levels (OpenSSL 1.1.1 / 3.x and OpenSSH 8.x or newer as shipped by IBM). The installation mechanics below are identical for the modern filesets — only the version numbers change.
Step 1: Install OpenSSL 1.0.1.514 first
Log in as root, change to the directory holding the downloaded archive (the examples use /tmp), and extract the tarball. The package unpacks into its own subdirectory containing the individual filesets.
- Extract the OpenSSL package:
    cd /tmp
    tar -xvf openssl-1.0.1.514.tar
  You should see the filesets unpacked, for example openssl-1.0.1.514/openssl.base, openssl-1.0.1.514/openssl.license and openssl-1.0.1.514/openssl.man.en_US.
- Move into the extracted directory:
    cd openssl-1.0.1.514
- Run the installer against the current directory:
    installp -aXYd . openssl
  The installp flags do the heavy lifting: -a = apply, -X = automatically expand any filesystem that runs short of space, -Y = agree to the licenses (so the install is non-interactive), and -d . = use the current directory as the device/source. The trailing openssl tells installp to install all filesets whose name starts with that string.
A successful run ends with an Installation Summary where every line reads APPLY / SUCCESS:
| Name | Level | Part | Event | Result |
| --- | --- | --- | --- | --- |
| openssl.base | 1.0.1.514 | USR | APPLY | SUCCESS |
| openssl.base | 1.0.1.514 | ROOT | APPLY | SUCCESS |
| openssl.license | 1.0.1.514 | USR | APPLY | SUCCESS |
| openssl.man.en_US | 1.0.1.514 | USR | APPLY | SUCCESS |
The USR part installs the shared code under /usr; the ROOT part installs the node-specific pieces. Seeing both for openssl.base is exactly what you want.
Step 2: Stop the sshd daemon before installing OpenSSH
This is the step most people skip — and it is the number-one reason an OpenSSH install on AIX fails. If sshd is already running (an existing OpenSSH is in place and you are upgrading), the openssh.base.server fileset cannot be replaced because the running daemon holds the binary open. Stop it cleanly through the System Resource Controller first.
- Check whether sshd is active:
    lssrc -s sshd
  If the Status column says active, the daemon is running and must be stopped.
- Stop the subsystem:
    stopsrc -s sshd
  Expect:
    0513-044 The sshd Subsystem was requested to stop.
Warning: SSH service is unavailable while sshd is stopped. Any remote shell you are using over SSH will keep its current connection but you will not be able to open a new SSH session until you restart the daemon. This is precisely why you want HMC or physical console access during the maintenance window.
Step 3: Install OpenSSH 6.0.0.6200
With OpenSSL in place and sshd stopped, install OpenSSH the same way. The OpenSSH bundle contains the client, the server, the license, a large set of localized message catalogs (openssh.msg.*), and the man pages.
- Extract the OpenSSH package (back in your download directory):
    cd /tmp
    tar -xvf OpenSSH_6.0.0.6200.tar
  This unpacks OpenSSH_6.0.0.6200/openssh.base, openssh.license, openssh.man.en_US and dozens of openssh.msg.* language filesets.
- Move into the directory:
    cd OpenSSH_6.0.0.6200
- Install all OpenSSH filesets:
    installp -aXYd . openssh
When it finishes, the Installation Summary should show SUCCESS for the key filesets — openssh.base.client, openssh.base.server, openssh.license, openssh.man.en_US — each at level 6.0.0.6200, with both USR and ROOT parts applied for the base filesets and the message catalogs applied as USR.
If the server fileset fails: the most common failure is openssh.base.server not applying because sshd was still running. Stop it (stopsrc -s sshd) and re-run installp -aXYd . openssh — installp is safe to re-run and will simply finish the filesets that did not apply the first time.
Step 4: Start sshd and bring SSH back online
Restart the daemon through the System Resource Controller so it comes up under SRC management (which also means it will restart correctly on reboot via /etc/inittab / SRC):
- Start the subsystem:
    startsrc -s sshd
  Expect:
    0513-059 The sshd Subsystem has been started. Subsystem PID is <pid>.
- Confirm it is active again:
    lssrc -s sshd
  The Status column should now read active with a fresh PID.
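Steps 2 to 4 as one guarded script, added here as an example and not IBM's or the author's tooling: it refuses to run unless openssl.base is installed, waits until sshd has really stopped (stopsrc only requests the stop), checks the Installation Summary, and restarts sshd. The function names, the 30-try wait and the default log path are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): guarded OpenSSH fileset install.

# True when the SRC lists sshd as active (last column of `lssrc -s sshd`).
sshd_active() {
    lssrc -s sshd 2>/dev/null |
        awk '$1 == "sshd" && $NF == "active" { up = 1 } END { exit !up }'
}

# True only if the log has an Installation Summary and every row is SUCCESS.
# Non-SUCCESS rows are printed so the failing fileset is visible.
summary_ok() {
    awk '/^Installation Summary/ { in_sum = 1; next }
         in_sum && NF == 5 && $1 != "Name" { rows++; if ($5 != "SUCCESS") { print; bad = 1 } }
         END { exit (rows == 0 || bad) ? 1 : 0 }' "$1"
}

# install_openssh <extracted dir> [log file]
install_openssh() {
    src_dir=$1
    log=${2:-/tmp/openssh_installp.log}
    # Ordering guard: OpenSSH prerequisites need the OpenSSL fileset present.
    lslpp -l openssl.base >/dev/null 2>&1 ||
        { echo "openssl.base not installed; install OpenSSL first" >&2; return 2; }
    was_active=0
    if sshd_active; then
        was_active=1
        stopsrc -s sshd >/dev/null
        # stopsrc only requests the stop, so poll until the SRC agrees.
        tries=0
        while sshd_active; do
            tries=$((tries + 1))
            if [ "$tries" -ge 30 ]; then echo "sshd still active" >&2; return 3; fi
            sleep 1
        done
    fi
    rc=0
    (cd "$src_dir" && installp -aXYd . openssh) >"$log" 2>&1 || rc=1
    summary_ok "$log" >&2 || rc=1
    # Restart sshd after a good install, or to restore service after a bad one.
    if [ "$rc" -eq 0 ] || [ "$was_active" -eq 1 ]; then
        sshd_active || startsrc -s sshd >/dev/null
    fi
    return "$rc"
}

# Run only when asked, e.g.: sh install_openssh.sh --run /tmp/OpenSSH_6.0.0.6200
if [ "${1:-}" = "--run" ]; then install_openssh "$2"; fi
```

A log with no Installation Summary at all counts as a failure, which also catches running installp from a directory that holds no filesets.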
Step 5: Verify the OpenSSH and OpenSSL installation
Never trust an install summary alone — verify from three angles: the fileset registry, the binary versions, and a live connection test.
Check the installed fileset levels
List every Open Secure fileset and confirm the level and state:
lslpp -l | grep "Open Secure"
Every relevant line should read COMMITTED at the expected level — OpenSSH at 6.0.0.6200 and OpenSSL at 1.0.1.514, for example:
| Fileset | Level | State | Description |
| --- | --- | --- | --- |
| openssh.base.client | 6.0.0.6200 | COMMITTED | Open Secure Shell Commands |
| openssh.base.server | 6.0.0.6200 | COMMITTED | Open Secure Shell Server |
| openssl.base | 1.0.1.514 | COMMITTED | Open Secure Socket Layer |
COMMITTED means the install is permanent and there is no saved previous version to reject back to. If a fileset shows APPLIED instead, the prior version is still saved and you could roll back with installp -r; once you are satisfied, commit with installp -c openssh openssl.
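A stricter form of the lslpp check above, as an added example that is not part of the original guide: it compares each fileset's level and state with the expected values instead of relying on reading grep output by eye. verify_filesets is a hypothetical helper name and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: verify_filesets is a hypothetical helper, not an AIX command.
# Expected levels are the ones this guide installs.
EXPECTED='openssl.base=1.0.1.514 openssh.base.client=6.0.0.6200 openssh.base.server=6.0.0.6200'

# Reads `lslpp -l` text on stdin, prints one line per problem, returns 1 if any.
verify_filesets() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        # A fileset with a ROOT part is listed twice (/usr/lib/objrepos and
        # /etc/objrepos); every occurrence must be at the right level and state.
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) { printf "%s: level %s, expected %s\n", $1, $2, want[$1]; bad = 1 }
            if ($3 != "COMMITTED") { printf "%s: state %s, expected COMMITTED\n", $1, $3; bad = 1 }
        }
        END {
            for (name in want)
                if (!(name in seen)) { printf "%s: not installed\n", name; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample in the layout of `lslpp -l` (not captured from a real host).
SAMPLE='  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  openssh.base.client     6.0.0.6200  COMMITTED  Open Secure Shell Commands
  openssh.base.server     6.0.0.6200  APPLIED    Open Secure Shell Server
  openssl.base             1.0.1.514  COMMITTED  Open Secure Socket Layer
Path: /etc/objrepos
  openssh.base.client     6.0.0.6200  COMMITTED  Open Secure Shell Commands
  openssh.base.server     6.0.0.6200  APPLIED    Open Secure Shell Server
  openssl.base             1.0.1.514  COMMITTED  Open Secure Socket Layer'

# On AIX the real input would be: lslpp -l | verify_filesets
printf '%s\n' "$SAMPLE" | verify_filesets || echo "fileset verification failed"
```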
Check the binary versions
Confirm the tools actually run and report the upstream versions they are built from:
- which openssl should return /usr/bin/openssl.
- openssl version should report OpenSSL 1.0.1e 11 Feb 2013 — the upstream release inside fileset level 1.0.1.514.
- ssh -V should report OpenSSH_6.0p1 along with the linked OpenSSL version.
Note on the command: use ssh -V (capital V) to print the version. The lowercase ssh -v enables verbose debugging for a connection and, with no host, just prints the usage banner — a common point of confusion. The fact that the OpenSSH binary reports 6.0p1 while the fileset level is 6.0.0.6200 is normal and expected.
Test a real connection
From another host (or loopback), open a session to prove the server answers and authentication works:
ssh -v root@<aix-hostname>
Here the lowercase -v is genuinely useful: it prints the key exchange, the offered ciphers, and the authentication steps, so if something is wrong you can see exactly where the handshake stops.
Common pitfalls when you install OpenSSH and OpenSSL on AIX
- Wrong order. Installing OpenSSH before OpenSSL fails on unmet prerequisites. Always install openssl first, then openssh.
- Forgetting to stop sshd. The running daemon locks openssh.base.server; stopsrc -s sshd, install, then startsrc -s sshd.
- Running the installer from the wrong directory. installp -aXYd . uses the current directory as the source. You must cd into the extracted openssl-1.0.1.514 / OpenSSH_6.0.0.6200 folder first, or installp finds no filesets.
- Filesystem too small. The -X flag auto-expands JFS2 filesystems, but only if there is free space in the volume group. Check with lsvg rootvg if expansion fails.
- Locking yourself out. If you only have SSH access and the upgrade goes wrong while sshd is down, you are stranded. Keep an HMC console, a serial console, or a second admin path open.
- Stale PATH or libraries. If openssl version reports an older build, an earlier OpenSSL may be ahead in your PATH or cached; confirm with which openssl and re-check lslpp -l.
- Deploying EOL crypto. Shipping 1.0.1e to production exposes you to Heartbleed and a decade of unpatched CVEs. Treat these levels as legacy-only and move to the current IBM Web Download Pack.
Key Takeaways
- Install OpenSSL first, then OpenSSH — OpenSSH depends on OpenSSL's libraries and will not apply without it.
- Use installp -aXYd . <fileset> from inside each extracted package directory for a non-interactive, license-accepted install.
- Stop sshd with stopsrc -s sshd before installing the server fileset, and restart it with startsrc -s sshd afterward.
- Verify with lslpp -l | grep "Open Secure" (expect COMMITTED), then openssl version, ssh -V, and a live ssh -v test.
- OpenSSL 1.0.1 and OpenSSH 6.0p1 are end-of-life and vulnerable — use these exact levels for legacy/lab work only and deploy the current AIX Web Download Pack in production.
Frequently Asked Questions
Do I have to install OpenSSL before OpenSSH on AIX?
Yes. OpenSSH on AIX links against the libcrypto and libssl libraries provided by the OpenSSL filesets. If you run installp for OpenSSH first, it fails because the prerequisite is missing. Install openssl, confirm it with lslpp, then install openssh.
Why does my OpenSSH install fail on openssh.base.server?
Almost always because the sshd daemon is still running and holding the server binary open. Stop it with stopsrc -s sshd, re-run installp -aXYd . openssh to finish the unapplied filesets, then start it again with startsrc -s sshd.
What is the difference between ssh -v and ssh -V?
Capital -V prints the OpenSSH version and exits (for example OpenSSH_6.0p1). Lowercase -v turns on verbose connection debugging; with no destination host it just shows the usage banner, which is why people think the version command “didn’t work.” Use ssh -V for the version, ssh -v host to debug a login.
Is OpenSSL 1.0.1.514 safe to use today?
No. Fileset 1.0.1.514 is the OpenSSL 1.0.1e code base, which reached end of life on 31 December 2016 and carries serious unpatched vulnerabilities, including the Heartbleed-era flaws in the 1.0.1 line. Use it only to study or reproduce a legacy environment, and install the current AIX OpenSSL and OpenSSH Web Download Pack for anything connected to a network.