What's it take to update to OpenSSH 5.1 or higher?

[jols]

We are running the latest RELEASE version of cPanel on:
WHM 11.26.20
REDHAT Enterprise 5.5 i686 standard

When I do this at shell:

yum install openssh*

I get this readout:

Package openssh-server-4.3p2-41.el5_5.1.i386 already installed and latest version
Package openssh-4.3p2-41.el5_5.1.i386 already installed and latest version
Package openssh-clients-4.3p2-41.el5_5.1.i386 already installed and latest version


So what does this mean? That only openssh 4.3 is compatible with Redhat OS a this time? Or what?

Thanks much.

 

[JaredR.]

Latest available from Red Hat

This means that you have the latest version of the package that is available from Red Hat's Red Hat Network yum channels. If you want a newer version, you will need to locate a compatible package from a different source.

 

[sneader]

One of our customers says their PCI Compliance scan is failing, due to OpenSSH. The message is:

OpenSSH 3.9p1 is vulnerable Severity. Solution: Upgrade to OpenSSH version 5.1 or higher

So, I am interested in the answer to this as well. Running CentOS 4.7. Doing some research now...

- Scott

 

[jols]

I made out a cPanel.net trouble ticket for this. The response that came back was that the currently used version has been security patched and I could show Security Metrics the version history file to prove it.

So I did, and the final response has yet to hit my desk, but somehow I don't think Security Metrics is going to accept anything but an upgrade.

So, we're stuck....

Then in this thread, cPanel.net says, "If you want a newer version, you will need to locate a compatible package from a different source..."

So..... "need to locate a compatible package..." Compatible with what? Elements of the cPanel system that may fail if I go outside the conventional parameters here? Hope not.

 

[InterServed]

Just wrote this bash script that should uninstall the ssh provided by centos/rhel yum repository and install OpenSSH 5.6p1 from source.


I take no responsibility for the following code as i haven't tested it yet:

#!/bin/bash
#Configuration:
temp_working_directory=/usr/local/src
openssh_source_link=http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz
install_prefix=/usr


#Saving old sshd init script:
cp -a /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd.save

#Uninstall OS installed SSH
rpm -e openssh openssh-clients openssh-server
##Installing OpenSSH 5.6p1 from source:

#Downloading OpenSSH5.6p1
cd $temp_working_directory && wget -c "$openssh_source_link"
##Untaring and configure openssh
tar xfz openssh-5.6p1.tar.gz
#Removing openssh archive openssh-5.6p1.tar.gz
rm -rf openssh-5.6p1.tar.gz
cd openssh-5.6p1 ;./configure --prefix=$install_prefix && make && make install
#Restoring sshd init script
cp -a /etc/rc.d/init.d/sshd.save /etc/rc.d/init.d/sshd

#Restarting SSHD:
/sbin/service sshd restart
`which ssh` -V
echo "Duplicate your ssh connection to the server and verify that the new SSHD started"

Cheers !
P.S: If something goes wrong you might end up locked out of your server [ make sure you have a way to get back into the server console via KVM or something ]

 

[sneader]

I made out a cPanel.net trouble ticket for this. The response that came back was that the currently used version has been security patched and I could show Security Metrics the version history file to prove it.

So I did....

Can you explain how to output the version history file, so I can try the same?

I have actually seen Security Metrics accept this type of response.

- Scott

 

[cPanelTristan]

You can check the changelog for the rpm using the following command:

rpm -q --changelog openssl

This will show the various patches for openssl. You can add a grep for CVE or CAN numbers to see any specific CVE reported.

Almost all PCI compliance companies will accept patched versions of openssl rather than require an upgrade so long as you indicate proof that the existing version is patched for the various CVE security issues.

 

[st1905]

Hello,

I have just upgraded my openssh to 5.6p1 (latest) on a server with cpanel and centos 4.8, first you need to compile and install openssl (I installed 0.9.8q, released on 2th of december 2010) then I re-compiled apache, php and curl with the new ssl version. Finally i have downloaded the openssh source and built an rpm package from it and installed it , works perfectly so far, i can create a bash script to do this so next time nobody will ever need to do the manual installation again.

This method will work on all centos based servers. No matter which version you have.

 

[Kent Brockman]

Hello,

I have just upgraded my openssh to 5.6p1 (latest) on a server with cpanel and centos 4.8, first you need to compile and install openssl (I installed 0.9.8q, released on 2th of december 2010) then I re-compiled apache, php and curl with the new ssl version. Finally i have downloaded the openssh source and built an rpm package from it and installed it , works perfectly so far, i can create a bash script to do this so next time nobody will ever need to do the manual installation again.

This method will work on all centos based servers. No matter which version you have.

Hello, this sounds great. Can you share the bash script? Is it different in any way to that posted by InterServed?