I have a Debian 8 server for a customer that is failing a PCI scan, presumably running: nmap -p 22 -sV customer.edu

which returns

22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7

This should be easy, given my /etc/apt/sources.list is this:

deb http://mirror.rackspace.com/debian jessie main
deb-src http://mirror.rackspace.com/debian jessie main
deb http://mirror.rackspace.com/debian-security/ jessie/updates main
deb-src http://mirror.rackspace.com/debian-security/ jessie/updates main
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-backports main
deb http://security.debian.org/ jessie/updates main contrib non-free

sudo apt-get upgrade openssh-server returns:

Calculating upgrade... openssh-server is already the newest version.

Is there a better way to get the latest OpenSSH server?

I attempted to download it and install its OpenSSL 1.0.2-stable dependency in /usr/local/, but I am having serious trouble with it failing.

Are my choices to find a better source in apt-get, or attempt to install it and its OpenSSL dependency in /usr/local and manually point systemctl to those binaries?

sam452
  • You probably should be looking at upgrading to stretch. – Zoredache Feb 19 '19 at 23:24
  • From what I researched, an in-place upgrade is not advised, but rather a new Debian stretch install and migrate our apps to it. Would you agree? – sam452 Feb 20 '19 at 10:55
  • Depends on what you are running and how well managed the system is. I have upgraded some systems in place without issue. Though I also have well-tested backup systems and can easily revert if things go wrong. – Zoredache Feb 20 '19 at 17:39

1 Answer

failing a PCI scan

Document for your auditor the version of the package installed. Reference security updates regarding OpenSSH, in this case from Debian. Possibly cross-reference relevant CVEs.

Parsing a version number is fragile. Stable distros generally do not upgrade the version, but apply their own patches.

John Mahowald
  • Yes, this release resolves most of the PCI scan. Except one failure reports "SSH server is using a small public key". Searching suggests this was an issue prior to OpenSSH 7. Since your link is listing vulnerabilities, it's unclear if patches have resolved this complaint? – sam452 Feb 20 '19 at 14:36
  • That is for you to determine by comparing the rationale from the audit to the changelog and patches of the openssh package you are using. If you have issues with this, ask another question. – John Mahowald Feb 21 '19 at 21:38
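The answer's point, that a stable distro keeps the upstream version string and backports fixes, is why the evidence for an auditor has to come from the package changelog rather than from the banner nmap reports. The following is an added example (not from the question, the answer, or Debian's own tooling) that parses a Debian changelog and answers "does the installed package version already carry the entry that fixed this CVE?" by relying on the file's newest-first ordering. The changelog text and the CVE identifiers in it are constructed placeholders, not real entries or real CVEs.

```python
import re

# Constructed sample in Debian changelog format. It is NOT the real openssh
# changelog, and the CVE-0000-* ids are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=high

  * Backport fix for CVE-0000-0003 (placeholder id).

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000

openssh (1:6.7p1-5+deb8u6) jessie-security; urgency=high

  * Backport fixes for CVE-0000-0001 and CVE-0000-0002 (placeholder ids).

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2017 00:00:00 +0000

openssh (1:6.7p1-5) unstable; urgency=medium

  * New upstream release.

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2016 00:00:00 +0000
"""

# An entry header starts at column 0: "<source> (<version>) <dist>; ..."
# Body and trailer lines are indented, so they never match.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, {cve, ...}), ...] in file order (newest first)."""
    entries = []
    matches = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]  # everything up to the next entry header
        entries.append((m.group(2), set(CVE_RE.findall(body))))
    return entries


def cve_fixed_in(entries, installed_version, cve):
    """True if the entry that mentions `cve` is at or older than the entry
    for installed_version. Uses the changelog's newest-first ordering, so
    no Debian version-string comparison is needed."""
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    installed_idx = versions.index(installed_version)
    for idx, (_, cves) in enumerate(entries):
        if cve in cves:
            return idx >= installed_idx  # fix entry is this version or older
    return False  # CVE never mentioned: not demonstrably fixed
```

On a real host the two inputs come from `dpkg-query -W -f='${Version}' openssh-server` and `zcat /usr/share/doc/openssh-server/changelog.Debian.gz`; the resulting version plus the matching changelog entry is the record to hand to the auditor.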