How To Update Cluster SSH

From Biowiki
Jump to: navigation, search

---

Updating OpenSSH and OpenSSL on the Babylon Cluster

Vulnerabilities in OpenSSH and OpenSSL are found all the time, but fortunately they are very quickly patched. The problem is that it takes a while for these patches to make it into a package management system. So, the only way to stay on top is to update from source.

Any Internet-visible machine MUST BE UPDATED IMMEDIATELY when an update comes out! I cannot stress this enough!

This applies to any cluster node running Cent OS.

Watch these sites for updates

[[1]] (it is used by OpenSSL)

[[2]]

[[3]]

How to figure out which version of OpenSSH/OpenSSL you have

ssh -V

which will output something like this:

[[Open SSH]]_4.5p1, [[Open SSL]] 0.9.8d 28 Sep 2006

How to update from source

Acquire mighty root powers.

Download and unzip the latest source:

cd /usr/src/
# use wget to get the files from the aforementioned sites
tar xvfz zlib-1.2.3.tar.gz
tar xvfz openssl-0.9.8d.tar.gz
tar xvfz openssh-4.5p1.tar.gz

Install zlib

cd /usr/src/zlib-1.2.3/
./configure --prefix=/usr/
make
make test
make install

Install OpenSSL

cd /usr/src/openssl-0.9.8d/
./config zlib shared --prefix=/usr/
make
make test  # you should pass all tests
make install

mkdir -p /usr/ssl/include

\cp -f include/openssl/* /usr/ssl/include/  # overwrite files
\cp -f include/openssl/* /usr/include/

Required the VERY FIRST TIME you update a box from source: remove all traces of the old OpenSSL installation. To do this, you must find and remove all the old libcrypto libraries and OpenSSL headers.

This is easy using the findssl.sh script that comes with OpenSSH. It requires that the locate database be up to date, so run updatedb first.

updatedb  # this may take a while

cd /usr/src/openssh-4.5p1/contrib/
. findssl.sh

findssl.sh will tell you where all the traces of OpenSSL are on your system. For a properly updated box, it should look something like this:

Searching for [[Open SSL]] header files.
0x0090804f /usr/include/opensslv.h
0x0090804f /usr/src/openssl-0.9.8d/crypto/opensslv.h
0x0090804f /usr/src/openssl-0.9.8d/include/openssl/opensslv.h

Searching for [[Open SSL]] shared library files.
0x0090705fL /opt/sge/lib/lx24-amd64/libcrypto.so		  # these two came with Sun Grid Engine, don't worry
0x0090705fL /opt/sge/lib/lx24-amd64/libcrypto.so.0.9.7  # about removing them, they're harmless
0x0090804fL /usr/lib/libcrypto.so
0x0090804fL /usr/lib/libcrypto.so.0.9.8
0x0090804fL /usr/lib64/libcrypto.so
0x0090804fL /usr/src/openssl-0.9.8d/libcrypto.so
0x0090804fL /usr/src/openssl-0.9.8d/libcrypto.so.0.9.8

Searching for [[Open SSL]] static library files.
0x0090804fL /usr/lib/libcrypto.a
0x0090804fL /usr/lib64/libcrypto.a
0x0090804fL /usr/src/openssl-0.9.8d/libcrypto.a

The version number is the thing in the first column: in this case, the version number is 0x0090804, which corresponds to 0.9.8d. If there are any older version numbers, delete those files.

Note that a lot of these files are actually symbolic links, in which case you should relink them to where the new libraries are (if this hasn't already been done automatically by the OpenSSL make install).

For example, the following are the symbolic links you should have after a proper update:

lrwxrwxrwx  1 root root 18 Oct  3 11:49 /usr/lib/libcrypto.so -> libcrypto.so.0.9.8
lrwxrwxrwx  1 root root 27 Jun 15 10:49 /usr/lib64/libcrypto.so -> /usr/lib/libcrypto.so
lrwxrwxrwx  1 root root 18 Nov 13 16:40 /usr/lib64/libcrypto.so.2 -> /usr/lib/libcrypto.so
lrwxrwxrwx  1 root root 18 Nov 13 16:40 /usr/lib64/libcrypto.so.4 -> /usr/lib/libcrypto.so
lrwxrwxrwx  1 root root 20 Jun 15 10:49 /usr/lib64/libcrypto.a -> /usr/lib/libcrypto.a

I might be forgetting a few, so if you ever launch something (e.g. httpd) that complains about a missing libcrypto library, just symlink what it is looking for to /usr/lib/libcrypto.so and make sure that /usr/lib/libcrypto.so is itself a symlink to the latest version of libcrypto, and that should fix it.

Finally, update the dynamically linked libraries:

ldconfig

Verify that OpenSSH is now using the OpenSSL you just installed:

ssh -V

Install OpenSSH

cd /usr/src/openssh-4.5p1/
./configure --prefix=/usr/ --with-ssl-dir=/usr/ssl/ --sysconfdir=/etc/ssh/
make
make install

Check and finalize the install

Verify that everything is up to date:

ssh -V

Restart the sshd daemon:

service sshd restart

As the final test (if conditions permit this), reboot the machine and make sure that the latest version of OpenSSH/OpenSSL is still there after rebooting! I've had it revert to the older version after reboot once upon a time (may occur if you don't clean up the old libcrypto libraries). So, reboot and run:

ssh -V

to be sure the update is there to stay.

---

-- Created by: Andrew Uzilov on 13 Nov 2006