
Thread: HOWTO: Upgrading OpenSSH

  1. #1
    Join Date
    May 2003
    Posts
    142

    HOWTO: Upgrading OpenSSH

    Title: Upgrading OpenSSH on Redhat Servers
    Revision: 1.0.3
    Date: June 28th, 2003
    Time: 9:47am CST
    Description: Guide for installing and upgrading OpenSSH services on a typical Redhat server.
    Difficulty: 5/10

    ------------------------------------------------------------

    Disclaimer:
    THIS HOWTO IS PROVIDED BY NULL-ROUTE DOT COM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NULL-ROUTE DOT COM. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    ------------------------------------------------------------

    Introduction:
    OpenSSH has become the standard for accessing servers today, and maintaining its security is a must to keep your server free from intruders. Standard Redhat installations of all versions install OpenSSH, but these default installations all also have root exploits for them.

    This howto will attempt to guide you in upgrading your current OpenSSH installation to aid in hardening your system.

    NOTE: This guide can be considered dangerous, as if the directions are not followed exactly and all steps completed you may lose access to your server completely. Use this with caution!

    This howto assumes the reader has a general knowledge of Linux and the command line interface for installing applications and has root access to the server. Readers with minimal knowledge of Linux or the processes of compiling and installing software should not attempt this without proper supervision from a system administrator or in a production environment.

    Pre-Installation:
    We will begin with checking the OpenSSHd version number to see if we are running an older version than current.

    Code:
    # sshd -v
    NOTE: -v is not a legal flag that is normally passed to sshd, but for this purpose it will produce the list of accepted parameters and the SSHd version. The output should look like this:

    Code:
    root@grep [/]# sshd -v             
    sshd: illegal option -- v
    sshd version OpenSSH_3.4p1
    Usage: sshd [options]
    <snip>
    Once we have verified that we are running an older version of OpenSSH, we will download the OpenSSH source tarball to /usr/src. At the time of this writing the latest version available is 3.6.1p2. We will also untar the downloaded file and change to the new directory.

    Code:
    # cd /usr/src
    # wget ftp://ftp.openbsd.org/pub/OpenBSD/Op...3.6.1p2.tar.gz
    # tar -xvzf openssh-3.6.1p2.tar.gz
    # cd openssh-3.6.1p2/
    Now, to be safe, we will also turn telnetd on in case OpenSSH does not come back up after we restart it. This should NOT be left on after the compile, as all commands and logins will be transmitted in plain text.

    Code:
    # chkconfig --level 1235 telnet on

    Installation and upgrading:
    The configure command below will enable the pluggable authentication module (PAM) and set the configuration path for SSH.

    Code:
    # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
    After configure has run on your system, and if no errors are given, it is safe to begin building your OpenSSH package with make.

    Code:
    # make
    # make install
    NOTE: You may receive an error after running make install saying that the user sshd is not present on your system. To fix this error run this command:

    Code:
    # adduser -s /sbin/nologin sshd
    # make install
    If everything has been compiled without any errors, then it is time to restart sshd. This is when it is important to either have telnet up or someone that can console to the server in case sshd does not come back up after the restart.

    Code:
    # /etc/init.d/sshd restart
    After restarting OpenSSH you can now verify that you are running your new build with this command:

    Code:
    # sshd -v
    Acceptable output would be:

    Code:
    root@grep [/]# sshd -v             
    sshd: illegal option -- v
    sshd version OpenSSH_3.6.1p2
    Usage: sshd [options]
    <snip>
    After you have verified that OpenSSH has been properly upgraded and accepts connections fine, it is HIGHLY recommended to turn telnetd off.

    Code:
    # chkconfig --level 1235 telnet off
    Closing:
    If you have found any glaring typos, or outdated info in this document, please let me know.
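
    As an added example that is not part of the original post: the version check and the "will sshd come back?" safety net above, written as a small sh script. It assumes a Redhat-style host whose init script starts /usr/sbin/sshd, an old sshd that understands -t, -o and -p (OpenSSH 3.x), a spare port 2222 that your firewall restricts to your own address, and a target version MIN_VERSION that you pick yourself; the "sshd -v" output it parses is constructed sample text. Instead of turning telnetd on, it keeps a copy of the known-good sshd listening on the spare port while the new one is restarted, and its pre-flight check catches the case where the build was installed under a different --prefix than the one the init script uses.

```shell
#!/bin/sh
# Added example for the HOWTO above; not code from the original post.
# Assumptions: init script starts /usr/sbin/sshd; old sshd accepts -t/-o/-p
# (OpenSSH 3.x); port 2222 is firewalled to your own IP; MIN_VERSION is yours.

MIN_VERSION="3.6.1p2"
FALLBACK_PORT=2222

# Pull "3.4p1" / "3.6.1p2" / "4.2" out of the text that "sshd -v" or "ssh -V"
# prints; prints nothing when no OpenSSH_ tag is present.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Map a version to one integer (major*10^6 + minor*10^4 + patch*10^2 + portable)
# so "3.4p1" (no patch level) and "4.2" (no portable suffix) compare correctly.
version_key() {
    printf '%s\n' "$1" | awk '{
        n = split($0, a, "p"); port = (n > 1) ? a[2] : 0
        m = split(a[1], b, "."); for (i = m + 1; i <= 3; i++) b[i] = 0
        printf "%d\n", b[1] * 1000000 + b[2] * 10000 + b[3] * 100 + port
    }'
}

# Exit 0 when $1 is older than $2.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# Safety net to use instead of telnetd: run BEFORE "make install" overwrites
# the binary, so the known-good daemon keeps listening on the spare port.
# The separate PidFile matters: the init script's "stop" kills whatever pid
# is in /var/run/sshd.pid, which would otherwise be this fallback daemon.
start_fallback_sshd() {
    cp /usr/sbin/sshd /usr/sbin/sshd.prev &&
        /usr/sbin/sshd.prev -p "$FALLBACK_PORT" -o "PidFile=/var/run/sshd.prev.pid"
}

# Run after "make install", before the restart: confirm the binary the init
# script will start is the one just built, and that its config and keys parse.
preflight() {
    new=$(openssh_version "$(/usr/sbin/sshd -v 2>&1)")
    if [ -z "$new" ] || version_lt "$new" "$MIN_VERSION"; then
        echo "/usr/sbin/sshd is still ${new:-unknown}: check --prefix (configure defaults to /usr/local)" >&2
        return 1
    fi
    /usr/sbin/sshd -t || return 1   # test mode: parse config, check keys, do not listen
    echo "sshd $new installed and config OK; safe to restart"
}

# Demonstration on constructed "sshd -v" output (no daemon needed):
sample='sshd: illegal option -- v
sshd version OpenSSH_3.4p1
Usage: sshd [options]'
current=$(openssh_version "$sample")
if version_lt "$current" "$MIN_VERSION"; then
    echo "running $current, older than $MIN_VERSION: upgrade"
else
    echo "running $current, already at or beyond $MIN_VERSION"
fi
```

    Order of use on a real box: start_fallback_sshd, then make install, then preflight, then the init script restart; if the new daemon fails, log in on the spare port and copy /usr/sbin/sshd.prev back over /usr/sbin/sshd. Kill the fallback daemon and remove sshd.prev once the upgrade is verified.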

  2. #2
    Join Date
    Jun 2003
    Location
    United Kingdom
    Posts
    16
    I'm a gambling man. Knowing the support for my server isn't the best, I decided not to turn telnetd on... Now I think to myself "What an idiot."
    ......
    ......
    ......
    It worked

    HA

  3. #3
    Join Date
    Oct 2003
    Location
    los angeles, cali
    Posts
    23
    For what it's worth on this, 3.7p1 is now out, you can get it from :

    ftp://ftp3.usa.openbsd.org/pub/OpenB...h-3.7p1.tar.gz

    The only change you would need is which version of OpenSSH you are wget'ing, everything else from above still works.
    -nick
    Systems Engineer
    Lunarpages.com.


  4. #4
    Join Date
    Jun 2003
    Location
    UK
    Posts
    2,326
    I believe there's also an official patch released by RHN; just run up2date -l to check it's listed.
    OptimumServers » Managed Dedicated Servers & General Systems Management » Coming Soon!
    ProWebUK - Quality Web Services
    DirectAdmin Server Checklist

  5. #5
    Join Date
    Nov 2003
    Posts
    2
    One addition to that telnet part: you should filter every IP except yours on port 23 with the firewall. If you have a dynamic IP range, you should put your prefix length in it as well.

    IPtables:
    Static IP:
    MYIP=15.62.1.55

    Dynamic IP:
    MYIP=15.62.1.0/24

    Then:
    iptables -A INPUT -p tcp -m tcp --destination-port 23 --source ! $MYIP -j DROP

    Of course you can/should delete that rule after a successful SSH upgrade:

    iptables -D INPUT -p tcp -m tcp --destination-port 23 --source ! $MYIP -j DROP

  6. #6
    Join Date
    Oct 2003
    Location
    Romania
    Posts
    122
    Hello, my server is running OpenSSH 3.5, so I just downloaded the new OpenSSH 3.7p1 as you described, but when I try to run the command:
    Code:
    # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
    there are some checks there, and I receive an error at the end: configure: error: PAM headers not found.

    Can you tell me what I should do?

    And one more newbie question: after the upgrading process, can I remove the openssh-3.7p1.tar.gz archive and the openssh-3.7p1 dir?
    The more people I know, the more I love my dog.

  7. #7
    Join Date
    Jun 2003
    Location
    UK
    Posts
    2,326
    Originally posted by MagnuM there are some checks there, and receive an error at the end: configure: error: PAM headers not found
    You need to reinstall PAM

    can I remove the openssh-3.7p1.tar.gz archive and openssh-3.7p1 dir?
    Yes (if you mean the directory made by unpacking the .tar.gz!)

    Chris

  8. #8
    Join Date
    Jun 2003
    Location
    UK
    Posts
    2,326
    Originally posted by Buzer
    One addition to that telnet part: You should filter every IP exect yours on port 23 by firewall.
    What he is doing is disabling telnet from starting *at all* when your server reboots... When something is disabled, do you need to allow your own IP addresses access? You could by all means just block port 23 and not worry about allowing your own IPs if telnet is off.

    Chris

  9. #9
    Join Date
    Oct 2003
    Location
    Romania
    Posts
    122
    You need to reinstall PAM
    Do I really need this PAM, because I don't even know how to install and configure this software.

  10. #10
    Join Date
    Oct 2003
    Location
    Romania
    Posts
    122
    OK, is there anyone here who knows what PAM is and how useful it is, and how can I install it, so I can upgrade to openssh-3.7p1?

  11. #11
    Join Date
    Jun 2003
    Location
    UK
    Posts
    2,326
    Answers to all your questions: http://rpmfind.net/linux/rpm2html/se...&submit=Search

    Chris

  12. #12
    Join Date
    Sep 2003
    Location
    The Netherlands
    Posts
    556
    Since I've been using up2date till now, my version is patched with everything, but I'd rather use the new version, although I don't seem to have a telnetd on my server...

    While trying to execute:
    Originally posted by The Prohacker
    Now to be safe we will also be turning telnetd on incase OpenSSH does not come back up after we restart it. This should NOT be left on after the compile as all commands and logins will be transmitted in plain text.

    Code:
    # chkconfig --level 1235 telnet on
    I get a:
    Code:
    [root@horus openssh-3.7p1]# chkconfig --level 1235 telnet on
    error reading information on service telnet: No such file or directory
    Anyone have the correct files to enable this the way it should be?
    I really don't want to have to go to the datacentre for this update.

  13. #13
    Join Date
    Dec 2003
    Posts
    26
    Icheb,


    up2date -i telnet-server

    to get the telnet server on your box.

  14. #14
    Join Date
    Sep 2003
    Location
    The Netherlands
    Posts
    556
    Originally posted by FeBox
    Icheb,


    up2date -i telnet-server

    to get the telnet server on your box.
    Thanks, didn't know the exact name for it; I guessed telnetd, but nothing happened.

    Furthermore, the on and off sequence required my xinetd to be reconfigured and reloaded, so I'd say: before you update, try to get a login window at the telnetd.

  15. #15
    Join Date
    Oct 2003
    Location
    Calgary, AB
    Posts
    696
    used this for 3.8p1

    thanks!

  16. #16
    Join Date
    Nov 2003
    Posts
    48
    OS RH8

    when running make I get:

    /usr/src/openssh-3.6.1p2/cipher.c:243: undefined reference to `EVP_CIPHER_CTX_set_key_length'
    collect2: ld returned 1 exit status
    make: *** [ssh] Error 1

  17. #17
    Join Date
    Nov 2003
    Posts
    48
    anyone?

  18. #18
    Join Date
    Apr 2004
    Location
    Waterloo, IA
    Posts
    27
    Originally posted by joh2900
    OS RH8

    when running make I get:

    /usr/src/openssh-3.6.1p2/cipher.c:243: undefined reference to `EVP_CIPHER_CTX_set_key_length'
    collect2: ld returned 1 exit status
    make: *** [ssh] Error 1
    Update your redhat installation, 8 is years old and shouldn't even be used.

    Has anyone got this successfully working with fc2+ ? I'm getting host disconnections before anything is even asked, it's just tossing it out. Nothing's in the logs, nothing, it just closes the connection.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to your WHMCS install!
    Linux admin, WHMCS Guru for hire. PM me for more information

  19. #19
    Join Date
    Sep 2003
    Location
    The Netherlands
    Posts
    556
    I know admins still using RH 7.2 or even 6.2 for services, so why is 8 that old?
    If you know how to make sure no one has ssh access, you upgrade all the stuff manually and it works fine. (Yeah, we are switching to Debian; I hate FC, it's kind of not meant for servers, in my opinion.)

    I don't know the error; I should see a bit more from the logs, perhaps I could recognise it then, but don't expect much of it.

  20. #20
    Join Date
    Jun 2005
    Posts
    11
    I tried to upgrade the openssh on my server. But after upgrading and restarting sshd successfully, when I check the version it still shows 3.9.1, whereas I upgraded it to version 4.2.

    What do i do to rectify it? Please help
    Intrested in smokyhosts.com!!



