1

I have been setting up a simple server, and was worried about some security risks. I found that the Pi is running openssh 6.7, when the most up to date version is 7.5. Tenable Nessus says this leads to multiple security vulnerabilities that can be resolved by downgrading openssh to version 7.5.

However, running apt-get update and apt-get upgrade returns no necessary updates. How would I guarantee security for my pi in this case?

BarrowWight
  • 335
  • 1
  • 4
  • 10

3 Answers3

2

Try upgrading the distribution instead, not sure if SSH is included in that, it might be

apt-get dis-upgrade

or if you're using OpenSSH target the app

apt-get update openssh-server

If you need to see whats installed use this,

dpkg --get-selections

if you see anything with SSH in, you could try an upgrade or update with the package name displayed in that list.

sudo as appropriate.

Side Note: I had this exact same issue last night with OpenVPN, the raspbian repos don't have the latest versions of everything (probably for compatibility reasons). I ended up having to compile and installed myself from a tar.gz release of the package.

Though looking at the networking repolist 6.7 is the latest in jesse repos. Looks like Raspbian Stretch release will have it but its not been released yet.

Ollie
  • 181
  • 7
1

You can install openssh from source and have the latest version.

First you have to uninstall openssh.

Note! It can be dependencies that isn't meet when installing from source, and to have compilation tools is also seen as a security weakness.

I would recommend to wait for Raspbian Stretch.

MatsK
  • 2,882
  • 3
  • 17
  • 22
1

I needed to upgrade ssh so I could use a newer command - specifically the ProxyJump. I found a handy link here for ubuntu to build it.

I altered it like this: (You can update the source as required from https://www.openssh.com/)

sudo apt-get install  build-essential libssl-dev zlib1g-dev
wget "https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz"
tar xfz openssh-7.4p1.tar.gz
cd openssh-7.4p1
./configure
make
sudo make install && sudo service ssh restart && ssh -V

I had an ssh key on one machine (Machine-A), an allowed IP address on an intermediate machine (Machine-B) and a destination server (Machine-C) that needed the key from Machine-A to connect (I had forgotten the password and only had they key) - this helped me to tunnel / hop to my target server.

ssh -o ProxyJump=root@mac.hin.e.b root@mac.hine.c

An extended answer - but maybe it helps somebody

MaZ
  • 11
  • 1