Friday, March 6, 2009

Upgrading old Ubuntu LTS server's ssh

A minor Ubuntu annoyance today. I have an old Ubuntu LTS server that tripped a Nessus scan because the OpenSSH version was too old.

I did an apt-get upgrade, but the ssh packages wouldn't upgrade, failing with this error...

root@bna-fw1:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
linux-image-server openssh-client openssh-server


I checked the /etc/apt directories looking for some reason why it was held back, to no avail. Then I checked dpkg -l openssh-server, but the package wasn't marked as held either. Then I gave up and googled it. As it turns out, upgrading ssh requires you to install the oops-sorry-we-made-ssh-unsecure-won't-happen-again package, openssh-blacklist, and apt-get "upgrade" can't install a new package. This seems like an open manhole waiting to swallow any sysadmin who blindly trusts apt-get upgrade for updates.

The command to fix it and upgrade openssh-server/client is...

apt-get install openssh-blacklist



-ellie
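
One way to catch the "kept back" case described above before a scanner does. This is an added example, not part of the original post; the function names, the watch list and the sample text (the post's output with apt's usual two-space indent and a constructed summary line) are assumptions.

```shell
#!/bin/sh
# Flag security-relevant packages that `apt-get upgrade` silently keeps back.
# Live use (simulation only, nothing is changed on the host):
#   LC_ALL=C apt-get -s upgrade | check_kept_back "openssh-server openssh-client"

# Constructed sample input, based on the output shown in the post.
SAMPLE='Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  linux-image-server openssh-client openssh-server
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

# kept_back: read apt-get output on stdin, print one kept-back package per line.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        # Package names sit on indented lines right after the header.
        grab && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        # Any non-indented line ends the list.
        { grab = 0 }
    '
}

# check_kept_back "pkg1 pkg2 ...": read apt-get output on stdin; if any
# watched package is kept back, print the offenders and return 1.
check_kept_back() {
    watch="$1"
    hits=""
    for pkg in $(kept_back); do
        case " $watch " in
            *" $pkg "*) hits="$hits $pkg" ;;
        esac
    done
    if [ -n "$hits" ]; then
        echo "kept back:$hits"
        return 1
    fi
    return 0
}

# Demo on the constructed sample; prints:
#   kept back: openssh-client openssh-server
printf '%s\n' "$SAMPLE" | check_kept_back "openssh-server openssh-client" || true
```
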
