Upgrading to openssh-6.7p1 on Ubuntu
Versions of openssh prior to 6.7 have a vulnerability which may result in your failing a PCI compliance scan. Specifically, you may get the following medium level error: “OpenSSH SSHFP Record Verification Weakness”.
You need to upgrade ssh to 6.7p1. If you’re running Ubuntu, then this is straightforward, but you will need to build and install ssh 6.7p1 manually. Following are the steps I took.
Download latest version from http://www.openssh.com/
Extract download.
tar -zxvf openssh-6.7p1.tar.gz
Navigate to the new directory
cd openssh-6.7p1
You’re going to need to compile ssh. Not a big deal, but you have to ensure you have the compiler installed and its packages.
sudo apt-get install build-essential
Ok…you’ve made it this far. Now I run the following to specify the confdir
sudo ./configure --sysconfdir=/etc/ssh
You may get an error when running the last command. Don’t panic. You may see:
configure: error: *** zlib.h missing - please install first or check config.log ***
If you got that error, then install zlib.h as follows:
sudo apt-get install zlib1g-dev
Try again:
sudo ./configure --sysconfdir=/etc/ssh
I had another problem. I get “OpenSSL headers missing”. Ok…that’s easy to fix:
sudo apt-get install libssl-dev
Try again:
sudo ./configure --sysconfdir=/etc/ssh
If successful you should see:
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl -lcrypt
Now we’re cooking! Let’s do the following:
sudo make
Run the following command. You should NOT lose your current ssh session, but nobody will be able to open a new ssh session until you’re done.
sudo service ssh stop
Run the following commands:
sudo make install
sudo mv /usr/sbin/sshd /usr/sbin/sshd_20150107
sudo cp /usr/local/sbin/sshd /usr/sbin/sshd
sudo service ssh start
If you made it this far without problems, then pat yourself on the back. From another machine you can run “telnet your.ip.add.ress 22”. The banner line sshd sends should show that you’re running 6.7p1.
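The telnet check above is just reading the identification line sshd sends before any authentication. Here is the same check as a small POSIX shell script (an added example, not part of the original post): it parses a banner such as “SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1” into major.minor, compares it against 6.7, and can optionally fetch the live banner from a host. The sample banners are constructed for illustration, and the live fetch assumes `nc` is installed and a host and port are passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that an sshd answers
# with an OpenSSH banner of version 6.7 or later after the upgrade.

# Extract "major.minor" from an SSH identification string such as
# "SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1". Prints nothing if the banner
# is not from OpenSSH, so callers can tell "unknown" from "old".
openssh_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 (major.minor) is greater than or equal to $2.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Return 0 if the banner is an OpenSSH banner at or above the fixed release
# (6.7); return 1 for older OpenSSH and for non-OpenSSH servers alike.
banner_is_fixed() {
    v=$(openssh_version_from_banner "$1")
    [ -n "$v" ] && version_ge "$v" 6.7
}

# Read the live banner from host $1, port ${2:-22}. sshd sends its
# identification line first, so we send nothing and keep the first line.
# Assumes the nc (netcat) client is available.
fetch_banner() {
    nc -w 3 "$1" "${2:-22}" < /dev/null | head -n 1 | tr -d '\r'
}

# Print a verdict for one banner string (used for the samples and live check).
report() {
    if banner_is_fixed "$1"; then
        printf 'OK      %s\n' "$1"
    else
        printf 'CHECK   %s\n' "$1"
    fi
}

# Constructed sample banners: one pre-upgrade Ubuntu sshd, one post-upgrade,
# one newer release, and one non-OpenSSH server.
SAMPLE_OLD='SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2'
SAMPLE_FIXED='SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1'
SAMPLE_NEWER='SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8'
SAMPLE_OTHER='SSH-2.0-dropbear_2014.66'

if [ -n "${1:-}" ]; then
    # Usage: sh check_sshd_banner.sh your.ip.add.ress [port]
    report "$(fetch_banner "$1" "${2:-22}")"
else
    for b in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_NEWER" "$SAMPLE_OTHER"; do
        report "$b"
    done
fi
```

Run it with no arguments to see the verdicts for the sample banners, or with a host (and optional port) to check a real server. Note that the banner only tells you which version the running sshd reports; if you replaced the binary but never restarted the service, the old process is still answering, and a host that patches without bumping the version string will show as old here even though a scanner may or may not flag it. Before the final “service ssh start”, running “sudo /usr/sbin/sshd -t” validates /etc/ssh/sshd_config against the new binary, which catches the UsePAM-style option problems mentioned in the comments below without locking you out.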
I cannot ssh anymore after running this—any thoughts?
`sudo ./configure -sysconfdir=/etc/ssh` should be `sudo ./configure --sysconfdir=/etc/ssh`
Looks like WordPress is converting two hyphens to a dash.
Using the same link, these are the steps that I followed:
sudo apt-get update
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-6.8p1.tar.gz (**USE WHATEVER VERSION YOU WISH)
tar -zxvf openssh-6.8p1.tar.gz
cd openssh-6.8p1
sudo apt-get install build-essential (I installed all the packages that were recommended as well if errors occurred)
sudo ./configure --sysconfdir=/etc/ssh
sudo make
sudo service ssh stop
sudo make install
sudo mv /usr/sbin/sshd /usr/sbin/sshd_20150107
sudo cp /usr/local/sbin/sshd /usr/sbin/sshd
Go to /etc/ssh/sshd_config, find UsePAM, add # before it, and then save it.
Now go to /etc/ssh/ssh_config. There are two “GSS…” lines. Put #’s before both of those as well to comment them out.
sudo service ssh start (this may “hang”…so hit control + C if needed to get out, then exit or go on to the next step if desired)
**THIS NEXT STEP ISN’T 100% NECESSARY**
sudo su -
passwd ubuntu
(enter your passwords)
Now you can log in!
Thank you for providing this great tutorial. It was really a life saver.