We run regular security scans against our resources using AppCheck and one of the issues it’s recently picked up is that we’re using an older version of openssh on our Ubuntu virtual machines which has potential vulnerabilities in it.

Although these vulnerabilities are unlikely to be exploitable in our specific setup, we wanted to try and resolve them anyway. Once you’ve connected to the machine via SSH you can check the current version with:

ssh -V

You then need to download, compile and install your desired version:

sudo apt update
sudo apt install build-essential zlib1g-dev libssl-dev
sudo mkdir /var/lib/sshd
sudo chmod -R 700 /var/lib/sshd/
sudo chown -R root:sys /var/lib/sshd/
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
tar -xzf openssh-9.7p1.tar.gz
cd openssh-9.7p1/
sudo apt install libpam0g-dev libselinux1-dev libkrb5-dev
./configure --with-kerberos5 --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
sudo make install

If you reboot the machine and then check the version again locally you will see that it has been updated. However, if you check it remotely using a tool such as sshcheck.com, it will appear that the version hasn’t been updated. This is because the sshd service is still running the old binary in /usr/sbin, while make install placed the newly built one in /usr/local/sbin. To put the new sshd binary in place of the one the service runs, you can run the below:

cd /usr/sbin
sudo mv sshd sshd.bak
sudo cp /usr/local/sbin/sshd sshd
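As an added check that is not part of the original post, the script below parses the identification banner a remote checker such as sshcheck.com sees and compares it with the version you just built, so you can confirm the service is really serving the new sshd. The two banners are constructed samples, the target version is the 9.7p1 built above, and the fetch_banner helper assumes bash's /dev/tcp is available.

```shell
#!/bin/bash
# Constructed sample banners: the stock Ubuntu package and the rebuilt sshd.
OLD_BANNER='SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6'
NEW_BANNER='SSH-2.0-OpenSSH_9.7p1'
TARGET_VERSION='9.7p1'

# Extract the OpenSSH version (e.g. 9.7p1) from an SSH identification string.
banner_version() {
  printf '%s\n' "$1" |
    sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9.]*p[0-9][0-9]*\).*$/\1/p'
}

# Turn "9.7p1" into a sortable integer: major*1000000 + minor*1000 + portable level.
version_key() {
  printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Exit 0 if the banner advertises at least TARGET, 1 if it is older or unparsable.
banner_is_current() {
  v=$(banner_version "$1")
  [ -n "$v" ] || return 1
  [ "$(version_key "$v")" -ge "$(version_key "$2")" ]
}

# Read the first line a remote checker would see on the SSH port.
# Assumption: bash /dev/tcp; the server sends its banner as soon as we connect.
fetch_banner() {
  host=$1; port=${2:-22}
  exec 3<>"/dev/tcp/$host/$port" || return 1
  IFS= read -r line <&3
  exec 3<&- 3>&-
  printf '%s\n' "$line" | tr -d '\r'
}

# Human-readable verdict for one banner.
report() {
  if banner_is_current "$1" "$TARGET_VERSION"; then
    printf 'ok: service advertises %s\n' "$(banner_version "$1")"
  else
    printf 'stale: service advertises "%s", expected >= %s\n' "$1" "$TARGET_VERSION"
  fi
}

# Example run against the constructed samples; swap in "$(fetch_banner host)" for a live host.
report "$OLD_BANNER"
report "$NEW_BANNER"
```

Run it after restarting the ssh service so that the new binary is the one listening; until then the old banner is still what remote scanners report.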
