HOWTO: Upgrading OpenSSH

If you have not yet upgraded OpenSSL to the latest version it is highly recommended you read my other HOWTO on upgrading OpenSSL before using this one. OpenSSH links against the OpenSSL libraries, so compiling it on top of a vulnerable OpenSSL leaves the new OpenSSH installation exposed to the same flaws.
http://www.webhostingtalk.com/showth...hreadid=159363

------------------------------------------------------------

Title: Upgrading OpenSSH on Redhat Servers
Revision: 1.0.0
Date: June 28th, 2003
Time: 9:47am CST
Description: Guide for installing and upgrading OpenSSH services on a typical Redhat server.
Difficulty: 5/10

------------------------------------------------------------

Disclaimer:
THIS HOWTO IS PROVIDED BY NULL-ROUTE DOT COM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NULL-ROUTE DOT COM. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

------------------------------------------------------------

Introduction:
OpenSSH has become the standard for remote access to servers, and keeping it current is a must if the server is to stay free of intruders. Every Red Hat release installs OpenSSH by default, but the version shipped with the distribution has repeatedly been hit by remotely exploitable bugs, including ones that gave remote root, so an unpatched stock install should be treated as vulnerable.

This howto will attempt to guide you in upgrading your current OpenSSH installation to aid in hardening your system.

NOTE: This guide can be considered dangerous: if the directions are not followed exactly and every step completed, you may lose access to your server completely. Use it with caution!

This howto assumes the reader has a general knowledge of Linux and the command line, knows how to install applications from source, and has root access to the server. Readers with minimal Linux experience, or none compiling and installing software, should not attempt this on a production system, and not at all without supervision from a system administrator.

Pre-Installation:
We will begin by checking the installed sshd version to see whether it is older than the current release.

Code:
# sshd -v
NOTE: -v is not a valid sshd option. sshd rejects it, but in doing so prints its version together with the list of accepted options (to stderr), which is exactly what we want here. The output should look like this:

Code:
root@grep [/]# sshd -v             
sshd: illegal option -- v
sshd version OpenSSH_3.4p1
Usage: sshd [options]
<snip>
Once we have verified that we are running an older version of OpenSSH we download the OpenSSH source tarball to /usr/src. At the time of this writing the latest version available is 3.6.1p2. Before unpacking, verify the download against the detached PGP signature (the .sig file published next to the tarball) so that you are not building a tampered tree as root. We then untar the file and change into the new directory.

Code:
# cd /usr/src
# wget ftp://ftp.openbsd.org/pub/OpenBSD/Op...3.6.1p2.tar.gz
# tar -xvzf openssh-3.6.1p2.tar.gz
# cd openssh-3.6.1p2/
To be safe we will also turn telnetd on in case sshd does not come back up after we restart it. This must NOT be left on after the upgrade: telnet transmits every login and command, passwords included, in plain text. Where possible the safer fallback is simply to keep your current SSH session open throughout; an established session is not affected by an sshd restart, and you can use it to repair things if a fresh connection fails. If you do enable telnet, restrict it to your own address with tcp_wrappers or a firewall rule for the duration.

Code:
# chkconfig --level 1235 telnet on

Installation and upgrading:
The configure command below enables PAM support (--with-pam) and points OpenSSH at the existing configuration directory /etc/ssh, so your current sshd_config, host keys and the /etc/pam.d/sshd file from the Red Hat package are reused. --prefix=/usr installs the new binaries over the locations Red Hat's package uses, which is what lets the stock init script keep working. Be aware that this overwrites the RPM-installed files without updating the RPM database, so a later update of the openssh packages will silently replace your build.

Code:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
Once configure has run without errors it is safe to build OpenSSH with make and install it.

Code:
# make
# make install
NOTE: make install may fail with an error saying that the user sshd does not exist on your system. OpenSSH's privilege separation runs the pre-authentication part of sshd as this unprivileged user, so it must exist; create it as a non-login account and re-run the install:

Code:
# adduser sshd -s /sbin/nologin
# make install
If everything has compiled and installed without errors it is time to restart sshd. This is the point where it is important to have telnet up, an existing SSH session still open, or someone who can reach the console, in case sshd does not come back up after the restart. Before restarting, run `sshd -t`: it checks the configuration file and host keys without starting the daemon and exits non-zero if the new binary cannot use your existing /etc/ssh setup.

Code:
# /etc/init.d/sshd restart
After restarting OpenSSH you can now verify that you are running your new build with this command:

Code:
# sshd -v
Acceptable output would be:

Code:
root@grep [/]# sshd -v             
sshd: illegal option -- v
sshd version OpenSSH_3.6.1p2
Usage: sshd [options]
<snip>
After you have verified that OpenSSH has been upgraded and that a brand-new SSH connection from a second terminal succeeds (do not rely on the session you were already in; it survived the restart regardless), it is HIGHLY recommended to turn telnetd off again.

Code:
# chkconfig --level 1235 telnet off
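The pre-installation version check and the restart step above, put together as a small POSIX sh script. This is an added example written for this page, not code from the original post or from the OpenSSH project; the function names, the default target version 3.6.1p2 (taken from the text) and the sample banner used to exercise the parser are all assumptions of mine. It parses the version out of the usage banner sshd prints for an illegal option, compares it numerically against the target (handling the portable "pN" suffix and multi-digit components, which a plain string comparison gets wrong), and refuses to restart sshd unless `sshd -t` accepts the existing configuration.

```shell
#!/bin/sh
# Added example: version check and guarded restart for the OpenSSH upgrade
# described on this page. Function names and the sample banner are mine.

TARGET_VERSION="3.6.1p2"   # latest release named in the HOWTO

# Extract e.g. "3.4p1" from the banner sshd prints on an illegal option
# ("sshd version OpenSSH_3.4p1 ..."). Reads the banner on stdin.
ssh_version_from_banner() {
    sed -n 's/.*OpenSSH_\([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Compare two dotted numeric strings component by component.
# Echoes -1, 0 or 1. Missing components count as 0, so 3.6 == 3.6.0.
cmp_dotted() {
    x=$1; y=$2
    while [ -n "$x" ] || [ -n "$y" ]; do
        xh=${x%%.*}; yh=${y%%.*}
        [ "$xh" = "$x" ] && x='' || x=${x#*.}
        [ "$yh" = "$y" ] && y='' || y=${y#*.}
        xh=${xh:-0}; yh=${yh:-0}
        if [ "$xh" -lt "$yh" ]; then echo -1; return 0; fi
        if [ "$xh" -gt "$yh" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Compare full OpenSSH version strings such as 3.4p1 and 3.6.1p2.
# The base version is compared first; the portable patch level "pN"
# only breaks ties, and a missing suffix counts as p0.
ssh_vercmp() {
    r=$(cmp_dotted "${1%%p*}" "${2%%p*}")
    if [ "$r" != 0 ]; then echo "$r"; return 0; fi
    ap=${1#*p}; bp=${2#*p}
    [ "$ap" = "$1" ] && ap=0
    [ "$bp" = "$2" ] && bp=0
    cmp_dotted "$ap" "$bp"
}

# True (exit 0) when installed version $1 is older than target $2.
needs_upgrade() {
    [ "$(ssh_vercmp "$1" "$2")" = -1 ]
}

# Version of the sshd binary on this host (the banner goes to stderr).
installed_ssh_version() {
    sshd -v 2>&1 | ssh_version_from_banner
}

# Restart sshd only after the new binary has accepted the existing
# config and host keys. Keep your current session open while doing this:
# it survives the restart, and a fresh connection from a second terminal
# is the real test that the upgrade worked.
safe_restart_sshd() {
    if ! /usr/sbin/sshd -t; then
        echo "sshd -t rejected /etc/ssh/sshd_config or the host keys; not restarting" >&2
        return 1
    fi
    /etc/init.d/sshd restart
}

# Usage: sh upgrade-check.sh check     (report whether an upgrade is needed)
#        sh upgrade-check.sh restart   (guarded restart after make install)
case "${1:-}" in
    check)
        cur=$(installed_ssh_version)
        if needs_upgrade "$cur" "$TARGET_VERSION"; then
            echo "installed OpenSSH $cur is older than $TARGET_VERSION: upgrade"
        else
            echo "installed OpenSSH $cur is current (target $TARGET_VERSION)"
        fi
        ;;
    restart)
        safe_restart_sshd
        ;;
esac
```

Run it with `check` before you start and after `make install` to confirm the new binary is the one on the path; run it with `restart` instead of calling the init script directly, so a configuration the new sshd cannot parse never takes the daemon down while you are connected.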

Closing:
If you have found any glaring typos, or outdated info in this document, please let me know.

------------------------------------------------------------

Next to come... Installing Apache+mod_ssl HOWTO