Installing OpenSSH 6.6p1 on Ubuntu 13.10 “Saucy”

Ubuntu 14.04 includes a new version of OpenSSH. Version 6.2, which is present in Saucy, has a vulnerability that could potentially be exploited. If you are doing PCI compliance, then fixing this is a must!

Luckily, replacing OpenSSH is pretty easy. This install assumes you are using 13.10, and that you already have OpenSSH installed and configured, and that you have already installed the Ubuntu 13.10 build dependencies. If you’ve ever compiled something from source, then you will have this. If you don’t, then use 

First download 6.6p1 (I used the Australian servers). Make sure it’s the portable version, otherwise it will only work for UNIX.

wget http://mirror.aarnet.edu.au/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz

Next you will uncompress the file, go into the directory containing its contents, and configure it.

tar -xvf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh \
--with-md5-passwords --with-privsep-path=/var/lib/sshd

Okay, if your configuration worked, then you are good to go. You’ve already got OpenSSH working, right? So when it warns you about PAM configurations, don’t worry. It’s already set up!

make install

Now you are as good as done! If you try and run the sshd command and ask for the version, it should tell you what version it is.

sshd -V
OpenSSH_6.6p1, OpenSSL 1.0.1e 11 Feb 2013

You are now up and running. Check you can SSH back into your server!
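Before closing your current session, it is worth checking which directives in the existing sshd_config the new binary rejects. The script below is an added example, not part of the original post: the function names are hypothetical, /usr/sbin/sshd is assumed from --prefix=/usr, and the sample lines are the sshd -t output quoted in the reader comments further down. That output counts only one of its two complaints as a bad option, so the script reports both kinds instead of trusting the exit status alone.

```shell
#!/bin/sh
# Added example (not from the original post): list the sshd_config directives
# that a freshly built sshd rejects, using the messages printed by `sshd -t`.

# Sample input: the `sshd -t` output quoted in the comments on this page.
SAMPLE_SSHD_T_OUTPUT='/etc/ssh/sshd_config line 88: Unsupported option UsePAM
/etc/ssh/sshd_config: line 89: Bad configuration option: DebianBanner
/etc/ssh/sshd_config: terminating, 1 bad configuration options'

# Read `sshd -t` output on stdin and print "<line> <kind> <directive>" for
# every rejected directive. All other lines are ignored.
parse_sshd_t() {
    sed -n -E \
        -e 's/^.* line ([0-9]+): Unsupported option (.+)$/\1 unsupported \2/p' \
        -e 's/^.* line ([0-9]+): Bad configuration option: (.+)$/\1 bad \2/p'
}

# Run an sshd binary in test mode against a config file.
#   $1: sshd binary (assumption: /usr/sbin/sshd, from --prefix=/usr)
#   $2: config file (default /etc/ssh/sshd_config)
# Returns 1 if any directive was rejected, even when sshd itself exited 0;
# otherwise returns sshd's own exit status.
check_sshd_config() {
    sshd_bin=${1:-/usr/sbin/sshd}
    conf=${2:-/etc/ssh/sshd_config}
    out=$("$sshd_bin" -t -f "$conf" 2>&1)
    status=$?
    rejected=$(printf '%s\n' "$out" | parse_sshd_t)
    if [ -n "$rejected" ]; then
        printf 'Directives rejected by %s:\n%s\n' "$sshd_bin" "$rejected" >&2
        return 1
    fi
    return "$status"
}

# Demo on the embedded sample, so no sshd binary is needed to try the parser.
printf '%s\n' "$SAMPLE_SSHD_T_OUTPUT" | parse_sshd_t
```

On a real host, run check_sshd_config as root from the session you already have open, and keep that session open until a second login succeeds.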
 

9 thoughts on “Installing OpenSSH 6.6p1 on Ubuntu 13.10 “Saucy”

  1. Good article, can you please explain why you use the --with-md5-passwords flag? I was always of the opinion that md5 is not secure and a bad choice.

    • Hi Tito, md5 is not secure as a primary means of communication. However the password exchange will be encrypted. Having md5 hash comparison going on, instead of plaintext over encryption is more secure. Further, I think it’s required for some packages that use ssh.

      EDIT: So I went and looked it up, and I was wrong. But it’s still not a concern, it’s primarily about compatibility. If your system uses PAM, then it should run on PAM. However, if you don’t specify MD5, then it will look at your passwords file, use crypt to hash the password, and see if it works. If your system uses MD5 instead, that comparison will fail. I’ve seen it recommended to run MD5 for compatibility, however it shouldn’t make a difference, because you are likely to be using PAM. So my understanding is that it has zero security ramifications, aside from the fact that if you don’t have PAM, and your system itself is using md5, you won’t be able to log in.

      • OK, I followed your steps and when I do make install I get the following message

        /usr/sbin/sshd -t -f /etc/ssh/sshd_config
        /etc/ssh/sshd_config line 88: Unsupported option UsePAM
        /etc/ssh/sshd_config: line 89: Bad configuration option: DebianBanner
        /etc/ssh/sshd_config: terminating, 1 bad configuration options

        so it seems that I do need to compile with pam; if I remove the DebianBanner and UsePAM from my config the ssh starts, but when I tried to authenticate I get
        Permission denied (publickey).

        I am allowing only key authentication
        can you post your sshd_config?

      • Thanks for the reply—I literally ran it as noted in the blog above. I am on Ubuntu 14.04. I was on version 6.6 ssh updating to 6.9. When complete, I get a publickey error.

        I was logged in via ssh before. As soon as I did this, logged out, I then began getting the error.

        I am on AWS (fyi)

  2. I am facing the following error on make install command
    packet.c:1035:1: error: conflicting types for ‘packet_send’
    packet_send(void)
    ^
    In file included from packet.c:65:0:
    packet.h:57:9: note: previous declaration of ‘packet_send’ was here
    int packet_send(void);
    ^
    packet.c:1722:1: error: conflicting types for ‘packet_write_poll’
    packet_write_poll(void)
    ^
    In file included from packet.c:65:0:
    packet.h:91:9: note: previous declaration of ‘packet_write_poll’ was here
    int packet_write_poll(void);
    ^
    make: *** [packet.o] Error 1
