Koozali.org: home of the SME Server

openssh security howto

Ari

openssh security howto
« on: April 20, 2002, 03:52:22 AM »
This howto addresses 2 issues.
1) Upgrade of openssh to 3.1p1-1
2) disable fallback to ssh 1.0 protocol in all ssh connections to the server

This is my first attempt at a how-to.

http://www.marari.net/downloads/openssh/howto-openssh-upgrade.htm

Any feedback would be greatly appreciated.

Cheers!
Ari

Jonathan

Re: openssh security howto
« Reply #1 on: April 20, 2002, 11:43:53 AM »
Ari,
I tried this update on an SME v5.12 and it worked great.  I checked the logs of my client and I was previously connecting with protocol 1, and am now connecting with protocol 2.  This is great news and the instructions worked without a hitch.

I also tried it on an SME v5.0 server and I got the following dependency problem:
error: failed dependencies:
         libc.so.6(GLIBC_2.2.4)     is needed by openssh-server-3.1p1-1

I looked on the rpmfind site, but it wasn't obvious to me which package might solve this problem.  Can you suggest an update that would solve the problem for SME 5.0?

Thanks,
Jonathan

Michael Doerner

Re: openssh security howto
« Reply #2 on: April 20, 2002, 01:21:35 PM »
Ari,

I just applied it here on our test server and I am a bit surprised that I can't get ssh access (using putty) from the internal network any longer!

/var/log/messages reports for every attempt:
sshd[2203]: refused connect from 192.168.1.10.

It's the latest version of putty and I am definitely using ssh protocol 2 (as I did before when it was working).

Is the syntax to set the sshd properties in the database really ... sshd Protocol 2 or might it have to be like "Protocol 2" or protocol 2? I don't know.

How can I delete that protocol property in the database to see whether it would fallback and work with ssh protocol 1?

Regards,
Michael

Ari

Re: openssh security howto
« Reply #3 on: April 20, 2002, 09:16:28 PM »
edit the fragment 20Protocol in /etc/e-smith/templates/etc/ssh/sshd_config
and put "{"  "}" at the beginning and end of the line.

Rebuild the template using:
# /sbin/e-smith/expand-template /etc/ssh/sshd_config

and it should remove the protocol line.

I have to tell you though that I am using the latest version of the putty client and I'm connecting to the server (both on the internal and external IP addresses) without trouble.

In Putty, under the SSH tab, you can force it to Protocol 2 but you shouldn't need to since after the update, there's no fallback to ssh Protocol 1.

Ari
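Added example, not part of the thread or of the e-smith packages: a small POSIX sh check that tells you whether an expanded /etc/ssh/sshd_config still permits the SSH 1 protocol after the template change above. It assumes OpenSSH 3.x semantics: the first Protocol directive wins, and a missing directive means the default "2,1", i.e. fallback to protocol 1 is still allowed. The sample configs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread). Report whether an sshd_config
# still allows the SSH 1 protocol. Assumption: OpenSSH 3.x behaviour,
# where the first "Protocol" directive is used and an absent directive
# defaults to "2,1" (protocol 1 fallback allowed).

# ssh1_allowed FILE
#   exit 0 -> protocol 1 is still accepted (fallback possible)
#   exit 1 -> only protocol 2 is accepted
ssh1_allowed() {
    # Take the value of the first uncommented "Protocol" line; "#Protocol"
    # does not match because the '#' is part of the first field.
    proto=$(awk 'tolower($1) == "protocol" && !seen { v = $2; seen = 1 }
                 END { print v }' "$1")
    [ -z "$proto" ] && return 0          # no directive: default is 2,1
    case ",$proto," in
        *,1,*) return 0 ;;               # "1", "2,1", "1,2" all permit SSH 1
        *)     return 1 ;;
    esac
}

# Constructed sample configs, one per case the check must handle.
sample_config() {
    case "$1" in
        fallback) printf 'Port 22\nProtocol 2,1\n' ;;
        strict)   printf 'Port 22\n#Protocol 2,1\nProtocol 2\n' ;;
        missing)  printf 'Port 22\nPermitRootLogin no\n' ;;
    esac
}

# Stand-alone run: print a verdict for each constructed sample.
main() {
    tmp=$(mktemp) || exit 1
    for name in fallback strict missing; do
        sample_config "$name" > "$tmp"
        if ssh1_allowed "$tmp"; then
            echo "$name: protocol 1 still allowed"
        else
            echo "$name: protocol 2 only"
        fi
    done
    rm -f "$tmp"
}

# Run the demo only when executed directly, not when sourced for testing.
[ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && main
```

Point it at the real file with `ssh1_allowed /etc/ssh/sshd_config` after expanding the template to confirm the protocol line really is gone or reads "Protocol 2".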

Michael Doerner

Re: openssh security howto
« Reply #4 on: April 21, 2002, 03:03:56 AM »
Sorry for the (wrong) error report. It was just a user fault (me!).
I applied the new rpms through a ssh/putty session from a Windows workstation and when I started the "remoteaccess-update", it completely locked the whole network access from my workstation.
I lost all mapped drives under Windows, couldn't browse the network, etc. A Windows restart didn't fix that and I panicked. Since I was under time pressure, I uninstalled the e-smith-openssh....dmc (which was wrong to do).
After a server restart (I still don't know why that was needed?) all Windows networking was back to normal but of course there was no ssh access any longer. I reapplied that missing rpm this morning and it's working fine as expected.
Thanks for the extra help and sorry for my report.

Regards,
Michael