What OpenSSH Are You Using?

August 17, 2017

I have long been critical of IBM's policy of only patching the OpenSSH sources as CVEs are found and fixed: it makes it very hard to know what you are really running. On the plus side, you could be fairly certain that clients, even very old ssh clients, would continue to connect, because the configuration demands (or expectations) didn't change.

In a short article, I summarized the changes to OpenSSH since release-6.0 was released in April 2012.

FYI: for OpenBSD the release numbers are just that: feature changes happen whenever they are ready, although sometimes a feature change is synced with a major release number. See http://www.rootvg.net/content/view/805/1/ for more information.

Between release-6.0 (which was primarily a bugfix release) and release-6.6 in March 2014 some new features were introduced, but nothing I remember as breaking an old client. Release-6.7, however, significantly changed some critical defaults, and that broke old clients. Starting with release-6.7 the default ciphers were changed, and any client that depended on the CBC-based ciphers could no longer connect unless you went and restored one, or some, of the old default Ciphers, KexAlgorithms and MACs.

In case you're wondering, I'm writing about this again because I'm working on some Linux systems. Yesterday it was CentOS-16.11, which I'm told is meant to be the community version of RedHat Enterprise (7.3), and to my surprise I saw this:

[michael@T430 ~]$ cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
[michael@T430 ~]$ uname -a
Linux T430.fritz.box 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[michael@T430 ~]$ ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

While on my NAS, with its embedded XXX Linux (i.e., I have no idea what Linux they use as a starting point):

[/etc] # uname -a
Linux x053 3.4.6 #1 SMP Thu Apr 13 05:24:36 CST 2017 x86_64 unknown
[/etc] # ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1u  22 Sep 2016
[/etc] #

On the AIX box I use to host rootvg.net and aixtools.net:

michael@x071:[/data/prj]oslevel -s
/6100-09-08-1642
michael@x071:[/data/prj]/usr/bin/ssh -V
OpenSSH_6.0p1, OpenSSL 1.0.2h  3 May 2016
michael@x071:[/data/prj]/opt/bin/ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2h  3 May 2016

(which reminds me that I need to update my OpenSSL).
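Taking the release-6.7 default change and the ssh -V checks above together, here is an added shell example (mine, not from the original post) that parses ssh -V banners like the three quoted above and reports which side of the release-6.7 default change each falls on; the function names are my own, and the three banners are copied from the post as constructed sample input.

```sh
#!/bin/sh
# Added example, not from the original post: classify "ssh -V" banners by
# whether the OpenSSH inside predates release-6.7, where the default
# ciphers, KexAlgorithms and MACs changed and old CBC-only clients broke.
# "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "6.6.1"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when dotted version $1 >= $2; compares the first three fields
# numerically, so 6.6.1 < 6.7 and 7.5 > 6.7 (string order would not do).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s.0.0.0\n' "$1" | cut -d. -f"$i")
        f2=$(printf '%s.0.0.0\n' "$2" | cut -d. -f"$i")
        [ "$f1" -gt "$f2" ] && return 0
        [ "$f1" -lt "$f2" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print a verdict for one banner. Exit status: 0 = release-6.7 or later
# defaults, 1 = pre-6.7 defaults, 2 = not an OpenSSH banner at all.
classify_banner() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo "not an OpenSSH banner: $1"
        return 2
    fi
    if version_ge "$ver" 6.7; then
        echo "OpenSSH $ver: 6.7+ defaults, CBC ciphers off; old clients need explicit Ciphers/KexAlgorithms/MACs"
        return 0
    fi
    echo "OpenSSH $ver: pre-6.7 defaults; the version alone says nothing about which CVE fixes were backported"
    return 1
}

# Constructed sample input: the three banners quoted in the post above.
for banner in "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSH_7.3p1, OpenSSL 1.0.1u  22 Sep 2016" \
              "OpenSSH_6.0p1, OpenSSL 1.0.2h  3 May 2016"; do
    classify_banner "$banner" || :
done
# Then the local client, if any (ssh -V writes its banner on stderr).
if command -v ssh >/dev/null 2>&1; then
    classify_banner "$(ssh -V 2>&1)" || :
fi
```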

Being at the latest OS update level doesn't guarantee you have the latest level of OpenSSH and/or OpenSSL; these need your own attention. As you can see above, I still have the 'old' AIX OpenSSH packaging installed, but I use my own packaging (available for download here).

What I hope you notice from my example above is that the IBM packaging and my (AIXTOOLS) packaging can be installed side by side. The key thing to note is that the AIXTOOLS packaging puts the config files in /var/openssh/etc and not in /etc/ssh. After installation the SRC subsystem will point at the AIXTOOLS versions. If you don't remove the IBM versions and later decide to remove the AIXTOOLS version, the SRC subsystem will use the IBM versions again. I built this in for the unfortunate yet likely situation that clients can no longer connect once the new version is installed.

Note: Even if you decide to stick with the NEW IBM version (based on release-7.1), what you can learn from the AIXTOOLS release-7.4 (OpenSSL is still at 1.0.1) or release-7.5 (OpenSSL is at VRMF 1.0.2.800 or later) will help you deal with the upgrade to the new IBM packaging.

The new IBM packaging for the latest OpenSSH and OpenSSL is available here: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp&lang=en_US