upgrade openSSH 7.2p in ubuntu 14.04
I have a server running Ubuntu 14.04, but I have an issue with PCI requirements. I had installed OpenSSH 6.6p1 on my server, then I upgraded it to OpenSSH 7.2p by compiling the code with make and make install directly from the OpenSSH repositories, but it seems something is broken because I keep getting the old version when I check dpkg -l openssh*:

ii openssh-client 1:6.6p1-2ubunt amd64 secure shell (SSH) client, 
ii openssh-server 1:6.6p1-2ubunt amd64 secure shell (SSH) server,
ii openssh-sftp-serve 1:6.6p1-2ubunt amd64 secure shell (SSH) sftp server 

And the PCI scanner keeps reporting the same issue, that I have to install the latest version of OpenSSH.

This is the CVE ID of the issue: CVE-2016-3115

Laine answered 6/4, 2016 at 14:21 Comment(2)
The reason dpkg still shows the older version is that it doesn't know about the one you compiled from source. – Gullett
I upgraded my version of Ubuntu to the latest LTS version in order to solve this issue. – Howse
I needed to install the newest OpenSSH as well but I wanted to install it via a package instead of compiling from source.

sudo apt-add-repository 'deb http://archive.ubuntu.com/ubuntu yakkety main universe multiverse'
sudo apt-get update
sudo apt-get install openssh-server=1:7.3p1-1

It worked for me. (Technically only main and universe were necessary here)

$ ssh -V
OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g  1 Mar 2016

Edit (2017-10-04): This answer has been receiving some attention lately and might be out of date now. Remember only main and universe were necessary from this, and I specifically wanted to install this as a package instead of compiling from source. Please be careful with typing random commands from the internet, no matter how well-meaning the stranger (in this case me) is!

Atrioventricular answered 9/1, 2017 at 19:23 Comment(8)
This should be marked as the answer. It worked for me on 14.04. – Punchy
Also worked for me, except I needed a more recent version in zesty; same steps, just change yakkety to zesty, and the ssh version to 1:7.4p1-10. – Apomixis
This will also cause apt to want to upgrade a lot of other packages, too, no? Perhaps the repository should be disabled once you have your new ssh version. But then, how to get security updates? – Gullett
Word of caution: adding this new apt repository caused apt to want to install and remove a whole bunch of packages, which ended up bricking my Ubuntu installation to the point of uselessness (no wifi access, no window manager, couldn't mount external drives, etc). – Hoekstra
Bricked mine too. Lesson learnt: don't blindly do what Stack Overflow tells you to do. – Gothar
Just do a sudo apt-add-repository --remove 'deb archive.ubuntu.com/ubuntu zesty main universe multiverse' after installing ssh and it should be safe. – Blather
This works for me on 14.04: gist.github.com/techgaun/df66d37379df37838482c4c3470bc48e – Knitter
That solution didn't work for me on 14.04. It added this line "deb archive.ubuntu.com/ubuntu yakkety main universe multiverse" to /etc/apt/sources.list, which breaks apt-get update. I removed it manually and now I can do 'apt-get update', but still no ssh upgrade was done. – Knitter
Tested on Ubuntu 16.04

Upgrades ssh-client to the latest version. Updates a lot of other stuff!

sudo apt-add-repository 'deb http://old-releases.ubuntu.com/ubuntu yakkety main universe multiverse'
sudo apt-get update
sudo apt-get install openssh-server=1:7.4p1-10

Remove the repository that was added so extra updates don't happen later:

sudo apt-add-repository --remove 'deb http://old-releases.ubuntu.com/ubuntu yakkety main'
sudo apt-get update

Note: for 17.04 change yakkety to zesty (untested)

Gagger answered 20/6, 2018 at 23:48 Comment(4)
Worked perfectly, even inside Windows Subsystem for Linux running Ubuntu. This should be the accepted answer. You forgot a single quote after main in the remove step. – Unmindful
Getting Version '1:7.4p1-10' for 'openssh-server' was not found – Brenn
Tried again and it worked for me. Are you sure you added the old-releases repo and ran apt-get update? – Gagger
This should not be the accepted answer as it completely ignores the original question, which is to install a new openssh on Ubuntu 14.04. I won't downvote it, but it won't get my upvote either. – Escurial
There are two answers already mentioning the recompile. The way they suggest it may not sound like a safe option if you are already connected over ssh. Also, they fail to say what to do about the OpenSSL 1.0.2 vs 1.1.0 issue, as by default ./configure on Ubuntu 14.04 LTS finds the 1.1.0 version of OpenSSL. To patch the OpenSSH 7.7 sources to work with OpenSSL 1.1.0, here is a patch:

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar -zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssh-7.7p1-openssl-1.1.0-1.patch
patch -Np1 -i ./openssh-7.7p1-openssl-1.1.0-1.patch

And here comes the trick: you can have TWO SSHDs, so you will not lose the current connection. We will install this other sshd to /opt and its config will be in /opt/etc.

./configure --prefix=/opt
make ## in the end make will write where it will install, double check everything will go to /opt
make install
nano /opt/etc/sshd_config   ## with --prefix=/opt, configure puts sshd_config in /opt/etc

Here edit the port: move it away from 22 to, for example, 1888 (make sure the port is forwarded/opened/etc.).

And now you can start the new sshd:

/opt/sbin/sshd

Make sure that on restart something (for example systemd) will start this other sshd too.

The 2 sshds are now running simultaneously. You can try to connect with the newly built one. When done, you can safely remove the outdated, security-update-lacking openssh 6.6 from apt, or at least stop the daemon and remove it from startup.

And you are one step closer to a secure system.

Leiker answered 13/6, 2018 at 9:57 Comment(1)
Updated address of the patch: linuxfromscratch.org/patches/downloads/openssh/… – Lepine
You don't need to if you are using Ubuntu LTS. It seems like the Ubuntu Security Team pushes the patches to you! A detailed answer:

Tools like Qualys and nmap are not smart enough to figure this out. You can visit the Ubuntu package changelog page (in my case the package was openssh-server 6.6) to see if the patch has been provided.

At most, to be safe, just do sudo apt-get install --only-upgrade openssh-server to get the patches.

Overflight answered 17/8, 2018 at 6:44 Comment(0)
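A check in the spirit of this answer, added here and not part of Overflight's post: it reads the fix out of the installed package's Debian changelog rather than trusting the banner version, so a backported fix shows up even when the upstream version number does not move. The sample changelog and its version numbers are constructed for the offline demo; installed_fixes only does real work on an Ubuntu host.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. A scanner that reads
# "OpenSSH_6.6.1p1" from the banner cannot see Ubuntu's backported fixes; the
# Debian changelog shows them. cve_fix_version parses headers of the form
# "openssh (1:6.6p1-2ubuntu2.9) trusty-security; urgency=medium" and prints
# the newest version whose entry mentions the given CVE.

# usage: cve_fix_version CVE-ID < changelog-text ; exit 1 if the CVE is absent
cve_fix_version() {
    awk -v cve="$1" '
        /^[a-z0-9.+-]+ \([^)]+\) [^;]+; urgency=/ {     # entry header line
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
        }
        # whole ID only, so that CVE-2016-311 does not hit CVE-2016-3115
        ver != "" && $0 ~ (cve "([^0-9]|$)") { print ver; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# usage: installed_fixes CVE-ID [package] ; run on the host being checked.
# dpkg-query, zcat and dpkg --compare-versions are standard on Ubuntu.
installed_fixes() {
    pkg="${2:-openssh-server}"
    installed=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || return 2
    fixed=$(zcat "/usr/share/doc/$pkg/changelog.Debian.gz" |
            cve_fix_version "$1") || { echo "$pkg: $1 not in changelog"; return 1; }
    echo "$pkg $installed installed; changelog lists $1 under $fixed"
    dpkg --compare-versions "$installed" ge "$fixed"   # 0 only if >= fixed
}

# Constructed sample changelog (illustrative versions, not real Ubuntu
# history); newest entry first, as in every Debian changelog.
SAMPLE_CHANGELOG='openssh (1:6.6p1-2ubuntu2.9) trusty-security; urgency=medium

  * SECURITY UPDATE: placeholder for a later fix
    - CVE-2016-XXXX

 -- Example Maintainer <maint@example.com>  Mon, 01 Aug 2016 10:00:00 +0000

openssh (1:6.6p1-2ubuntu2.8) trusty-security; urgency=medium

  * SECURITY UPDATE: xauth command injection
    - CVE-2016-3115

 -- Example Maintainer <maint@example.com>  Mon, 09 May 2016 10:00:00 +0000
'
demo() { printf '%s' "$SAMPLE_CHANGELOG" | cve_fix_version "$1"; }  # offline run
if [ -n "${1:-}" ]; then installed_fixes "$1"; fi   # e.g. ./check.sh CVE-2016-3115
```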
This is an edit from @dszakal's comment since I did not have exactly the same things to do (Ubuntu 16 here).

cd
wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar -zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssh-7.7p1-openssl-1.1.0-1.patch
patch -Np1 -i ./openssh-7.7p1-openssl-1.1.0-1.patch
./configure --prefix=/opt
make
sudo make install
sudo cp ~/openssh-7.7p1/sshd_config /opt/etc/
sudo cp ~/openssh-7.7p1/ssh_config /opt/etc/

sudo nano /opt/etc/sshd_config

# Uncomment the lines I wrote below
---------------------------------------------
# You can change the port here (sshd rejects a trailing comment on the Port line)
Port 33333
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

PasswordAuthentication yes
PermitEmptyPasswords no
---------------------------------------------

# Then launch the service
sudo /opt/sbin/sshd

Then try to log in with your usual credentials, it should work.

Nmap report:

PORT      STATE SERVICE VERSION
33333/tcp open  ssh     OpenSSH 7.7 (protocol 2.0) 

Now we will move the new SSH to port 22. I logged in on port 33333 to disable the old SSH service and changed 33333 to 22 in /opt/etc/sshd_config:

sudo service ssh stop
sudo nano /opt/etc/sshd_config
Port 22

# Then re-launch the service
sudo /opt/sbin/sshd

Then try to log in with your usual credentials, it should work.

Nmap report:

PORT      STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7 (protocol 2.0) 

Works like a charm big thanks to @dszakal !!

Blink answered 14/6, 2018 at 8:59 Comment(0)
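Two things both source-build answers (Leiker's and this one) leave to the reader are checking the new /opt sshd before starting it and keeping it alive across reboots. The script below is an added example, not code from either answer; it assumes their layout (/opt/sbin/sshd, /opt/etc/sshd_config, the stock daemon on /etc/ssh/sshd_config) and an Ubuntu 14.04 host, where Upstart rather than systemd starts services.

```shell
#!/bin/sh
# Added example, not code from either answer above: pre-flight checks before
# starting a second, self-built sshd from /opt beside the distro one, plus an
# Upstart job so it survives a reboot (Ubuntu 14.04 boots with Upstart, not
# systemd). Assumed paths follow the answers: /opt/sbin/sshd, /opt/etc/sshd_config.

config_ports() {   # print every Port directive in an sshd_config, 22 if none
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

ports_conflict() { # exit 0 if the two config files have a port in common
    for a in $(config_ports "$1"); do
        for b in $(config_ports "$2"); do [ "$a" = "$b" ] && return 0; done
    done
    return 1
}

# preflight NEW_SSHD NEW_CONFIG OLD_CONFIG: refuse to start a daemon whose
# config does not parse, that would race the running sshd for a port, or
# that points at host keys the process cannot read (run as root).
preflight() {
    "$1" -t -f "$2" || { echo "$2 does not parse"; return 1; }
    if ports_conflict "$2" "$3"; then echo "port clash with $3"; return 1; fi
    awk 'tolower($1) == "hostkey" { print $2 }' "$2" | while read -r key; do
        [ -r "$key" ] || { echo "unreadable host key: $key"; exit 1; }
    done || return 1
    echo "ok: $2 listens on $(config_ports "$2" | tr '\n' ' ')"
}

# Upstart job: runs /opt/sbin/sshd in the foreground (-D) under the /opt
# config and respawns it if it dies; the same idea as Ubuntu's own ssh.conf.
install_upstart_job() {
    cat > /etc/init/sshd-opt.conf <<'EOF'
description "OpenSSH server built from source under /opt"
start on filesystem or runlevel [2345]
stop on runlevel [!2345]
respawn
respawn limit 10 5
umask 022
exec /opt/sbin/sshd -D -f /opt/etc/sshd_config
EOF
    initctl reload-configuration && initctl start sshd-opt
}

if [ "${1:-}" = "run" ]; then   # ./second-sshd.sh run   (as root on the host)
    preflight /opt/sbin/sshd /opt/etc/sshd_config /etc/ssh/sshd_config &&
        install_upstart_job
fi
```

On 16.04, as in this answer, the same exec line belongs in a systemd service unit instead of /etc/init/sshd-opt.conf.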
Updated to latest using:

wget http://mirror.exonetric.net/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
tar -zxvf openssh-7.5p1.tar.gz
cd openssh-7.5p1
./configure
make
sudo make install
Sequence answered 1/6, 2017 at 16:17 Comment(0)
