RHEL 5.9 Requires OpenSSH 4.4+


Due to security concerns, I am being required to upgrade a RHEL 5.9 server to openssh 4.4+. The problem is I am not allowed to connect the machine directly to the internet. Where can I directly download the relevant rpm from a reliable location?

Responses

Assuming you have entitlements, you should just be able to pull the RPM from the Red Hat web site. Look under "Downloads" for "Red Hat Enterprise Linux", select the RHEL version you're looking for (5.9), then click on the Packages tab. You can search for "openssh" to find the latest-available OpenSSH package for RHEL 5.9.

Hi Alex,

The latest version of openssh for rhel 5 provided by Red Hat is openssh-4.3p2-82.el5.x86_64.rpm at this link with these dependencies.

I suspect you do not have a Red Hat satellite server available for this system...

It does not look like openssh 4.4 or above is available for RHEL 5 from Red Hat Inc.

Could you go to RHEL 6.5? It has version openssh-5.3p1-94.el6.x86_64.rpm.

Thank you for your suggestions. Unfortunately I am stuck on 5.9 even though I would dearly love to upgrade. Also, sadly, openssh 4.3.x has been deemed "unacceptable".

Alex, Red Hat often 'backports' fixes/features from higher-version open-source releases to their own versions. If you have a specific security concern, you can also open a case with Red Hat to address it (I've had to do this once in a while at the request of my own security folks). They are typically prompt to respond. I'd recommend against using an open-source version (like what you might find at rpmfind, etc., or the upstream open-source non-Red Hat location) when Red Hat has addressed CVEs in their RPMs.

ADDED: If you found something above/beyond what they have covered, you can tell the Red Hat Security Response team, even in confidence.

Kind Regards,

Alex,

Remmele is right with backports. RHEL 5 is still supported, so any security fixes will be backported to the RHEL 5 version of SSH, which will likely cover the concerns that any security auditor has (unless there are new feature requirements that this SSH doesn't provide).

Is there a security compliance standard / script you are running that is providing this failure? Or is it an internal security compliance/standard/request? Do you have any more specifics on exactly what the concern with 4.3 is?

Unfortunately your options in regards to support for 4.4 on RHEL 5.9 are fairly limited, especially if you roll/compile your own or use third-party repositories... something I would also advise against.

Alex, to add one more bit to PixelDrift's good bit above, you will have false positives on some findings from scanning tools. Ergo the backports.

I checked IAVAs (see spreadsheet) and current CVEs, and did not see anything recent regarding version 4.x for openssh. At the Red Hat CVE link, they have a HIGHLY USEFUL feature where you can filter by any keyword (like "openssh" or "ssh" for instance), and see all the relevant CVE responses from Red Hat for any given year.

Alex, if you are looking for the newer chroot sftp features listed in the upstream open-source (non-Red Hat open source project) for version 4.4, sftp chroot can be done, I believe, as of rhel 5.5, and Red Hat can help with this; contact support because you probably want discretion and privacy in the discussion. A couple of initial articles, here and here.

Kind Regards,
Remmele
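The replies above make the point that a scanner matching on the OpenSSH version banner will flag a backported RHEL 5 package as vulnerable even when the fix is present. The check an auditor can actually use is the package changelog, which on RHEL records the CVE ids a backport addresses. The script below is an added example, not something from the thread or from Red Hat; it wraps `rpm -q --changelog` when rpm is available and otherwise falls back to a constructed sample changelog whose CVE ids (CVE-0000-0001) and entry text are placeholders, since the thread names no specific CVE.

```shell
#!/bin/sh
# Constructed sample of what `rpm -q --changelog openssh` prints on RHEL 5.
# The package version/release (4.3p2-82) is the one named in the thread;
# the dates, maintainer, CVE ids and entry text are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2014 Example Maintainer <noreply@example.invalid> - 4.3p2-82
- fix for CVE-0000-0001 (placeholder id, constructed for this example)
- backported hardening from upstream 4.4 (constructed line)

* Tue Jun 01 2010 Example Maintainer <noreply@example.invalid> - 4.3p2-41
- add chroot support for the sftp subsystem (constructed line)'

# changelog_has_cve CHANGELOG_TEXT CVE_ID
# Returns 0 when the CVE id appears as a whole word in the changelog, 1 otherwise.
# -F: fixed string, -w: whole word (so CVE-0000-0001 does not match CVE-0000-00012).
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# report_cves CHANGELOG_TEXT CVE_ID...
# Prints one line per CVE and returns the number of ids not found in the changelog,
# so a non-zero exit means "open a support case", not "the package is vulnerable".
report_cves() {
    changelog="$1"; shift
    missing=0
    for cve in "$@"; do
        if changelog_has_cve "$changelog" "$cve"; then
            printf '%s: fix recorded in package changelog (backport)\n' "$cve"
        else
            printf '%s: not found in changelog; confirm with Red Hat support\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# installed_changelog PACKAGE
# Uses the real changelog of the installed package when rpm exists on this host,
# otherwise the constructed sample so the script runs anywhere.
installed_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Usage (placeholder ids): ./check_backports.sh CVE-0000-0001 CVE-0000-9999
if [ "$#" -gt 0 ]; then
    report_cves "$(installed_changelog openssh)" "$@"
fi
```

On a real RHEL 5 host the same check is `rpm -q --changelog openssh | grep -i CVE-XXXX-NNNN`; the script only adds the fallback and the per-id report so the result can be attached to an audit finding.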