Ubuntu 14.04 includes a new version of OpenSSH. Version 6.2, which is present in Saucy, has a vulnerability that could potentially be exploited. If you are doing PCI compliance, then fixing this is a must!
Luckily, replacing OpenSSH is pretty easy. This guide assumes you are using 13.10, that you already have OpenSSH installed and configured, and that you have already installed the Ubuntu 13.10 build dependencies. If you’ve ever compiled something from source, then you will have these. If you don’t, then use
First download 6.6p1 (I used the Australian servers). Make sure it’s the portable version, otherwise it will only work for UNIX.
Next you will uncompress the file, go into the directory containing its contents, and configure it.
tar -xvf openssh-6.6p1.tar.gz
cd openssh-6.6p1
# configure with the options from the post; add --with-pam if your sshd_config relies on "UsePAM yes"
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --with-md5-passwords --with-privsep-path=/var/lib/sshd
# build and install over the packaged binaries under /usr (without these two
# steps nothing is replaced, and sshd -V keeps reporting the old version)
make
sudo make install
Okay, if your configuration worked, then you are good to go. You’ve already got OpenSSH working, right? So when it warns you about PAM configurations, don’t worry. It’s already set up!
Now you are as good as done! If you try and run the sshd command and ask for the version, it should tell you what version it is.
sshd -V
OpenSSH_6.6p1, OpenSSL 1.0.1e 11 Feb 2013
You are now up and running. Check you can SSH back into your server!
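The following script is an added example, not code from the original post, for the verification step: it parses the version line that `sshd -V` prints, compares it numerically against the 6.6p1 the post builds, and (when run with `--live`) also reads the banner of the sshd that is actually listening on port 22. The second check matters because the daemon that was already running keeps executing the old code until it is restarted; `sshd -V` only looks at the new file on disk. The `nc` (netcat) dependency, the hypothetical file name check_openssh.sh and the sample banner strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that (1) the sshd binary
# on disk reports at least the version you built and (2) the daemon listening
# on port 22 advertises that version too, i.e. it has been restarted.
#
# Assumptions: sshd is on PATH and `nc` (netcat) is installed for the live
# check; the parsing/comparison functions need neither.

MIN_VERSION=6.6p1   # the version the post builds

# Pull "6.6p1" (or "6.6.1p1", or "7.4") out of a version line such as
#   "OpenSSH_6.6p1, OpenSSL 1.0.1e 11 Feb 2013"   (first line of `sshd -V`)
#   "SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2"       (server banner, constructed)
# Prints nothing if the line does not mention OpenSSH at all.
openssh_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9.]*[p0-9]*\).*/\1/p'
}

# Split "6.6.1p1" into "major minor micro portable" integers, filling missing
# parts with 0, so versions compare numerically ("6.10" sorts after "6.9").
openssh_version_tuple() {
    base=${1%%p*}
    port=${1#*p}; [ "$port" = "$1" ] && port=0
    maj=${base%%.*}
    rest=${base#*.}; [ "$rest" = "$base" ] && rest=0
    min=${rest%%.*}
    micro=${rest#*.}; [ "$micro" = "$rest" ] && micro=0
    printf '%d %d %d %d\n' "$maj" "$min" "$micro" "$port"
}

# Return 0 if version $1 is at least version $2, 1 otherwise.
openssh_version_ge() {
    have=$(openssh_version_tuple "$1")
    want=$(openssh_version_tuple "$2")
    set -- $have; h1=$1; h2=$2; h3=$3; h4=$4
    set -- $want; w1=$1; w2=$2; w3=$3; w4=$4
    [ "$h1" -gt "$w1" ] && return 0
    [ "$h1" -lt "$w1" ] && return 1
    [ "$h2" -gt "$w2" ] && return 0
    [ "$h2" -lt "$w2" ] && return 1
    [ "$h3" -gt "$w3" ] && return 0
    [ "$h3" -lt "$w3" ] && return 1
    [ "$h4" -ge "$w4" ]
}

# Does a version line (from `sshd -V` or the banner) meet version $2
# (default MIN_VERSION)? Returns 0 if yes, 1 if older or not OpenSSH.
openssh_line_ok() {
    v=$(openssh_version_from_line "$1")
    [ -n "$v" ] || return 1
    openssh_version_ge "$v" "${2:-$MIN_VERSION}"
}

# Live checks; run as:  sh check_openssh.sh --live   (hypothetical file name)
live_check() {
    rc=0
    disk_line=$(sshd -V 2>&1 | head -n 1)   # sshd prints its version on stderr
    if openssh_line_ok "$disk_line"; then
        echo "binary on disk : $disk_line (ok)"
    else
        echo "binary on disk : $disk_line (older than $MIN_VERSION?)"; rc=1
    fi
    # The banner is the first line the server sends; keep stdin open for a
    # moment so nc does not hang up before it arrives.
    banner=$(sleep 2 | nc -w 3 127.0.0.1 22 2>/dev/null | head -n 1 | tr -d '\r')
    if openssh_line_ok "$banner"; then
        echo "listening sshd : $banner (ok)"
    else
        echo "listening sshd : ${banner:-no banner} (restart sshd so it runs the new binary)"; rc=1
    fi
    return $rc
}

if [ "${1-}" = "--live" ]; then
    live_check
fi
```

Two things worth keeping in mind after the live check passes: restart the service (and re-run the check) before trusting the banner, and remember that the hand-built files under /usr belong to the openssh-server package as far as dpkg is concerned, so a later package upgrade will silently put the distribution's binaries back.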