Update Your OpenSSH: Enhanced Security and Performance
Introduction
OpenSSH 9.8 fixes two security issues, one of them an unauthenticated remote code execution bug in sshd (CVE-2024-6387, "regreSSHion"). This guide explains why the update matters and walks through building and installing 9.8p1 on Ubuntu.
Note: OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which helps in securing network communications via encryption.
Security Issues in Previous Versions
1. Race Condition in sshd (CVE-2024-6387, "regreSSHion")
Impact: Unauthenticated remote code execution with root privileges.
Affected Versions: Portable OpenSSH 8.5p1 to 9.7p1 (inclusive).
Details: Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR enabled. Under lab conditions the attack needs on average 6 to 8 hours of continuous connection attempts, up to the maximum number the server will accept. Exploitation on 64-bit systems is believed to be possible but had not been demonstrated at release time.
Explanation: If a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs code that is not async-signal-safe. An attacker who times the connection so that the handler fires at the right moment can corrupt memory and execute arbitrary code as root, all before authentication. The bug is a regression of a fix from 2006 (hence the name), which is why such a long run of releases is affected. If you cannot update immediately, setting LoginGraceTime 0 in sshd_config removes the vulnerable timeout path, at the cost of letting unauthenticated clients tie up connection slots (a denial-of-service risk).
2. Logic Error in ObscureKeystrokeTiming
Impact: A passive network observer can tell which packets carry real keystrokes.
Affected Versions: ssh client 9.5 to 9.7 (inclusive), when connected to a server running 9.5 or later.
Details: The ObscureKeystrokeTiming feature (on by default) hides typing rhythm by interleaving fake keystroke packets with real ones. A logic error made the client send both fake and real keystroke packets unconditionally, which rendered the countermeasure ineffective.
Explanation: Keystroke timing leaks information about what is being typed in an interactive session, including passwords entered at a prompt on the remote side. With the countermeasure defeated, anyone who can observe the encrypted traffic gets the same timing information as before the feature existed.
Potential Threats of the regreSSHion Vulnerability
The regreSSHion vulnerability (CVE-2024-6387) is the sshd race condition described in item 1 above. For an exposed server it means:
- Unauthenticated Remote Code Execution: an attacker who can reach the SSH port can run arbitrary code as root without valid credentials.
- Full System Compromise: root access lets the attacker read or alter any data, change configuration, install persistence, and pivot to other hosts.
- No User Interaction Needed: the attack is entirely network-driven; nothing has to be clicked, run, or approved on the target.
- Wide Impact: the vulnerable code path is reached with sshd's default configuration, so any Internet-exposed server on an affected version is a candidate target.
Explanation: regreSSHion combines the worst properties a server bug can have: remote, pre-authentication, and root. Its one mitigating factor is cost. The race is won only after many thousands of connections that each run into the LoginGraceTime timeout, so a burst of "Timeout before authentication" messages in the auth log is a strong signal that a host is being worked on, and a reason to patch immediately rather than to wait.
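As an added example (not from the original post), the shell script below applies the two affected ranges above to a version string, so a host can be checked before and after the upgrade. It accepts either a server banner or the output of ssh -V, and a role argument says which side is being checked, because the race is a server bug and the keystroke-timing bug is a client bug. The function names, the sample version strings (constructed, not captured from real hosts) and the remote_server_version helper are my additions; that helper is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two affected ranges
# listed above to an OpenSSH version string, whether a server banner
# ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3") or "ssh -V" output
# ("OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024").
#   sshd signal-handler race, CVE-2024-6387 : portable 8.5p1 .. 9.7p1 (server side)
#   ObscureKeystrokeTiming logic error      : 9.5 .. 9.7 (client side)
# Caveat: distributions backport fixes without changing the upstream version,
# so a hit here means "check the vendor patch level", not "confirmed vulnerable".

# Print "major.minor" from any string containing OpenSSH_X.Y; print nothing otherwise.
openssh_version() {
    printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# "9.7" -> 9007, so plain integer comparison orders versions correctly
# (string comparison would put 8.10 before 8.9).
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000 + $2 }'
}

# True when low <= version <= high (all three given as "major.minor").
version_in_range() {
    v=$(version_key "$1")
    lo=$(version_key "$2")
    hi=$(version_key "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# classify_version STRING ROLE, ROLE being "server" (sshd) or "client" (ssh).
# Prints the issue the version falls under, "none", or "not-openssh" (exit 1).
classify_version() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        printf 'not-openssh'
        return 1
    fi
    if [ "$2" = server ] && version_in_range "$ver" 8.5 9.7; then
        printf 'CVE-2024-6387'
    elif [ "$2" = client ] && version_in_range "$ver" 9.5 9.7; then
        printf 'ObscureKeystrokeTiming'
    else
        printf 'none'
    fi
}

# Fetch a remote server's version string without credentials: ssh -v logs
# "remote software version ..." before authentication, and BatchMode keeps the
# (expected) login failure non-interactive. Needs network; not exercised below.
remote_server_version() {
    ssh -v -o BatchMode=yes -o ConnectTimeout=5 -p "${2:-22}" "$1" true 2>&1 |
        sed -n 's/.*remote software version //p'
}

# Constructed sample strings (not captured from real hosts) to show the output.
demo() {
    for s in "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3" \
             "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" \
             "SSH-2.0-OpenSSH_9.8p1" \
             "SSH-2.0-dropbear_2022.83"; do
        printf '%-42s server: %s\n' "$s" "$(classify_version "$s" server)"
    done
    c="OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024"
    printf '%-42s client: %s\n' "$c" "$(classify_version "$c" client)"
}

demo
```

Run it as-is to see the classification of the sample strings; for a live host use classify_version "$(remote_server_version host.example)" server. Remember the caveat in the header: a Ubuntu server that announces 9.6p1 but carries the distribution's fix is flagged as CVE-2024-6387 by this check, so confirm against the package changelog before raising an alarm.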
How to Upgrade to OpenSSH 9.8 on Ubuntu
Follow these steps to upgrade OpenSSH on Ubuntu by building 9.8p1 from source. The process stops the packaged service, removes the packaged binaries, and installs the new build under /usr/local. Two points before you start:
- Ubuntu also ships fixed builds of its own openssh packages through the normal apt channel (the upstream version in the banner stays the same; the Ubuntu revision changes). For most systems that is the lower-risk route; build from source only if you specifically need 9.8.
- Do this from a console or a session you can afford to lose. The steps stop sshd and remove the packaged ssh binaries, so keep a second way in until the new server has been tested.
1. Stop and Remove Existing OpenSSH Service
sudo systemctl stop sshd
sudo apt-get remove openssh-server openssh-client
Stop the running service and remove the packaged server and client. On Ubuntu the unit is ssh.service with sshd.service as an alias, so either name works. Existing SSH sessions normally survive the stop (the packaged unit uses KillMode=process), but no new logins are possible until the new server is running. Use remove rather than purge so that /etc/ssh (host keys and sshd_config) is kept for the new build to reuse.
2. Install OpenSSH 9.8
The Tokyo mirror is used as an example; every mirror of the OpenBSD/OpenSSH/portable tree carries the same files, so pick one close to you. The tarball is openssh-9.8p1.tar.gz and it unpacks into openssh-9.8p1 (the "p" marks the portable release). Verify the detached PGP signature (.asc) against the release signing key given in the 9.8 announcement before building anything.
sudo apt-get install build-essential zlib1g-dev libssl-dev libpam0g-dev
wget https://repo.jing.rocks/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
wget https://repo.jing.rocks/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz.asc
gpg --verify openssh-9.8p1.tar.gz.asc openssh-9.8p1.tar.gz
tar zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1
./configure --sysconfdir=/etc/ssh --with-pam
make
sudo make install
Install the build dependencies first: without zlib1g-dev and libssl-dev, ./configure aborts and no Makefile is written, which is what the "No targets specified and no makefile found" error means. Then download, verify, unpack, configure, compile, and install. The configure flags matter. --sysconfdir=/etc/ssh makes the new sshd read the existing /etc/ssh/sshd_config and host keys instead of the default /usr/local/etc, and --with-pam keeps PAM support, which Ubuntu's sshd_config expects (UsePAM yes). make install puts the binaries under /usr/local (sshd in /usr/local/sbin, ssh in /usr/local/bin, sftp-server in /usr/local/libexec) and does not overwrite an existing sshd_config. One thing it cannot fix for you: Ubuntu's sshd_config points the sftp subsystem at /usr/lib/openssh/sftp-server, which was removed with the package. Change that line to "Subsystem sftp internal-sftp" (or to /usr/local/libexec/sftp-server) or SFTP logins will fail.
3. Set Up and Start the New SSH Service
sudo nano /etc/systemd/system/sshd.service
Add the following content:
[Unit]
Description=OpenSSH server daemon
After=network.target
[Service]
ExecStartPre=/usr/local/sbin/sshd -t
ExecStart=/usr/local/sbin/sshd -D
ExecReload=/usr/local/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Create a new systemd unit for the source-built server; the packaged ssh.service was removed together with openssh-server. The unit defines how the service starts, stops, and restarts. ExecStartPre runs sshd -t, which parses the configuration and exits non-zero on any error, so a broken sshd_config is reported once instead of producing a restart loop ("Start request repeated too quickly"); the same check before ExecReload keeps a broken config from being loaded into a running server. KillMode=process makes a restart of the unit leave existing user sessions alive, and -D keeps sshd in the foreground so systemd can supervise it.
sudo systemctl daemon-reload
sudo systemctl start sshd
sudo systemctl enable sshd
Reload systemd so it picks up the new unit, start the server, and enable it so it starts at boot. If the start fails, run "sudo /usr/local/sbin/sshd -t" by hand and "journalctl -u sshd" to see the reason. "Cannot bind any address" means something else still holds port 22 (find it with "sudo ss -ltnp | grep ':22 '"), not that the build is broken.
Verify Installation
hash -r
ssh -V
ssh -v -o BatchMode=yes localhost true 2>&1 | grep 'remote software version'
sudo systemctl status sshd
hash -r makes bash forget the cached path of the removed /usr/bin/ssh; without it the shell keeps reporting "/usr/bin/ssh: No such file or directory" even though the new client is installed at /usr/local/bin/ssh. ssh -V should print OpenSSH_9.8p1. The second ssh command connects to the local server and prints the version string it announces ("remote software version OpenSSH_9.8p1"), which confirms that the daemon actually running is the new binary and not a leftover old process; BatchMode stops it from prompting, and the login itself is expected to fail. Finally check that the unit is active, and open a fresh SSH session from another terminal before closing the one you are working in.
Conclusion
Updating to OpenSSH 9.8 closes a pre-authentication root compromise in sshd and restores the keystroke-timing protection in the client. Whether you get there through Ubuntu's patched packages or by building from source as shown here, confirm the result the same way: check the client version, check the banner of the running server, and log in once more before you trust it. Then keep it that way: follow the OpenSSH release announcements and your distribution's security notices, and treat a version in an affected range as unpatched until the vendor changelog says otherwise.
Comments

In step 2, when I enter "make" it says "No targets specified and no makefile found. Stop." Same thing with "sudo make install", which replies "No rule to make target install. Stop." What should I do? Thanks.
Run these commands:
sudo apt-get install zlib1g-dev
sudo apt-get install libssl-dev
Then run ./configure again.
I followed this tutorial but no luck.
root@MyMachine:/home/dakroot/openssh-9.8p1# systemctl status sshd
× sshd.service - OpenSSH server daemon
Loaded: loaded (/etc/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2024-07-11 00:01:19 WIB; 6s ago
Process: 3151640 ExecStart=/usr/local/sbin/sshd -D (code=exited, status=255/EXCEPTION)
Main PID: 3151640 (code=exited, status=255/EXCEPTION)
CPU: 16ms
Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
Jul 11 00:01:19 MyMachine sshd[3151640]: fatal: Cannot bind any address.
Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Failed with result 'exit-code'.
Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Scheduled restart job, restart counter is at 5.
Jul 11 00:01:19 MyMachine systemd[1]: Stopped OpenSSH server daemon.
Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Start request repeated too quickly.
Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Failed with result 'exit-code'.
Jul 11 00:01:19 MyMachine systemd[1]: Failed to start OpenSSH server daemon.
Can you help me?
"fatal: Cannot bind any address." This message means that the OpenSSH server could not connect to the necessary port (by default, port 22) when trying to start. Maybe:
1. Port Conflict
2. Configuration Error
3. System Policy or Firewall Rules (blocking port 22)
1. Port Conflict
sudo netstat -tulpn | grep :22
Use this command to see if any process is currently using port 22
If port 22 is already in use, you might see an output like this:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
If another service is using port 22, you will need to either stop that service or configure SSH to use a different port.
or
ps aux | grep sshd
This command lists all running SSH processes. If any are listed, stop them with these commands:
sudo systemctl stop sshd
sudo killall sshd
2. Configuration Error
Open the /etc/ssh/sshd_config file and check the settings for the correct port and network interfaces. Pay special attention to the Port and ListenAddress settings.
3. System Policy or Firewall Rules (blocking port 22)
Review your firewall settings to ensure that port 22 is open. To check firewall settings, use
sudo ufw status
or
sudo iptables -L
After making the necessary changes, reload the systemd daemon and restart the SSH service.
sudo systemctl daemon-reload
sudo systemctl start sshd
sudo systemctl enable sshd
sudo systemctl status sshd
At the end, trying ssh -V I get "-bash: /usr/bin/ssh: No such file or directory".
Entering systemctl status sshd does show active (running).
Any ideas?
The error message "-bash: /usr/bin/ssh: No such file or directory" indicates that the OpenSSH client is either not installed or not properly configured on your system.
Although you may have successfully installed the OpenSSH server, the client (which includes the ssh command) is a separate package and may not have been installed.
Thanks man. You saved my day. Although I couldn't make it launch automatically. Also it somehow killed root and fly fm. ¯\_(ツ)_/¯