The process of installing HPN-SSH from source is a relatively painless process but does have some nuances. This document will go through the process step by step to help you get the most from your installation. If you find any errors please contact us at hpnssh@psc.edu.

The official repository for HPN-SSH is found at https://github.com/rapier1/hpn-ssh. Get a copy with

git clone https://github.com/rapier1/hpn-ssh

• What you need to install is dependent on your distribution but will include:
• OpenSSL development package
  • Debian: libssl-dev
  • Fedora: openssl-devel
  • Alternatively you can use LibreSSL
    • However, in this case we suggest compiling and installing libressl manually as there are few maintained linux packages for LibreSSL.
    • Also, LibreSSL v3.5 and v3.6 do not support the threaded AES-CTR cipher. If that’s important to you then you should use OpenSSL.
• Z compression library
  • Debian: zlib1g-dev
  • Fedora: zlib-devel
• Autoconf
• Automake

This optional libraries will extend the functionality of HPN-SSH to allow the use of PAM authentication, Kerberos, graphical password tools, etc.

• PAM
• Kerberos
• GTK

generate ./configure with “autoreconf -f -i"

Configure the installation. You can get detailed information on how to do this by issuing ./configure --help. However, commonly you will want to change the default installation location of the binaries. This can be done with --prefix=/[desired_path]. For example, if you want the binaries installed into /usr/bin as opposed to the default of /usr/local/bin you’d use ./configure --prefix=/usr. Other common options would be to incorporate pam, kerberos, alternative SSL libraries, and so forth. However, for most users either no additional configuration options or modifying the prefix will suffice.

Make the application with make -j[<em>num cores</em>]. So if you have an 8 core system you’d use make -j8

After HPN-SSH successfully builds, install it with sudo make install. This will install the binaries, configuration files, and generate the unique host keys used. At this point you can make changes to the ssh client and server default configuration. These files are found, generally, in /etc/hpnssh/ssh_config and sshd_config respectively. You may want to change the default port from 2222 to some other value. You may also want to enable the NoneCipher and NoneMac options. For more information use man hpnsshd_config and man hpnssh_config. Note: The hpnssh client expects the server to be on port 2222 but will fallback to 22 if it’s not found there. So if you do change the default port, you’ll need to make sure the clients point at the correct port.

This user is part of the privilege separation routines used in the pre-authentication sandbox. I suggest using the following command:
sudo useradd --system --shell /usr/sbin/nologin --comment="Privilege separated HPNSSH User" --home=/run/hpnsshd hpnsshd
Alternatively, you can use vipw to add the user manually.

At this point you can start hpnsshd manually by running sudo /usr/sbin/hpnsshd or whatever the full path to the hpnsshd binary might be. However, this won’t restart automatically on reboot. To do this you’ll need to install an appropriate systemd configuration file. If that seems like a good idea to you then following steps may be of help. Otherwise, you are done. Enjoy!

The correct systemd startup file depends on the distribution you are using. For system using systemd (you start a service with systemctl) create a file at /lib/systemd/system/hpnssh.service with the following contents. NB: you may need to update the paths to match your installation:

[Unit]
Description=HPN/OpenBSD Secure Shell server
Documentation=man:hpnsshd(8) man:hpnsshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/hpnssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/hpnssh
ExecStartPre=/usr/sbin/hpnsshd -t
ExecStart=/usr/sbin/hpnsshd -D $SSHD_OPTS
ExecReload=/usr/sbin/hpnsshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=hpnsshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=hpnsshd.service

Then create the defaults file at /etc/defaults/hpnssh with the following content:

# Default settings for openssh-server. 
# Options to pass to sshd
SSHD_OPTS= 

Enter any runtime options you want on the SSHD_OPTS line. If you can’t think of any, simply leave it blank.

You must then reload the systemd service to make it aware of this new service with sudo systemctl daemon-reload

If you are using an init.d (you start a service with system) then you need to install an init.d. Create the file /etc/init.d/hpnssh and copy the following into it. NB: The following is for where hpnsshd is found at /usr/sbin/hpnsshd. If it is not in that location you’ll need to update the paths.

#! /bin/sh

### BEGIN INIT INFO
# Provides:                hpnsshd
# Required-Start:        $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:                
# Short-Description:        OpenBSD Secure Shell server with HPN
### END INIT INFO

set -e

# /etc/init.d/hpnssh: start and stop the OpenBSD "secure shell(tm)" daemon

test -x /usr/sbin/hpnsshd || exit 0
( /usr/sbin/hpnsshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

umask 022

if test -f /etc/default/hpnssh; then
    . /etc/default/hpnssh
fi

. /lib/lsb/init-functions


if [ -n "$2" ]; then
    SSHD_OPTS="$SSHD_OPTS $2"
fi

# Are we running from init?
run_by_init() {
    ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
}

check_for_no_start() {
    # forget it if we're trying to start, and /etc/hpnssh/sshd_not_to_be_run exists
    if [ -e /etc/hpnssh/sshd_not_to_be_run ]; then 
        if [ "$1" = log_end_msg ]; then
            log_end_msg 0 || true
        fi
        if ! run_by_init; then
            log_action_msg "HPN/OpenBSD Secure Shell server not in use (/etc/hpnssh/sshd_not_to_be_run)" || true
        fi
        exit 0
    fi
}

