upgrade openSSH 7.2p in ubuntu 14.04

前端 未结 6 1420
别那么骄傲
别那么骄傲 2021-02-14 04:12

I have a server running Ubuntu 14.04, but I have an issue with PCI requirements. I have installed in my server OpenSSH 6.6p1, then I upgraded it to OpenSSH 7.2p, compiling the c

相关标签:
6条回答
  • 2021-02-14 04:25

    Updated to latest using:

    wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
    tar -zxvf openssh-7.5p1.tar.gz
    cd openssh-7.5p1
    ./configure
    make
    sudo make install
    
    0 讨论(0)
  • 2021-02-14 04:30

    You don't need to if you are using Ubuntu LTS. It seems like the Ubuntu Security Team pushes the patches to you! A detailed answer:

    Tools like Qualys and nmap are not that smart to figure this out. You can visit the ubuntu package changelog page [For my case the package was openssh-server6.6] to see if the patch has been provided.

    At max to be safe, just do sudo apt-get install --only-upgrade openssh-server to get the patches.

    0 讨论(0)
  • 2021-02-14 04:31

    This is an edit from @dszakal's comment since I did not have exactly the same things to do (Ubuntu 16 here).

    cd
    wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
    tar -zxvf openssh-7.7p1.tar.gz
    cd openssh-7.7p1
    wget http://www.linuxfromscratch.org/patches/blfs/svn/openssh-7.7p1-openssl-1.1.0-1.patch
    patch -Np1 -i ./openssh-7.7p1-openssl-1.1.0-1.patch
    ./configure --prefix=/opt
    make
    sudo make install
    cp ~/openssh-7.7p1/sshd_config /opt/etc/
    cp ~/openssh-7.7p1/ssh_config /opt/etc/
    
    sudo nano /opt/etc/sshd_config
    
    # Uncomment the lines I wrote below
    ---------------------------------------------
    Port 33333 # You can change the port here
    AddressFamily any
    ListenAddress 0.0.0.0
    ListenAddress ::
    
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    
    PasswordAuthentication yes
    PermitEmptyPasswords no
    ---------------------------------------------
    
    # Then launch the service
    sudo /opt/sbin/sshd
    

    Then try to log in with your usual credentials, it should work.

    Nmap report :

    PORT      STATE SERVICE VERSION
    33333/tcp open  ssh     OpenSSH 7.7 (protocol 2.0) 
    

    Now we will transfer the new SSH to port 22. I logged in on port 33333 to disabled the old SSH service & changed 33333 to 22 in /opt/etc/sshd_config

    sudo service ssh stop
    sudo nano /opt/etc/sshd_config
    Port 22
    
    # Then re-launch the service
    sudo /opt/sbin/sshd
    

    Then try to log in with your usual credentials, it should work.

    Nmap report :

    PORT      STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.7 (protocol 2.0) 
    

    Works like a charm big thanks to @dszakal !!

    0 讨论(0)
  • 2021-02-14 04:35

    I needed to install the newest OpenSSH as well but I wanted to install it via a package instead of compiling from source.

    sudo apt-add-repository 'deb http://archive.ubuntu.com/ubuntu yakkety main universe multiverse'
    sudo apt-get update
    sudo apt-get install openssh-server=1:7.3p1-1
    

    It worked for me. (Technically only main and universe were necessary here)

    $ ssh -V
    OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g  1 Mar 2016
    

    Edit (2017-10-04): This answer has been receiving some attention lately and might be out of date now. Remember only main and universe were necessary from this, and I specifically wanted to install this as a package instead of compiling from source. Please be careful with typing random commands from the internet, no matter how well-meaning the stranger (in this case me) is!

    0 讨论(0)
  • 2021-02-14 04:40

    Tested on Ubuntu 16.04

    upgrades ssh-client to latest version. updates alot of other stuff!

    sudo apt-add-repository 'deb http://old-releases.ubuntu.com/ubuntu yakkety main universe multiverse'
    sudo apt-get update
    sudo apt-get install openssh-server=1:7.4p1-10
    

    remove repository that was added so extra updates don't happen later:

    sudo apt-add-repository --remove 'deb http://old-releases.ubuntu.com/ubuntu yakkety main'
    sudo apt-get update
    

    note: For 17.04 change yakety to zesty (untested)

    0 讨论(0)
  • 2021-02-14 04:46

    There are two answers already mentioning the recompile. The way they suggest it may not sound like to be a safe option if you are already connected with ssh. Also they fail to suggest what to do with OpenSSL 1.0.2 vs 1.1.0 issue as by default ./configure finds on Ubuntu 14.04 LTS the 1.1.0 version of OpenSSL. To patch OpenSSL 7.7 sources to work with OpenSSL 1.1.0 here is a patch:

    http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

    wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
    tar -zxvf openssh-7.7p1.tar.gz
    cd openssh-7.7p1
    wget http://www.linuxfromscratch.org/patches/blfs/svn/openssh-7.7p1-openssl-1.1.0-1.patch
    patch -Np1 -i ./openssh-7.7p1-openssl-1.1.0-1.patch
    

    And here comes the trick: you can have TWO SSHDs so you will not lose the current connection. We will install this other sshd to /opt and its config will be in /opt/etc

    ./configure --prefix=/opt
    make ## in the end make will write where it will install, double check everything will go to /opt
    make install
    nano /opt/etc/ssh/sshd_config
    

    Here edit the port, take it away from 22 to for example 1888 (make sure port is forwarded/opened/etc)

    And now you can start the new sshd

    /opt/sbin/sshd
    

    Make sure on restart something (for example systemd) will start this other ssh too.

    The 2 sshds are now running simultaneously. You can try to connect with this newly built one. When done, you can safely remove the outdated and security update lacking openssh6.6 from apt, or at least stop the daemon and remove the daemon from startup.

    And you are one step closer to a secure system.

    0 讨论(0)
提交回复
热议问题