I built a file server that I wanted to be accessible only by ssh. I had a security scan done to check for holes and was told that I needed to upgrade my ssh (openssh) from version 3.6.7 to the latest (3.9.1)
I have tried this and when I do a "ssh -V", it says that it is the new version,but when I requested a second security scan, it came back with the same security hole and the same old openssh version,3.6.7. How do I install and/or upgrade openssh so that the new version takes over and is functional?, are there step by step instructions that I could look at on this?, I just want to plug a hole ("sigh".... :-(

If you didn't restart the sshd server yourself, the old version may still be running. The only other possibility I can think of is that the installation you tried failed, but then you would've seen some sort of error message.

Thanks for the input Wolfbone. I decided to
try a different route to this problem. I was able to find the openssh-.3.9.1p-i386.rpm beta from the redhat site and download it. I put in a separate directory and executed the rpm installation for that directory. It went through the “Preparing systems update” procedure
and did a check for package dependencies. Thought I was in the clear but then it came back with “Packages not found”; basically stating that the installation could not continue because the following packages could not be found and would only do so when the following packages were installed on my system:

Package: Required by:
Libselinux (“openssh,3,9p1.3)

Libselinux.so.1 (“openssh,3,9p1.3)

Openssh (openssh-client‘3,6.1p2.33.30.1)

Openssh (openssh-server ‘3,6.1p2.33.30.1)

NOW then! , if I do a “ssh –V”, the version of ssh that comes back is “Openssh _3.9.1p, BUT, if I do a “rpm –qa | grep ssh”, I get the following info:

Openssh-3.6.1p2.33.30.1
Openssh server-3.6.1p2.33.30.1
Openssh client-3.6.1p2.33.30.1

What happen!?!?, what have I done here?!?

I don't know - unless you've somehow managed to get a copy of the new ssh client binary onto your system, 'ssh -V' should match the rpm version. You'd better try removing all the openssh packages, make sure they've really gone, then install the new ones, including any new dependencies like libselinux that they need if they ask for them.

I would've thought RH would have a tool to automatically get updated rpms and their dependencies (does yum do this?).

Sounds to me as if you installed the tarball
for SSH, and that is the version you are
getting returned when you do ssh -V.

At the same time, you still have the .rpm
package installed for the older version, and
that is the one which is running, and giving
the security check issue. You can use rpm to
remove the .rpm packages for the old
version, then install the dependencies with
rpm, and finally the new version ssh
package(s). IIRC, fedora has an update tool
called up-to-date. You can run it, and save
some of the rpm he** :).

HTH,

Ernie [ewilcox@buckeye-express.com]
ICQ 41060744
Registered Linux User 247790

I agree, RedHat should and sorta does have the "RedHat Network Alert Notification Tool"
and that starts the "up2date" program updater, but I think that they are getting either greedy, lazy or both as as far as keeping up with security issues and updates.

Unless there is another way to do this via app or command line (rpm appname.version & up2date appname.version) I'm at a loss as to what else I could try.

As far as deleting and/or removing the ssh packages, when I tried to do a "rpm -e openssh" to remove the old openssh app, I got a bunch of "NO, we can't do this, dependencies crap! Is there another way to delete unwanted applications and their numerous related files thoroughly from the system so I can do a fresh, clean install of openssh?, or should I just start going through and deleting everything ssh-related?, is there a removal tool in linux that can do this?

I did a search for the "libselinux & libselinux.so.1" files. I found some on http://rpm.pbone.net/index.php3, but I wasn't sure if I could use them for my version of Linux (RedHat Enterprise Advance Server (AS) ). Still looking for the rpms for this silly thing as well.

Yum works well on Fedora, haven't tried in on Redhat yet.

Thxs for your input Wolfebone.

Hi Ernie & thanks also for your input.

When I try to remove openssh packages\rpm, I get "failed depencices" , openssh-server needs this, openssh-client needs this, netdump needs this to run. Any way around this?

There cannot be all that many dependencies on openssh. If pkga needs pkgb when you are trying to uninstall pkgb then you do 'rpm -e pkga pkgb' to remove them both.

You should first make sure you have got all the new openssh rpms and any rpms they depend on and any rpms that depend on them, all from an official RH source repository. If you cannot do this you should change to an alternative distro.

You haven't said whether ernie was correct to suggest you had tried installing from a non-rpm source. What does 'rpm -qf $(which ssh)' say? If that is so you are likely to make a horrible mess of your system

You can always pass the --nodeps and/or --force switches to rpm in order to ignore dependencies etc although it is not always a good idea....just make sure that you are able to then install the newer packages to satisfy any broken dependencies.

Hi guys,

Let me see if I can show you whats going on here:

[root@apples root]# ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
[root@apples root]#
[root@apples root]# rpm -qa | grep ssh
openssh-3.6.1p2-33.30.1
openssh-server-3.6.1p2-33.30.1
openssh-clients-3.6.1p2-33.30.1
[root@apples root]#
[root@apples root]#
[root@apples root]# up2date openssh-3.6.1p2-33.30.1

Fetching Obsoletes list for channel: rhel-i386-as-3...

Fetching rpm headers...

Name Version Rel

The following packages you requested were not found:
openssh-3.6.1p2-33.30.1
[root@apples root]#
[root@apples root]# up2date openssh

Fetching Obsoletes list for channel: rhel-i386-as-3...

Fetching rpm headers...

Name Version Rel

The following packages you requested are already updated:
openssh
[root@apples root]#
[root@apples root]#
[root@apples root]# rpm -e openssh-clients-3.6.1p2-33.30.1
error: Failed dependencies:
openssh-clients is needed by (installed) lam-6.5.9-1
openssh-clients is needed by (installed) kdebase-3.1.3-5.4
/usr/bin/ssh is needed by (installed) netdump-0.6.11-3
[root@apples root]#
[root@apples root]#
[root@apples root]# rpm -e openssh-server-3.6.1p2-33.30.1
error: Failed dependencies:
openssh-server is needed by (installed) lam-6.5.9-1
/usr/sbin/sshd is needed by (installed) netdump-server-0.6.11-3
[root@apples root]#
[root@apples root]#
[root@apples root]# rpm -e openssh-3.6.1p2-33.30.1
error: Failed dependencies:
openssh = 3.6.1p2-33.30.1 is needed by (installed) openssh-clients-3.6.1 p2-33.30.1
openssh = 3.6.1p2-33.30.1 is needed by (installed) openssh-server-3.6.1p 2-33.30.1
/usr/bin/ssh-keygen is needed by (installed) netdump-0.6.11-3
[root@apples root]#
[root@apples root]#
[root@apples root]#

I can't see why kdebase is dependent on openssh-clients?!?

If you want to remove all three packages try this (all on one line):
# rpm -ev openssh-3.6.1p2-33.30.1 openssh-server-3.6.1p2-33.30.1 openssh-clients-3.6.1p2-33.30.1 --nodeps

You can then try installing the newer version by using -ivh instead of -ev and --nodeps.