I love being in the IT industry. You never get bored and you learn new stuff every day. Recently there was a rumor about a possible vulnerability in OpenSSH. I was really interested, so I did a little research. It turned out to be just a rumor, but if you want to be really sure that your machine is safe, I recommend upgrading the OpenSSH package.
How to fix it?
On your Linux box (I used Ubuntu in this example), type ssh -V to learn the version you have. The latest stable version is 5.2, which has been publicly available since February 09. If your distro doesn't provide this version, you need to download the source code and compile it on your own.
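As an added example (not part of the original post), here is a small shell check that parses the banner printed by ssh -V and compares it against a minimum release. The 5.2 threshold comes from the text above; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag OpenSSH clients older than a minimum release.
# Function names and sample banners are constructed for illustration.

# Print MAJOR.MINOR from a banner such as "OpenSSH_5.2p1, OpenSSL ...";
# prints nothing if the text is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit status: 0 if $1 >= $2, 1 if $1 is older, 2 if $1 is not MAJOR.MINOR.
version_at_least() {
    case "$1" in
        *[!0-9.]*|*.*.*|.*|*.) return 2 ;;
        *.*) ;;
        *) return 2 ;;
    esac
    if [ "${1%%.*}" -gt "${2%%.*}" ]; then return 0; fi
    if [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -ge "${2#*.}" ]; then
        return 0
    fi
    return 1
}

# Print "OK <ver>", "OUTDATED <ver>" or "UNKNOWN" for banner $1 and minimum $2.
check_banner() {
    v=$(openssh_version "$1")
    rc=0
    version_at_least "$v" "$2" || rc=$?
    case $rc in
        0) echo "OK $v" ;;
        1) echo "OUTDATED $v" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Constructed samples: a distro build, the release named above, a non-banner.
for banner in \
    'OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007' \
    'OpenSSH_5.2p1, OpenSSL 0.9.8g 19 Oct 2007' \
    'ssh: command not found'
do
    check_banner "$banner" 5.2
done

# Check the local client too; ssh -V writes its banner to stderr.
if command -v ssh >/dev/null 2>&1; then
    check_banner "$(ssh -V 2>&1)" 5.2
fi
```

Distro packages often backport fixes without changing the upstream version number, so an OUTDATED result on a packaged build is a prompt to check the distro's changelog rather than proof of exposure.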
Let's get our hands dirty and install it from source.
First, let's remove OpenSSH from our Linux box.
$apt-get remove openssh-client openssh-server
I didn't use the --purge option to remove my config files, since I want to keep them. (But since I installed OpenSSH with the default options (ah!), I then needed to figure out where the new config files are, where the new sshd executable is, etc., and do some tricks. Alternatively, you can back up your config files, use the --purge option to remove them completely, and then paste your files into their new location, which is /usr/local/bin, /usr/local/sbin.)
First go to their website and use wget to download the source (I chose the server closest to me):
Now let's install zlib and OpenSSL, which are prerequisites. (You probably already have OpenSSL, so you can skip this step.)
I installed zlib from its source.
$tar xvfz zlib-1.2.3.tar.gz
And I used apt-get for OpenSSL:
$apt-get install openssl
Now we can extract our OpenSSH package.
$tar xvfz openssh-5.2p1.tar.gz
Then go inside the openssh-5.2p1 directory and run
Ahh, you should get an error. Why?
You can check the log file config.log in the directory. I found that we also need to install libcurl4-openssl-dev.
After you install that package, run
$make install
$ssh -V
Remember that this will install OpenSSH with the default options.
Now type $ssh -V. You should see OpenSSH 5.2p1 if you installed it correctly. Since I installed OpenSSH with the default options, I needed to make some changes to get the SSH server running. First, I saw that my sshd executable is in /usr/local/sbin; however, the /etc/init.d/ssh script looks for it in the /sbin directory, so I copied sshd into that directory. Then I saw that sshd checks the /usr/local/etc/sshd_config file, not the /etc/ssh/sshd_config file, so I needed to copy my previous sshd_config to /usr/local/etc/sshd_config.
Finally it works! Even though my new config files are in /usr/local/etc, I am happy with that.
I hope this helps those who are concerned about their SSH server security.