As with all howto guides i provide, i take no responsibility, any damages that may occur to your server are your own responsibility, if you are worried about running the upgrade i recommend you hire a server administrator :) .

latest open SSH exploit over the last 48 hours, more information regarding the exploit can be found here:

http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

to upgrade:

login as admin
su - to root

# wget http://prowebuk.com/TEMP/DOWNLOADS/OpenSSH/openssh-3.7p1.tar.gz

BEFORE DOING ANY UPGRADES MAKE SURE YOU HAVE TELNET RUNNING, CONNECT AND KEEP A CONNECTION WHILST YOU PROCEED WITH THE UPGRADE.

for DirectAdmin you should be able to enable telnet by doing the following:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = yes' to 'disable = no'
save the file and exit
# service xinetd restart
also make sure you have port 23 open in your firewall (if you have a firewall)


Ok, lets start proceed with the upgrade

# tar -zxvf openssh-3.7p1.tar.gz
# cd openssh-3.7p1
# ./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5-passwords
# make
# make install

# service sshd restart

alternatively to restart use:

# /sbin/service sshd restart

open a new SSH window and make sure you can successfully connect to SSH... if everything is ok you will be able to disable telnet:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = no' to 'disable = yes'
save the file and exit
# service xinetd restart

If you have a firewall make sure you block port 23 to stop telnet being acessed.

Post if you have any problems :)

Chris

You might want to condfigure OpenSSH with pam..

And people upgrading from older version of OpenSSH might needed add an sshd user..

adduser sshd -s /sbin/nologin
And then run make install again...

i had the ssh user problem with another box... i will add the pam information now :)

I'm having a slight problem:[root@server1 root]# `echo -e /etc/xinetd.d/telnet`
-bash: /etc/xinetd.d/telnet: No such file or directory

[root@server1 xinetd.d]# locate telnet
/usr/bin/telnet
/usr/lib/python2.2/telnetlib.py
/usr/lib/python2.2/telnetlib.pyc
/usr/lib/python2.2/telnetlib.pyo
/usr/lib/perl5/vendor_perl/5.8.0/URI/telnet.pm
/usr/share/man/man1/telnet.1.gz
/usr/share/terminfo/t/tgtelnet
/usr/include/arpa/telnet.h

Hello,

It doesn't appear as though you have telnet installed. (Don't see a telnetd file).

Just a guess, but try using up2date and see if it will install it for you:

up2date -r telnet

not sure, but just a guess.

****

Also, note about the configure line.. I *had* to add--with-md5-passwordsto get logins working again (pam wasn't playing nice). I didn't use pam in the end, but I guess it would try both methods to login if one failed. Good thing I had a telnet window open ;)

John

--with-md5-passwords now added to the configure line :)

No luck here :(

Says -r isn't a valid option, and plain old up2date telnet says it's already updated.

Says -r isn't a valid option

Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up. Should be "up2date -u telnet" .. but since you already have it... maybe try up2date -u telnetdto see if the daemon comes seperately. (note the "d" at the end)

John

Originally posted by DirectAdmin Support
Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up.
I thought that might be the case.. hah. :)

Anyway, I'm having no luck with up2date -u telnetd either. :(

Tried to re-register and made sure the "telnet" box was checked. On RHN it is saying I have telnet-0.17-25:1.i386.rpm installed.

Hmm..

I got it :D

Had to install telnet-server-0.17-25:1.i386.rpm



*sigh*




I too had to cut the --with-pam bit out to get this to configure right.

l0rdphi1,

You need to run the following command:

up2date -i pam-devel


Whenever you get those kinds of messages when you are sure that the object is installed, you are most likely missing the devel package.


Also, you could have ran:

up2date -i telnet-server

to get the telnet server on your box.

Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?

Originally posted by RTKS
Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?

yes, you should
no, it doesn't
sshd -v or sshd -V, keep forgetting, otherwise just try sshd --help :D
(When you are using RH 9.0 you can still use up2date, other versions will need a source compile :D)

OpenSSH 3.8 was released today by the way :)

what is the new ssh and ist the same step to upgrade?

Originally posted by hail
what is the new ssh and ist the same step to upgrade?
You should know how/where to find these packages yourself ;)

Take a peek at http://www.openssh.org/.
Ya can't miss it.