8

I have a Debian 8 server for a customer that is failing a PCI scan, presumably running: nmap -p 22 -sV customer.edu

which returns

22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7

This should be easy, given my /etc/apt/sources.list is this:

deb http://mirror.rackspace.com/debian jessie main
deb-src http://mirror.rackspace.com/debian jessie main
deb http://mirror.rackspace.com/debian-security/ jessie/updates main
deb-src http://mirror.rackspace.com/debian-security/ jessie/updates main
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-backports main
deb http://security.debian.org/ jessie/updates main contrib non-free

sudo apt-get upgrade openssh-server returns:

Calculating upgrade... openssh-server is already the newest version.

Is there a better way to get the latest OpenSSH server?

I attempted to download it and install its OpenSSL 1.0.2-stable dependency in /usr/local/, but I am having serious trouble with it failing.

Are my choices to find a better source in apt-get, or attempt to install it and its OpenSSL dependency in /usr/local and manually point systemctl to those binaries?

sam452
  • 279

2 Answers

6

failing a PCI scan

Document for your auditor the version of the package installed. Reference security updates regarding OpenSSH, in this case from Debian. Possibly cross-reference relevant CVEs.

Parsing a version number is fragile. Stable distros generally do not upgrade the version, but apply their own patches.

John Mahowald
  • 36,071
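One way to produce the evidence this answer asks for, as an added example that is not part of the answer: search the Debian package changelog for the CVE id and report the package version that carried the backport, rather than parsing the upstream version string in the banner. The changelog excerpt, versions, dates and CVE ids below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from either answer): audit evidence for a Debian
# "stable" package. Find the package version whose changelog stanza
# mentions the CVE, i.e. the version that carried the backported fix.

# Constructed sample in Debian changelog format. Versions, dates and the
# CVE ids (CVE-0000-000N) are placeholders, not real advisories.
sample_changelog() {
    cat <<'EOF'
openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder id).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high

  * Backport upstream fix for CVE-0000-0001 (placeholder id).

 -- Example Maintainer <maint@example.org>  Sun, 01 Jan 2017 00:00:00 +0000

openssh (1:6.7p1-5) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2015 00:00:00 +0000
EOF
}

# fixed_in CVE-ID  (changelog on stdin)
# Prints the version that introduced the fix; exit status 1 if the CVE is
# never mentioned. Stanzas are newest-first, so the last match is the
# version that first carried the fix.
fixed_in() {
    awk -v cve="$1" '
        # Stanza header: "openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=high"
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver); next }
        ver != "" && index($0, cve) { hit = ver }
        END { if (hit == "") exit 1; print hit }
    '
}

# On a real Debian host (not run here): compare the installed version with
# the version that carries the backport.
#   installed=$(dpkg-query -W -f='${Version}' openssh-server)
#   fixed=$(zcat /usr/share/doc/openssh-server/changelog.Debian.gz | fixed_in CVE-XXXX-YYYY)
#   dpkg --compare-versions "$installed" ge "$fixed" && echo "backport present"

sample_changelog | fixed_in CVE-0000-0001   # prints 1:6.7p1-5+deb8u3
```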
-3

I originally published this script here: install-newer-openssh.
The most up-to-date version will be there!
However, to make it easier, I transcribe it here...

PLUS!

A SEVERE VULNERABILITY (CVE-2023-38408) has been discovered in OpenSSH in versions prior to 9.3p2 which is the case for virtually all server Linux distros. CVE-2023-38408 is a vulnerability that allows remote code execution and is present in the SSH agent forwarding feature, especially against "PKCS#11" providers. Leveraging SSH agent support of "PKCS#11" under specific conditions allows attackers to execute remote code through a forwarded agent socket.

So it's important to update the OpenSSH Service in use on your server to a newer version!

MORE INFORMATION: https://github.com/kali-mx/CVE-2023-38408, https://tryhackme.com/room/cve202338408, https://nvd.nist.gov/vuln/detail/CVE-2023-38408.


OpenSSH Service - Install a newer version (Debian)

Introduction

Using an OpenSSH service newer version (9.4 at the time of this guide) is easy and crucial for security.

We will install an OpenSSH service newer version while keeping, but disabling, the one installed by the package manager (Debian official repositories).

Tested on Debian GNU/Linux 11 (bullseye).

NOTE: For easier understanding, we will refer to the version installed by the package manager (Debian official repositories) as the OpenSSH service repo version.

IMPORTANT: Installing an OpenSSH service newer version alongside the OpenSSH service repo version is recommended because components of the OpenSSH service repo version are used by other components and packages, and its absence can be a source of problems.

Install the required packages

Install the necessary packages to build and run the OpenSSH service newer version...

# Build tool chain and headers. OpenSSH's configure needs the OpenSSL and
# zlib development headers, so install them explicitly instead of relying
# on libssh-dev (a different library) to pull them in.
apt -y install autoconf
apt -y install build-essential
apt -y install cmake
apt -y install libssh-dev
apt -y install libssl-dev
apt -y install zlib1g-dev
apt -y install libtool
apt -y install netcat
apt -y install wget

Download and build the OpenSSH service newer version

Commands to download and build...

OPENSSH_VER="9.4p1"
# Fetch the portable release tarball, build it, and install it under its
# own prefix so the repo version under /usr stays untouched.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VER}.tar.gz
tar -xvf openssh-${OPENSSH_VER}.tar.gz
cd openssh-${OPENSSH_VER}
./configure --prefix=/opt/openssh-${OPENSSH_VER}
make
make install
cd ..
rm -rf openssh-${OPENSSH_VER}.tar.gz

TIP: OpenSSH service newer versions can be found at https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ .

IMPORTANT: You should use a portable version.

Create a symbolic link so that we can update the OpenSSH service more easily in the future, reusing some configurations...

ln -s /opt/openssh-${OPENSSH_VER} /opt/openssh-latest

Change the OpenSSH service repo version configuration

Change the OpenSSH service repo version port in /etc/ssh/sshd_config configuration file by changing the "#Port 22" parameter to "Port 2222", for example.

NOTE: The configuration file for the OpenSSH service newer version will be in the path /opt/openssh-latest/etc/sshd_config.

Create the default environment file for the OpenSSH service newer version

Commands to create the default environment file and a folder for it...

mkdir -p "/opt/openssh-latest/default"
# The BEGIN/END marker lines are stripped by the ${FILE_CONTENT:6:-3}
# substring below; "read -d ''" returns non-zero at EOF, which is expected.
read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
# Default settings for OpenSSH Server.

# Options to pass to sshd.

SSHD_OPTS=

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > '/opt/openssh-latest/default/ssh'

Create service configuration files (systemd)

Commands to create the "ssh-latest.service" file...

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r

[Service]
EnvironmentFile=-/opt/openssh-latest/default/ssh
ExecStartPre=/opt/openssh-latest/sbin/sshd -t
ExecStart=/opt/openssh-latest/sbin/sshd -D $SSHD_OPTS
ExecReload=/opt/openssh-latest/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=exec
RuntimeDirectory=sshd-latest
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd-latest.service

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/usr/lib/systemd/system/ssh-latest.service"

Commands to create the "ssh-latest@.service" file...

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=OpenBSD Secure Shell server per-connection daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=auditd.service

[Service]
EnvironmentFile=-/opt/openssh-latest/default/ssh
ExecStart=/opt/openssh-latest/sbin/sshd -i $SSHD_OPTS
StandardInput=socket
RuntimeDirectory=sshd-latest
RuntimeDirectoryMode=0755

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/usr/lib/systemd/system/ssh-latest@.service"

Commands to create the "ssh-latest.socket" file...

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=OpenBSD Secure Shell server socket
Before=ssh-latest.service
Conflicts=ssh-latest.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/usr/lib/systemd/system/ssh-latest.socket"

Commands to create the "rescue-ssh-latest.target" file...

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=Rescue with network and ssh
Documentation=man:systemd.special(7)
Requires=network-online.target ssh-latest.service
After=network-online.target ssh-latest.service
AllowIsolate=yes

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/usr/lib/systemd/system/rescue-ssh-latest.target"

Service configurations (systemd)

Disable the OpenSSH service repo version...

systemctl disable ssh.service
systemctl disable ssh.socket

Enable the OpenSSH service newer version...

systemctl enable ssh-latest.service
systemctl enable ssh-latest.socket

Reboot your system...

reboot

Confirm the version of the OpenSSH service newer version

Confirm the version via the binary...

/opt/openssh-latest/bin/ssh -V

Confirm the version via the service...

echo | nc 127.0.0.1 22

[Ref(s).: https://gist.github.com/jtmoon79/745e6df63dd14b9f2d17a662179e953a ]

  .~.  Have fun! =D
  /V\  
 // \\ Tux
/(   )\
 ^`~'^ 
Eduardo Lúcio
  • 283
  • 5
  • 15