The Community Forums


What's it take to update to OpenSSH 5.1 or higher?

Discussion in 'General Discussion' started by jols, Oct 28, 2010.

  1. jols

    jols Well-Known Member

    We are running the latest RELEASE version of cPanel on:
    WHM 11.26.20
    REDHAT Enterprise 5.5 i686 standard

    When I do this at shell:

    yum install openssh*

    I get this readout:

    Package openssh-server-4.3p2-41.el5_5.1.i386 already installed and latest version
    Package openssh-4.3p2-41.el5_5.1.i386 already installed and latest version
    Package openssh-clients-4.3p2-41.el5_5.1.i386 already installed and latest version


    So what does this mean? That only openssh 4.3 is compatible with Redhat OS at this time? Or what?

    Thanks much.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Latest available from Red Hat

    This means that you have the latest version of the package that is available from Red Hat's Red Hat Network yum channels. If you want a newer version, you will need to locate a compatible package from a different source.
     
  3. sneader

    sneader Well-Known Member

    One of our customers says their PCI Compliance scan is failing, due to OpenSSH. The message is:

    So, I am interested in the answer to this as well. Running CentOS 4.7. Doing some research now...

    - Scott
     
  4. jols

    jols Well-Known Member

    I made out a cPanel.net trouble ticket for this. The response that came back was that the currently used version has been security patched and I could show Security Metrics the version history file to prove it.

    So I did, and the final response has yet to hit my desk, but somehow I don't think Security Metrics is going to accept anything but an upgrade.

    So, we're stuck....

    Then in this thread, cPanel.net says, "If you want a newer version, you will need to locate a compatible package from a different source..."

    So..... "need to locate a compatible package..." Compatible with what? Elements of the cPanel system that may fail if I go outside the conventional parameters here? Hope not.
     
  5. InterServed

    InterServed Well-Known Member

    Just wrote this bash script that should uninstall the ssh provided by centos/rhel yum repository and install OpenSSH 5.6p1 from source.


    I take no responsibility for the following code as I haven't tested it yet:

    Code:
    #!/bin/bash
    # Abort on the first failed step so a failed download or build never removes the working sshd.
    set -e

    #Configuration:
    temp_working_directory=/usr/local/src
    # Note: plain-HTTP mirror; this script does not verify the tarball against a published checksum or signature.
    openssh_source_link=http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz
    install_prefix=/usr

    #Saving old sshd init script:
    cp -a /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd.save

    ##Building OpenSSH 5.6p1 from source:

    #Downloading OpenSSH5.6p1
    cd "$temp_working_directory"
    wget -c "$openssh_source_link"
    ##Untaring and configure openssh
    tar xfz openssh-5.6p1.tar.gz
    #Removing openssh archive openssh-5.6p1.tar.gz
    rm -f openssh-5.6p1.tar.gz
    cd openssh-5.6p1
    ./configure --prefix="$install_prefix"
    make

    #Uninstall OS installed SSH (only after the build has succeeded)
    rpm -e openssh openssh-clients openssh-server
    make install
    #Restoring sshd init script
    cp -a /etc/rc.d/init.d/sshd.save /etc/rc.d/init.d/sshd

    #Restarting SSHD:
    /sbin/service sshd restart
    "$(which ssh)" -V
    echo "Duplicate your ssh connection to the server and verify that the new SSHD started"
    Cheers !
    P.S: If something goes wrong you might end up locked out of your server [ make sure you have a way to get back into the server console via KVM or something ]
     
    #5 InterServed, Nov 2, 2010
    Last edited: Nov 2, 2010
  6. sneader

    sneader Well-Known Member

    Can you explain how to output the version history file, so I can try the same?

    I have actually seen Security Metrics accept this type of response.

    - Scott
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You can check the changelog for the rpm using the following command:

    Code:
    rpm -q --changelog openssl
    This will show the various patches for openssl. You can add a grep for CVE or CAN numbers to see any specific CVE reported.

    Almost all PCI compliance companies will accept patched versions of openssl rather than require an upgrade so long as you indicate proof that the existing version is patched for the various CVE security issues.
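
The changelog check described in the post above, as an added example that is not part of the original thread: it extracts CVE/CAN identifiers from `rpm -q --changelog` output and reports which of the IDs named in a scan report have a backport entry. The function names, the sample changelog and the `1900-` identifiers are constructed placeholders, not real advisories.

```shell
#!/bin/bash
# Added example (not from the thread): compare the CVE/CAN identifiers in an
# RPM changelog with the IDs a compliance scan report lists.

# Print the unique CVE-/CAN- identifiers found on stdin, one per line, sorted.
changelog_ids() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: check_backports "<changelog text>" ID [ID...]
# Prints "patched <ID>" or "MISSING <ID>" for each requested ID.
# CAN- and CVE- prefixes name the same entry, so IDs are compared by number.
# Returns 0 only if every requested ID appears in the changelog.
check_backports() {
    local changelog=$1 id num found rc=0
    shift
    found=$(printf '%s\n' "$changelog" | changelog_ids | sed -E 's/^(CVE|CAN)-//')
    for id in "$@"; do
        num=${id#CVE-}; num=${num#CAN-}
        if printf '%s\n' "$found" | grep -qxF -- "$num"; then
            echo "patched $id"
        else
            echo "MISSING $id"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout `rpm -q --changelog` prints; the entries
# and identifiers are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Packager <pkg@example.com> - 4.3p2-41
- fix off-by-one in banner handling (CVE-1900-0001)

* Tue Mar 03 2009 Example Packager <pkg@example.com> - 4.3p2-30
- backport upstream fix for CAN-1900-0002 (#123456)
- documentation update'

# On a live host, pass the real changelog of the flagged package instead:
#   check_backports "$(rpm -q --changelog openssh-server)" <ID> [<ID>...]
check_backports "$SAMPLE_CHANGELOG" CVE-1900-0001 CVE-1900-0002 CVE-1900-0003 || true
```

Any ID reported as MISSING has no changelog entry to show the scanning vendor and needs separate follow-up.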
     
  8. st1905

    st1905 Registered

    Hello,

    I have just upgraded my openssh to 5.6p1 (latest) on a server with cPanel and CentOS 4.8. First you need to compile and install openssl (I installed 0.9.8q, released on the 2nd of December 2010), then I re-compiled apache, php and curl with the new ssl version. Finally I downloaded the openssh source, built an rpm package from it and installed it. It works perfectly so far. I can create a bash script to do this so next time nobody will ever need to do the manual installation again.

    This method will work on all centos based servers. No matter which version you have.
     
    #8 st1905, Dec 5, 2010
    Last edited: Dec 5, 2010
  9. Kent Brockman

    Kent Brockman Well-Known Member

    Hello, this sounds great. Can you share the bash script? Is it different in any way to that posted by InterServed?
     