How to Update OpenSSH to 9.8p1

Update Your OpenSSH: Enhanced Security and Performance

Update Your OpenSSH: Enhanced Security and Performance

Introduction

Updating OpenSSH to version 9.8 is crucial due to significant security improvements. This guide explains why the update is necessary and provides steps to install it on Ubuntu.

Note: OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which helps in securing network communications via encryption.

Security Issues in Previous Versions

1. Race Condition in sshd

Impact: Arbitrary code execution with root privileges.
Affected Versions: 8.5p1 to 9.7p1.
Details: Exploitable on 32-bit Linux/glibc systems with ASLR enabled. Attacks require continuous connections over 6-8 hours.

Explanation: A race condition in the sshd component can allow attackers to execute arbitrary code with the highest system privileges (root). This vulnerability is significant because it affects many versions and requires prolonged connections to exploit.

2. Logic Error in ObscureKeystrokeTiming

Impact: Passive observers can detect real keystrokes.
Affected Versions: 9.5 to 9.7.
Details: Logic error sends both fake and real keystrokes, nullifying timing attack mitigations.

Explanation: A flaw in the keystroke timing obscuring feature could allow attackers to discern actual keystrokes by observing network traffic, potentially exposing sensitive information.

Potential Threats of the regreSSHion Vulnerability

The regreSSHion vulnerability (CVE-2024-6387) in OpenSSH’s server (sshd) can lead to the following potential threats:

  1. Unauthenticated Remote Code Execution: Attackers can execute arbitrary code remotely without authentication, gaining full root access to the system.
  2. Full System Compromise: With root access, attackers can control the entire system, steal data, alter configurations, and install malicious software.
  3. No User Interaction Needed: The exploit does not require any action from the user, making it easier for attackers to exploit.
  4. Wide Impact: Affects default configurations, making many systems vulnerable.

Explanation: The regreSSHion vulnerability is particularly dangerous as it allows attackers to remotely take control of a system without any interaction from the user, compromising the system completely.

How to Upgrade to OpenSSH 9.8 on Ubuntu

Follow these steps to upgrade your OpenSSH to the latest version on Ubuntu. This process involves stopping the existing service, removing it, and installing the new version.

1. Stop and Remove Existing OpenSSH Service


sudo systemctl stop sshd
sudo apt-get remove openssh-server openssh-client

    

First, you need to stop the current OpenSSH service and remove the existing OpenSSH packages. This ensures that the new installation starts from a clean state.

2. Install OpenSSH 9.8

The Tokyo Repo link is used as an example. Please download from a repository closer to your location for better performance.


wget https://repo.jing.rocks/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar zxvf openssh-9.8.tar.gz
cd openssh-9.8
./configure
make
sudo make install

    

Download the latest OpenSSH package from a repository, extract it, configure the build environment, compile the source code, and install it. This will replace the old version with the new one.

3. Set Up and Start the New SSH Service


sudo nano /etc/systemd/system/sshd.service

    

Add the following content:


[Unit]
Description=OpenSSH server daemon
After=network.target

[Service]
ExecStart=/usr/local/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

    

Create a new systemd service file for OpenSSH. This file will define how the SSH service starts, stops, and restarts.


sudo systemctl daemon-reload
sudo systemctl start sshd
sudo systemctl enable sshd

    

Reload the systemd daemon to recognize the new service file, start the new OpenSSH service, and enable it to start automatically on boot.

Verify Installation


ssh -V
sudo systemctl status sshd

    

Check the OpenSSH version to ensure the upgrade was successful and verify that the new SSH service is running correctly.

Conclusion

Updating to OpenSSH 9.8 is essential for security and performance improvements. By following these steps, you can ensure your system is protected against known vulnerabilities and running the latest version.

Keeping your OpenSSH updated is crucial to protect your system from potential threats. Regular updates and maintenance ensure that your system remains secure and performs optimally.

STATPAN

9 Comments

  1. in step 2, when I enter "make" it says "No targets specified and no makefile found. Stop", same thing with "sudo make install" that replies No rule to make target install. STop" What should I do? Thanks.

    ReplyDelete
    Replies
    1. run these commands:
      sudo apt-get install zlib1g-dev
      sudo apt-get install libssl-dev

      then run ./configure again

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
  3. I followed this tutorial but not lucky


    root@MyMachine:/home/dakroot/openssh-9.8p1# systemctl status sshd
    × sshd.service - OpenSSH server daemon
    Loaded: loaded (/etc/systemd/system/sshd.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Thu 2024-07-11 00:01:19 WIB; 6s ago
    Process: 3151640 ExecStart=/usr/local/sbin/sshd -D (code=exited, status=255/EXCEPTION)
    Main PID: 3151640 (code=exited, status=255/EXCEPTION)
    CPU: 16ms

    Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
    Jul 11 00:01:19 MyMachine sshd[3151640]: fatal: Cannot bind any address.
    Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Failed with result 'exit-code'.
    Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Scheduled restart job, restart counter is at 5.
    Jul 11 00:01:19 MyMachine systemd[1]: Stopped OpenSSH server daemon.
    Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Start request repeated too quickly.
    Jul 11 00:01:19 MyMachine systemd[1]: sshd.service: Failed with result 'exit-code'.
    Jul 11 00:01:19 MyMachine systemd[1]: Failed to start OpenSSH server daemon.

    can you help me?

    ReplyDelete
    Replies
    1. "fatal: Cannot bind any address." This message means that the OpenSSH server could not connect to the necessary port (by default, port 22) when trying to start. maybe..
      1. Port Conflict
      2. Configuration Error
      3. System Policy or Firewall Rules(blocking port 22)

      1. Port Conflict
      sudo netstat -tulpn | grep :22
      Use this command to see if any process is currently using port 22
      If port 22 is already in use, you might see an output like this:
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
      tcp6 0 0 :::22 :::* LISTEN
      If another service is using port 22, you will need to either stop that service or configure SSH to use a different port.

      or
      ps aux | grep sshd
      This command will list all running SSH processes. If there are any processes listed,

      sudo systemctl stop sshd
      sudo killall sshd
      you should stop them with the commands

      2. Configuration Error
      Open the /etc/ssh/sshd_config file and check the settings for the correct port and network interfaces. Pay special attention to the Port and ListenAddress settings.

      3. System Policy or Firewall Rules(blocking port 22)
      Review your firewall settings to ensure that port 22 is open. To check firewall settings, use

      sudo ufw status
      or
      sudo iptables -L

      After making the necessary changes, reload the systemd daemon and restart the SSH service.
      sudo systemctl daemon-reload
      sudo systemctl start sshd
      sudo systemctl enable sshd
      sudo systemctl status sshd

      Delete
  4. At the end trying, ssh -V I get "-bash: /usr/bin/ssh: No such file or directory".

    Entering systemctl status sshd, does show active (running).

    Any ideas?

    ReplyDelete
    Replies
    1. The error message "-bash: /usr/bin/ssh: No such file or directory" indicates that the OpenSSH client is either not installed or not properly configured on your system.

      Although you may have successfully installed the OpenSSH server
      the client (which includes the ssh command) is a separate package and may not have been installed.

      Delete
  5. Thanks man. You saved my day. Although I couldn't make it to launch automaticaly. Also it somehow killed root and fly fm. ¯\_(ツ)_/¯

    ReplyDelete
Previous Post Next Post