[HELP] Upgrading OpenSSH to 9.1 from 8.0 in AlmaLinux 8

Mahfuz_SS_EHL Host Rep, Veteran

Hello,

For some unavoidable reasons, I need OpenSSH 9.1 on AlmaLinux 8, which is not in the repository.

I tried to install it manually, but when I remove OpenSSH 8.0 (which comes by default), the service shows connection refused and the newly installed 9.1 doesn't come up as an 'sshd' service in systemctl.

Does anyone have experience with a similar case? If you do, can you please guide me?

Regards.

Comments

  • If you're building from source, then doing 'make install' will not create your systemd service file. That is up to you.

    A host rep asking for such basic admin help seems worrying...

  • Mahfuz_SS_EHL Host Rep, Veteran

    @jugganuts said:
    If you're building from source, then doing 'make install' will not create your systemd service file. That is up to you.

    A host rep asking for such basic admin help seems worrying...

    Sorry for such basic admin help. I will definitely try to be better. As far as I can remember, the host rep tag was converted after the last rule. However, I have two queries. Should I remove the currently installed OpenSSH before proceeding to install 9.1 from scratch? And, with the configure command, will it create the systemd service file?

    I was following this one to understand it better: https://www.tecmint.com/install-openssh-server-from-source-in-linux/

  • Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    Thanked by: Mahfuz_SS_EHL
  • Mahfuz_SS_EHL Host Rep, Veteran

    @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    That's a great idea. I have already moved 8.0 to another port. Now, the thing is how I can differentiate the other one; I'm a bit confused. Hopefully, I can sort it out.

  • @Mahfuz_SS_EHL said:

    @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    That's a great idea. I have already moved 8.0 to another port. Now, the thing is how I can differentiate the other one; I'm a bit confused. Hopefully, I can sort it out.

    Just name the systemd service unit a different name... sshd9, perhaps?

  • Mahfuz_SS_EHL Host Rep, Veteran

    @TimboJones said:

    @Mahfuz_SS_EHL said:

    @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    That's a great idea. I have already moved 8.0 to another port. Now, the thing is how I can differentiate the other one; I'm a bit confused. Hopefully, I can sort it out.

    Just name the systemd service unit a different name... sshd9, perhaps?

    It didn't create any systemd service from the source package. Do I have to do this manually?

  • @Mahfuz_SS_EHL said:

    @TimboJones said:

    @Mahfuz_SS_EHL said:

    @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    That's a great idea. I have already moved 8.0 to another port. Now, the thing is how I can differentiate the other one; I'm a bit confused. Hopefully, I can sort it out.

    Just name the systemd service unit a different name... sshd9, perhaps?

    It didn't create any systemd service from the source package. Do I have to do this manually?

    Yes, just copy the existing /etc/systemd/system/sshd.service and replace the line to point to your SSH 9.1 installation directory.

    Thanked by: Mahfuz_SS_EHL
  • FatGrizzly Member, Host Rep

    Just a curious question: what feature is missing in 8.0 that you want to upgrade to 9.1?

  • @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    Oh, a Polish guy, I see xD

    Thanked by: Hotmarer, brejski
  • Mahfuz_SS_EHL Host Rep, Veteran

    @FatGrizzly said:
    Just a curious question: what feature is missing in 8.0 that you want to upgrade to 9.1?

    No feature is missing. Just a security recommendation from an audit team.

    Thanked by: FatGrizzly
  • Mahfuz_SS_EHL Host Rep, Veteran

    @Liso said:

    @Mahfuz_SS_EHL said:

    @TimboJones said:

    @Mahfuz_SS_EHL said:

    @Hotmarer said:
    Change OpenSSH 8.0 to some random port like 2137 and run OpenSSH 9.1 on port 22.

    Then even if something goes wrong, you will be able to get to your server.

    That's a great idea. I have already moved 8.0 to another port. Now, the thing is how I can differentiate the other one; I'm a bit confused. Hopefully, I can sort it out.

    Just name the systemd service unit a different name... sshd9, perhaps?

    It didn't create any systemd service from the source package. Do I have to do this manually?

    Yes, just copy the existing /etc/systemd/system/sshd.service and replace the line to point to your SSH 9.1 installation directory.

    Couldn't find it there, but here: /usr/lib/systemd/system/sshd.service

  • yoursunny Member, IPv6 Advocate
    edited October 2022

    @Mahfuz_SS_EHL said:

    @FatGrizzly said:
    Just a curious question: what feature is missing in 8.0 that you want to upgrade to 9.1?

    No feature is missing. Just a security recommendation from an audit team.

    Typically, any vulnerability in the existing version would have been patched by the OS vendor.
    The version number won't increase, but the patch is backported.

    When you attempt to run source builds instead of official packages, you run the risk of opening up more vulnerabilities.
    Hence, don't do it.

  • @Mahfuz_SS_EHL said:

    @FatGrizzly said:
    Just a curious question: what feature is missing in 8.0 that you want to upgrade to 9.1?

    No feature is missing. Just a security recommendation from an audit team.

    Just to add to what @yoursunny said: "a security recommendation from an audit team", if not more specific than this, is pretty useless in itself. If there's a known vulnerability that affects v8 but not v9 and there's no patch available, then an individual attempt to upgrade may make sense (I say "may" because it depends on the vulnerability in question), but otherwise an individual attempt to upgrade wouldn't make sense and you would just make life more difficult for yourself down the road...
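The check behind yoursunny's and Liso's point, as an added example that is not from the thread: on RHEL-family systems the package changelog names each backported CVE under the build that carried it, so "is CVE-X fixed on this host" is answered by the changelog of the installed openssh-server package, not by comparing 8.0 with the upstream 9.1 number. The CVE identifiers and changelog lines in the embedded sample are constructed placeholders, not real advisories.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Answers "is this CVE fixed on this
# host?" from the installed package's changelog rather than from the
# upstream version number, which stays 8.0p1 while fixes are backported.
# Real use:  rpm -q --changelog openssh-server | ./backport-check.sh CVE-... CVE-...
set -u

# For each CVE id given as an argument, find the first changelog entry on
# stdin that names it and print the build (version-release) from that
# entry's header. Matching is case-insensitive and refuses substring hits,
# so CVE-2021-4161 does not match a CVE-2021-41617 entry. Exit status 1 if
# any id is absent from the changelog.
cves_in_changelog() {
  local log id build missing=0
  log=$(cat)
  for id in "$@"; do
    build=$(printf '%s\n' "$log" | awk -v cve="$id" '
      BEGIN { pat = "(^|[^0-9])" toupper(cve) "([^0-9]|$)" }
      /^\* / { build = $NF }   # "* Tue Mar 01 2022 Name <mail> - 8.0p1-13.el8"
      !hit && toupper($0) ~ pat { hit = 1; print build }')
    if [ -n "$build" ]; then
      printf '%s backported in %s\n' "$id" "$build"
    else
      printf '%s not in changelog\n' "$id"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample in rpm's changelog layout (newest entry first).
# The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Mar 01 2022 Example Maintainer <maint@example.org> - 8.0p1-13.el8
- fix CVE-2099-00001 (placeholder for a backported fix)
- rebuild against updated crypto-policies

* Mon Aug 02 2021 Example Maintainer <maint@example.org> - 8.0p1-12.el8
- backport fix for cve-2099-00002 (placeholder)
- related cleanup, no CVE'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CHANGELOG" \
    | cves_in_changelog CVE-2099-00001 CVE-2099-00002 CVE-2099-00003
elif [ "$#" -gt 0 ]; then
  cves_in_changelog "$@"
fi
```

Because rpm only lists changelog entries up to the installed build, a hit means the fix is already on the box. A miss means either the distro never shipped a fix or the package is behind; 'dnf check-update openssh-server' separates the two, and where the mirror carries errata metadata 'dnf updateinfo list --cve <id>' shows the advisory directly. That output, rather than a version string, is what to hand the audit team.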

  • jackb Member, Host Rep
    edited October 2022

    Audit team: please upgrade this package to a version not supported by the OS maintainer for unspecified reasons

    @Mahfuz_SS_EHL you're allowed to query and even overrule (though in that case - be prepared to provide authoritative documentation backing up your point) audit suggestions in most cases. Blindly implementing what an audit calls for can be problematic, as it would be if you roll out OpenSSH 9.1 manually and have no plan for automating future upgrades.

    A good example is that a lot of auditors will call for periodic password changes, but that practice is discouraged by NIST, Microsoft and others (where MFA is enforced). At the end of the day their job is largely a box-checking exercise; you've got to filter out what are genuinely good ideas and what aren't, and justify why.

    Thanked by: Mahfuz_SS_EHL
  • Mahfuz_SS_EHL Host Rep, Veteran

    @jackb said:
    Audit team: please upgrade this package to a version not supported by the OS maintainer for unspecified reasons

    @Mahfuz_SS_EHL you're allowed to query and even overrule (though in that case - be prepared to provide authoritative documentation backing up your point) audit suggestions in most cases. Blindly implementing what an audit calls for can be problematic, as it would be if you roll out OpenSSH 9.1 manually and have no plan for automating future upgrades.

    A good example is that a lot of auditors will call for periodic password changes, but that practice is discouraged by NIST, Microsoft and others (where MFA is enforced). At the end of the day their job is largely a box-checking exercise; you've got to filter out what are genuinely good ideas and what aren't, and justify why.

    Sorry for the late reply. Though I didn't check the recent comments, I was successful in making them understand that those CVE IDs were backported in the current maintained release, and thus they did a penetration test and approved it.

    Thanked by: yoursunny
  • If you have to explain that to your penetration testing team, you should get a new team, because they don't know what they're talking about.
