upgrade openSSH 7.2p in ubuntu 14.04

I have a server running Ubuntu 14.04, but I have an issue with PCI requirements. I installed OpenSSH 6.6p1 on my server, then I upgraded it to OpenSSH 7.2p, compiling the code with make and make install directly from the OpenSSH repositories, but it seems something is broken because I continue getting the old version when I check dpkg -l openssh\*:

ii openssh-client 1:6.6p1-2ubunt amd64 secure shell (SSH) client, 
ii openssh-server 1:6.6p1-2ubunt amd64 secure shell (SSH) server,
ii openssh-sftp-serve 1:6.6p1-2ubunt amd64 secure shell (SSH) sftp server 

And the PCI scanner continues reporting the same issue, that I have to install the latest version of OpenSSH.

This is the CVE ID of the issue: CVE-2016-3115

Rigoberto Giraldo Carmona asked Apr 06 '16 14:04

3 Answers

Tested on Ubuntu 16.04

Upgrades ssh-client to the latest version. Updates a lot of other stuff!

sudo apt-add-repository 'deb http://old-releases.ubuntu.com/ubuntu yakkety main universe multiverse'
sudo apt-get update
sudo apt-get install openssh-server=1:7.4p1-10

remove repository that was added so extra updates don't happen later:

sudo apt-add-repository --remove 'deb http://old-releases.ubuntu.com/ubuntu yakkety main universe multiverse'
sudo apt-get update

Note: For 17.04 change yakkety to zesty (untested)

oneklc answered Sep 20 '22 06:09

There are two answers already mentioning the recompile. The way they suggest it may not sound like a safe option if you are already connected with ssh. Also they fail to suggest what to do with the OpenSSL 1.0.2 vs 1.1.0 issue, as by default ./configure finds the 1.1.0 version of OpenSSL on Ubuntu 14.04 LTS. To patch the OpenSSH 7.7 sources to work with OpenSSL 1.1.0, here is a patch:

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar -zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssh-7.7p1-openssl-1.1.0-1.patch
patch -Np1 -i ./openssh-7.7p1-openssl-1.1.0-1.patch

And here comes the trick: you can have TWO SSHDs so you will not lose the current connection. We will install this other sshd to /opt and its config will be in /opt/etc

./configure --prefix=/opt
make ## in the end make will write where it will install, double check everything will go to /opt
make install
nano /opt/etc/ssh/sshd_config

Here edit the port: move it away from 22 to, for example, 1888 (make sure the port is forwarded/opened/etc.)

And now you can start the new sshd

/opt/sbin/sshd

Make sure that on restart something (for example systemd) will start this other sshd too.

The 2 sshds are now running simultaneously. You can try to connect with this newly built one. When done, you can safely remove the outdated, security-update-lacking OpenSSH 6.6 from apt, or at least stop the daemon and remove it from startup.

And you are one step closer to a secure system.

dszakal answered Sep 21 '22 06:09


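A check to go with the two-sshd approach above (an added example by the editor, not code from any answer on this page): a version-based scanner judges the identification banner it receives from the port it probes, not what dpkg lists, so grab the banner from each listening sshd and compare it with your required minimum. It assumes nc (netcat) is installed; the host, port and threshold in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: confirm which OpenSSH version a listening port announces.

# Print "major.minor" from an SSH banner such as
# "SSH-2.0-OpenSSH_7.7p1 Ubuntu-4" -> "7.7". Prints nothing if not OpenSSH.
openssh_version_from_banner() {
    printf '%s\n' "$1" \
      | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Return 0 if the banner's version is >= REQUIRED ("major.minor"),
# 1 if it is older, 2 if the banner is not a parseable OpenSSH banner.
openssh_at_least() {
    ver=$(openssh_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    vmaj=${ver%%.*}; vmin=${ver#*.}
    rmaj=${2%%.*};   rmin=${2#*.}
    if [ "$vmaj" -gt "$rmaj" ]; then return 0; fi
    if [ "$vmaj" -eq "$rmaj" ] && [ "$vmin" -ge "$rmin" ]; then return 0; fi
    return 1
}

# Fetch the banner a scanner would see on HOST PORT. sshd sends its
# identification line first, so read one line and let nc's idle
# timeout (-w 3) end the connection.
fetch_banner() {
    nc -w 3 "$1" "$2" </dev/null | head -n 1 | tr -d '\r'
}

# Usage (placeholders): check_port localhost 1888 7.2
# i.e. the /opt sshd on its new port, and the old one on 22 for comparison.
check_port() {
    banner=$(fetch_banner "$1" "$2")
    if openssh_at_least "$banner" "$3"; then
        echo "OK: $1:$2 announces '$banner'"
    else
        echo "OUTDATED/UNKNOWN: $1:$2 announces '$banner' (need OpenSSH >= $3)"
        return 1
    fi
}
```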
I needed to install the newest OpenSSH as well, but I wanted to install it via a package instead of compiling from source.

sudo apt-add-repository 'deb http://archive.ubuntu.com/ubuntu yakkety main universe multiverse'
sudo apt-get update
sudo apt-get install openssh-server=1:7.3p1-1

It worked for me. (Technically only main and universe were necessary here.)

$ ssh -V
OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g  1 Mar 2016

Edit (2017-10-04): This answer has been receiving some attention lately and might be out of date now. Remember only main and universe were necessary from this, and I specifically wanted to install this as a package instead of compiling from source. Please be careful with typing random commands from the internet, no matter how well-meaning the stranger (in this case me) is!

flanger001 answered Sep 19 '22 06:09