HOWTO: Upgrading OpenSSH

The Prohacker

Title: Upgrading OpenSSH on Redhat Servers
Revision: 1.0.3
Date: June 28th, 2003
Time: 9:47am CST
Description: Guide for installing and upgrading OpenSSH services on a typical Redhat server.
Difficulty: 5/10

------------------------------------------------------------

Disclaimer:
THIS HOWTO IS PROVIDED BY NULL-ROUTE DOT COM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NULL-ROUTE DOT COM. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

------------------------------------------------------------

Introduction:
OpenSSH has become the standard for accessing servers today, and maintaining its security is a must to keep your server free from intruders. Standard Redhat installations of all versions install OpenSSH, but these default installations all also have root exploits for them.

This howto will attempt to guide you in upgrading your current OpenSSH installation to aid in hardening your system.

NOTE: This guide can be considered dangerous: if the directions are not followed exactly and all steps completed, you may lose access to your server completely. Use this with caution!

This howto assumes the reader has a general knowledge of Linux and the command line interface for installing applications and has root access to the server. Readers with minimal knowledge of Linux or of the process of compiling and installing software should not attempt this without proper supervision from a system administrator, or in a production environment.

Pre-Installation:
We will begin with checking the OpenSSHd version number to see if we are running an older version than current.

Code:
# sshd -v

NOTE: -v is not a legal flag that is normally passed onto sshd but for this purpose it will produce the list of accepted parameters and the SSHd version. The output should look like this:

Code:
root@grep [/]# sshd -v
sshd: illegal option -- v
sshd version OpenSSH_3.4p1
Usage: sshd [options]
<snip>

Once we have verified that we are running an older version of OpenSSH, we will download the OpenSSH source tarball to /usr/src. At the time of this writing the latest version available is 3.6.1p2. We will also untar the downloaded file and change to the new directory.

Code:
# cd /usr/src
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p2.tar.gz
# tar -xvzf openssh-3.6.1p2.tar.gz
# cd openssh-3.6.1p2/

Now, to be safe, we will also turn telnetd on in case OpenSSH does not come back up after we restart it. This should NOT be left on after the compile, as all commands and logins will be transmitted in plain text.

Code:
# chkconfig --level 1235 telnet on


Installation and upgrading:
The configure command below will enable Pluggable Authentication Modules (PAM) and set the configuration path for SSH.

Code:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam

After configure has run on your system, if no errors are given, it is safe to begin building your OpenSSH package with make.

Code:
# make
# make install

NOTE: You may receive an error after running make install saying that the user sshd is not present on your system. To fix this error run this command:

Code:
# adduser sshd -s /sbin/nologin
# make install

If everything has been compiled without any errors, then it is time to restart sshd. This is when it is important to either have telnet up or someone that can console to the server in case sshd does not come back up after the restart.

Code:
# /etc/init.d/sshd restart

After restarting OpenSSH you can now verify that you are running your new build with this command:

Code:
# sshd -v

Acceptable output would be:

Code:
root@grep [/]# sshd -v
sshd: illegal option -- v
sshd version OpenSSH_3.6.1p2
Usage: sshd [options]
<snip>

After you have verified that OpenSSH has been properly upgraded and accepts connections fine, it is HIGHLY recommended to turn telnetd off.

Code:
# chkconfig --level 1235 telnet off

Closing:
If you have found any glaring typos, or outdated info in this document, please let me know.
 
I'm a gambling man. Knowing the support for my server isn't the best, I decided not to turn telnetd on... Now I think to myself "What n ediot.
......
......
......
It worked

HA
 
I believe there's also an official patch released by RHN; just run up2date -l to check it's listed :)
 
One addition to that telnet part: you should filter every IP except yours on port 23 by firewall. If you have a dynamic IP range, you should put your prefix length in it as well.

IPtables:
Static IP:
MYIP=15.62.1.55

Dynamic IP:
MYIP=15.62.1.0/24

Then:
iptables -A INPUT -p tcp -m tcp --destination-port 23 --source ! $MYIP -j DROP

Of course you can/should delete that rule after a successful SSH upgrade:

iptables -D INPUT -p tcp -m tcp --destination-port 23 --source ! $MYIP -j DROP
 
Hello, my server is running OpenSSH 3.5, so I just downloaded the new OpenSSH 3.7p1 as you described, but when I try to run the command:
Code:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam

there are some checks there, and I receive an error at the end: configure: error: PAM headers not found.

Can you tell me what I should do?

And one more newbie question: after the upgrade process, can I remove the openssh-3.7p1.tar.gz archive and the openssh-3.7p1 dir?
 
Originally posted by MagnuM:
there are some checks there, and I receive an error at the end: configure: error: PAM headers not found

You need to reinstall PAM

can I remove the openssh-3.7p1.tar.gz archive and openssh-3.7p1 dir?

Yes :) (if you mean the directory made by unpacking the .tar.gz!)

Chris
 
Buzer said:
One addition to that telnet part: you should filter every IP except yours on port 23 by firewall.

What he is doing is disabling telnet from starting *at all* when your server reboots... when something is disabled, do you need to allow your own IP addresses access? You could just by all means block port 23 and not worry about allowing your own IPs if telnet is off ;)

Chris
 
OK, is there anyone here who knows what PAM is and how useful it is, and how can I install it, so I can upgrade to openssh-3.7p1?
 
Since I've been using up2date till now, my version is patched with everything, but I'd rather use the new version, although I don't seem to have a telnetd on my server...

While trying to execute:
Now to be safe we will also be turning telnetd on in case OpenSSH does not come back up after we restart it. This should NOT be left on after the compile as all commands and logins will be transmitted in plain text.

Code:
# chkconfig --level 1235 telnet on

I get a:
Code:
[root@horus openssh-3.7p1]# chkconfig --level 1235 telnet on
error reading information on service telnet: No such file or directory

Anyone have the correct files to enable this the way it should be?
I really don't want to have to go to the datacentre for this update :D
 
Icheb,


up2date -i telnet-server

to get the telnet server on your box.
 
FeBox said:
Icheb,


up2date -i telnet-server

to get the telnet server on your box.

Thanks, didn't know the exact name for it; I guessed telnetd, but nothing happened :D

Furthermore, the on and off sequence required my xinetd to be reconfigured and reloaded, so I'd say: before you update, try to get a login window at the telnetd ;)
 
OS RH8

when running make I get:

/usr/src/openssh-3.6.1p2/cipher.c:243: undefined reference to `EVP_CIPHER_CTX_set_key_length'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1
 
joh2900 said:
OS RH8

when running make I get:

/usr/src/openssh-3.6.1p2/cipher.c:243: undefined reference to `EVP_CIPHER_CTX_set_key_length'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

Update your redhat installation, 8 is years old and shouldn't even be used.

Has anyone got this successfully working with fc2+ ? I'm getting host disconnections before anything is even asked, it's just tossing it out. Nothing's in the logs, nothing, it just closes the connection.
 
I know admins still using RH 7.2 or even 6.2 for services, so why is 8 that old?
If you know how to make sure no one has ssh access, you upgrade all stuff manually, it works fine. (Yeah, we are switching to Debian, I hate FC, it's kinda not meant for servers, in my opinion)

I don't know the error; I should see a bit more from the logs, perhaps I could recognise it then, but don't expect much of it.
 
I tried to upgrade the openssh on my server. But after upgrading and restarting sshd successfully, when I check the version, it still shows 3.9.1, whereas I upgraded it to version 4.2.

What do i do to rectify it? Please help
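Added example, not part of the HOWTO or any reply: a POSIX shell script that turns the checks the HOWTO does by eye (reading the version out of the `sshd -v` banner before and after the upgrade) into functions, and adds the check that explains the last question above: whether the init script's SSHD path is the binary that `./configure --prefix` installs to. The banner and init-script text it parses are constructed samples, and the `SSHD=` convention is the Red Hat init script's.

```shell
#!/bin/sh
# Added example, not from the thread. Banner and init-script text below are
# constructed samples mirroring the output shown in the HOWTO.

# `sshd -v` is rejected, but the usage text carries "sshd version OpenSSH_X.Y.ZpN".
parse_sshd_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Compare versions such as 3.5p1 and 3.6.1p2: dotted release first, then the
# portable "pN" suffix (a missing suffix counts as p0). Prints -1, 0 or 1.
compare_versions() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, "p"); split($2, b, "p")
        n1 = split(a[1], x, "."); n2 = split(b[1], y, ".")
        n = (n1 > n2) ? n1 : n2
        for (i = 1; i <= n; i++) {
            xi = (i <= n1) ? x[i] + 0 : 0
            yi = (i <= n2) ? y[i] + 0 : 0
            if (xi != yi) { r = (xi < yi) ? "-1" : "1"; print r; exit }
        }
        pa = a[2] + 0; pb = b[2] + 0
        r = (pa == pb) ? "0" : (pa < pb) ? "-1" : "1"; print r
    }'
}

# Succeeds when the running version ($1) is older than the target release ($2).
needs_upgrade() {
    [ "$(compare_versions "$1" "$2")" = "-1" ]
}

# Red Hat's /etc/init.d/sshd sets SSHD=/path; that is what a restart launches.
init_script_sshd() {
    printf '%s\n' "$1" | sed -n 's/^SSHD=//p' | head -n 1
}

# Where ./configure --prefix=$1 installs the daemon. If this differs from the
# init script's SSHD, the old daemon keeps starting and the version never changes.
installed_sshd() {
    printf '%s/sbin/sshd\n' "$1"
}

SAMPLE_BANNER='sshd: illegal option -- v
sshd version OpenSSH_3.4p1
Usage: sshd [options]'
SAMPLE_INIT='SSHD=/usr/sbin/sshd
PID_FILE=/var/run/sshd.pid'
running=$(parse_sshd_version "$SAMPLE_BANNER")
needs_upgrade "$running" 3.6.1p2 && echo "running $running: upgrade to 3.6.1p2 needed"
[ "$(init_script_sshd "$SAMPLE_INIT")" = "$(installed_sshd /usr)" ] || echo "init script does not start the newly installed sshd"
```

On a real host, replace the samples with `sshd -v 2>&1` and `cat /etc/init.d/sshd`; a mismatch between the two paths is the first thing to check when the reported version does not change after make install.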
 