check_dev_null() {
    if [ ! -c /dev/null ]; then
        if [ "$1" = log_end_msg ]; then
            log_end_msg 1 || true
        fi
        if ! run_by_init; then
            log_action_msg "/dev/null is not a character device!" || true
        fi
        exit 1
    fi
}

check_privsep_dir() {
    # Create the PrivSep empty dir if necessary
    if [ ! -d /run/hpnsshd ]; then
        mkdir /run/hpnsshd
        chmod 0755 /run/hpnsshd
    fi
}

check_config() {
    if [ ! -e /etc/hpnssh/sshd_not_to_be_run ]; then
        # shellcheck disable=SC2086
        /usr/sbin/hpnsshd $SSHD_OPTS -t || exit 1
    fi
}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

case "$1" in
  start)
        check_privsep_dir
        check_for_no_start
        check_dev_null
        log_daemon_msg "Starting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
        # shellcheck disable=SC2086
        if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;
  stop)
        log_daemon_msg "Stopping HPN/OpenBSD Secure Shell server" "hpnsshd" || true
        if start-stop-daemon --stop --quiet --oknodo --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;


  reload|force-reload)
        check_for_no_start
        check_config
        log_daemon_msg "Reloading HPN/OpenBSD Secure Shell server's configuration" "hpnsshd" || true
        if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;


  restart)
        check_privsep_dir
        check_config
        log_daemon_msg "Restarting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
        start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd
        check_for_no_start log_end_msg
        check_dev_null log_end_msg
        # shellcheck disable=SC2086
        if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;


  try-restart)
        check_privsep_dir
        check_config
        log_daemon_msg "Restarting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
        RET=0
        start-stop-daemon --stop --quiet --retry 30 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd || RET="$?"
        case $RET in
            0)
                # old daemon stopped
                check_for_no_start log_end_msg
                check_dev_null log_end_msg
                # shellcheck disable=SC2086
                if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
                    log_end_msg 0 || true
                else
                    log_end_msg 1 || true
                fi
                ;;
            1)
                # daemon not running
                log_progress_msg "(not running)" || true
                log_end_msg 0 || true
                ;;
            *)
                # failed to stop
                log_progress_msg "(failed to stop)" || true
                log_end_msg 1 || true
                ;;
        esac
        ;;


  status)
        status_of_proc -p /run/hpnsshd.pid /usr/sbin/hpnsshd hpnsshd && exit 0 || exit $?
        ;;


  *)
        log_action_msg "Usage: /etc/init.d/hpnssh {start|stop|reload|force-reload|restart|try-restart|status}" || true
        exit 1
esac

exit 0

If you are using SELinux you’ll need to run a few more commands in order to grant hpnssh the necessary exceptions to open sockets, files, read keys, and so forth. Run the following commands to allow this. Note: I’m not sure every single one of these is needed so if someone knows better please let me know. Again, double check the paths of the files being updated.

semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_dsa_key  
semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_rsa_key
semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_ecdsa_key 
semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_ed25519_key 
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_dsa_key.pub 
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_rsa_key.pub 
semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_ecdsa_key.pub 
semanage fcontext -a -f f -t sshd_key_t  /etc/hpnssh/ssh_host_ed25519_key.pub 
semanage fcontext -a -f f -t sshd_exec_t /usr/sbin/hpnsshd 
semanage fcontext -a -f f -t sshd_keygen_exec_t /usr/libexec/hpnssh/hpnsshd-keygen 
semanage fcontext -a -f f -t bin_t /usr/libexec/hpnssh/hpnsftp-server 
semanage fcontext -a -f f -t ssh_exec_t /usr/bin/hpnssh 
semanage fcontext -a -f f -t ssh_agent_exec_t /usr/bin/hpnssh-agent 
semanage fcontext -a -f f -t ssh_keygen_exec_t /usr/bin/hpnssh-keygen 
semanage fcontext -a -f f -t etc_t /etc/pam.d/hpnsshd 
semanage port -a -t ssh_port_t -p tcp 2222 
restorecon /usr/sbin/hpnsshd
restorecon /etc/hpnssh/ssh*_key
restorecon /etc/hpnssh/ssh*_key\.pub
restorecon /usr/libexec/hpnssh/hpnsshd-keygen
restorecon /usr/libexec/hpnssh/hpnsftp-server
restorecon /usr/bin/hpnssh
restorecon /usr/bin/hpnssh-agent
restorecon /usr/bin/hpnssh-keygen
restorecon /etc/pam.d/hpnsshd