What's it take to update to OpenSSH 5.1 or higher?

jols

We are running the latest RELEASE version of cPanel on:
WHM 11.26.20
REDHAT Enterprise 5.5 i686 standard

When I do this at shell:

yum install openssh*

I get this readout:

Package openssh-server-4.3p2-41.el5_5.1.i386 already installed and latest version
Package openssh-4.3p2-41.el5_5.1.i386 already installed and latest version
Package openssh-clients-4.3p2-41.el5_5.1.i386 already installed and latest version


So what does this mean? That only openssh 4.3 is compatible with Redhat OS at this time? Or what?

Thanks much.
 

JaredR.

Latest available from Red Hat

This means that you have the latest version of the package that is available from Red Hat's Red Hat Network yum channels. If you want a newer version, you will need to locate a compatible package from a different source.
 

sneader

One of our customers says their PCI Compliance scan is failing, due to OpenSSH. The message is:

OpenSSH 3.9p1 is vulnerable Severity. Solution: Upgrade to OpenSSH version 5.1 or higher
So, I am interested in the answer to this as well. Running CentOS 4.7. Doing some research now...

- Scott
 

jols

I made out a cPanel.net trouble ticket for this. The response that came back was that the currently used version has been security patched and I could show Security Metrics the version history file to prove it.

So I did, and the final response has yet to hit my desk, but somehow I don't think Security Metrics is going to accept anything but an upgrade.

So, we're stuck....

Then in this thread, cPanel.net says, "If you want a newer version, you will need to locate a compatible package from a different source..."

So..... "need to locate a compatible package..." Compatible with what? Elements of the cPanel system that may fail if I go outside the conventional parameters here? Hope not.
 

InterServed

Just wrote this bash script that should uninstall the ssh provided by centos/rhel yum repository and install OpenSSH 5.6p1 from source.


I take no responsibility for the following code as I haven't tested it yet:

Code:
#!/bin/bash
# Stop at the first failed step so a broken download or build never reaches the uninstall.
set -e

# Configuration:
temp_working_directory=/usr/local/src
openssh_source_link=http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz
install_prefix=/usr

# Saving old sshd init script:
cp -a /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd.save

## Building OpenSSH 5.6p1 from source (before anything is removed):

# Downloading OpenSSH 5.6p1
cd "$temp_working_directory"
wget -c "$openssh_source_link"
# Not verified here: the tarball arrives over plain HTTP, so check it against
# the signature published by the OpenSSH project before building.
# Untarring and configuring openssh
tar xfz openssh-5.6p1.tar.gz
# Removing openssh archive openssh-5.6p1.tar.gz
rm -f openssh-5.6p1.tar.gz
cd openssh-5.6p1
./configure --prefix="$install_prefix"
make

# Uninstall OS installed SSH only once the new build has succeeded
rpm -e openssh openssh-clients openssh-server
make install

# Restoring sshd init script
cp -a /etc/rc.d/init.d/sshd.save /etc/rc.d/init.d/sshd

# Restarting SSHD:
/sbin/service sshd restart
"$(which ssh)" -V
echo "Duplicate your ssh connection to the server and verify that the new SSHD started"
Cheers !
P.S: If something goes wrong you might end up locked out of your server [ make sure you have a way to get back into the server console via KVM or something ]
 

sneader

jols said:
> I made out a cPanel.net trouble ticket for this. The response that came back was that the currently used version has been security patched and I could show Security Metrics the version history file to prove it.
>
> So I did....

Can you explain how to output the version history file, so I can try the same?

I have actually seen Security Metrics accept this type of response.

- Scott
 

cPanelTristan

Quality Assurance Analyst
Staff member
You can check the changelog for the rpm using the following command:

Code:
rpm -q --changelog openssl
This will show the various patches for openssl. You can add a grep for CVE or CAN numbers to see any specific CVE reported.

Almost all PCI compliance companies will accept patched versions of openssl rather than require an upgrade so long as you indicate proof that the existing version is patched for the various CVE security issues.
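
The changelog check described above, turned into a repeatable audit (an added example, not part of the original post or cPanel's tooling). The function names and the sample changelog are constructed for illustration, the CVE/CAN numbers in it are placeholders, and `openssh-server` is the package name from the yum output earlier in the thread.

```bash
#!/bin/bash
# Added example: check scanner-reported CVE IDs against an RPM changelog.
# On a live host, feed it real data:
#   rpm -q --changelog openssh-server | audit_ids CVE-....-....

# Constructed sample in the layout `rpm -q --changelog` prints.
# The IDs are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Mon Jan 04 2010 Packager <packager@example.com> - 4.3p2-41
- backport fix for CVE-0000-1111 (placeholder id)

* Tue Mar 03 2009 Packager <packager@example.com> - 4.3p2-36
- fix for CAN-0000-2222, CVE-0000-33330 (placeholder ids)
EOF
}

# Print each unique CVE/CAN identifier found in changelog text on stdin.
changelog_ids() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: <changelog text> | audit_ids ID...
# Prints "ID patched" or "ID not-found"; exit status 1 if any ID is missing.
audit_ids() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        num=${id#*-}    # "0000-2222": older entries use CAN- for the same number
        # -w stops 0000-3333 from matching inside 0000-33330
        if printf '%s\n' "$changelog" | grep -qwE "(CVE|CAN)-$num"; then
            echo "$id patched"
        else
            echo "$id not-found"
            missing=1
        fi
    done
    return "$missing"
}

# Demo on the constructed sample; `|| true` because one ID is deliberately absent.
sample_changelog | audit_ids CVE-0000-1111 CVE-0000-2222 CVE-0000-3333 || true
```

The per-ID output can be attached to a scan dispute as the evidence of backported fixes; any ID reported as not-found still needs a fix or a separate justification.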
 

st1905

Hello,

I have just upgraded my OpenSSH to 5.6p1 (latest) on a server with cPanel and CentOS 4.8. First you need to compile and install OpenSSL (I installed 0.9.8q, released on 2nd of December 2010), then I re-compiled Apache, PHP and curl with the new SSL version. Finally I downloaded the OpenSSH source, built an rpm package from it and installed it. Works perfectly so far. I can create a bash script to do this so next time nobody will ever need to do the manual installation again.

This method will work on all CentOS-based servers, no matter which version you have.
 

Kent Brockman

st1905 said:
> Hello,
>
> I have just upgraded my OpenSSH to 5.6p1 (latest) on a server with cPanel and CentOS 4.8. First you need to compile and install OpenSSL (I installed 0.9.8q, released on 2nd of December 2010), then I re-compiled Apache, PHP and curl with the new SSL version. Finally I downloaded the OpenSSH source, built an rpm package from it and installed it. Works perfectly so far. I can create a bash script to do this so next time nobody will ever need to do the manual installation again.
>
> This method will work on all CentOS-based servers, no matter which version you have.

Hello, this sounds great. Can you share the bash script? Is it different in any way to that posted by InterServed?