Well, I vote for wipe both clean, 'apt-get install' Woody's openssl-0.9.5a and build openssh-2.1.1p4 from source tomorrow morning.
montefin looks at all the votes. Er...vote. Hmmmm. I won! Somebody stop me!

montefin

montefin wrote:
>
> Hi,
>
> Just hoping for a little guidance before I upgrade both ssl and ssh.
>
> With a new (Potato-based, linux-2.2.16) firewall in place between my
> SDSL connection and my internal network, I now want to open a secure
> telnet connection (port 22) to and from the outside, and to close the
> regular telnet connection (port 23).
>
> To accomplish that, I've downloaded openssh-2.1.1p4 from
> http://www.openssh.com/. Since that requires openssl-9.9.5a, I also
> added http://non-us.debian.org/debian-non-US woody/non-US main contrib
> non-free to my /etc/apt/sources.list so I can apt-get it.
>
> Currently, I have openssh-1.2.3-8, openssl-0.9.4-5, apache-ssl, and
> apache-perl on the firewall -- all installed via apt-get.
>
> I've run 3 apt-get simulations:
>
> 1.) apt-get --simulate install openssl -- which says it will upgrade
> openssl and add 1 required library, libssl095a.
>
> 2.) apt-get --simulate remove openssl -- which says it will remove
> apache-perl, apache-ssl and openssl, and install php3, apache-dev and
> apache-common.
>
> 3.) apt-get --simulate remove ssh -- which says it will just remove ssh.
>
> The only fly in the ointment (that I can see) is that I accepted the
> default expiration on the temporary certificate I made for apache-ssl
> back in April, so it has expired.
>
> ---> Okay, here's my question(s): Since there is no .deb file (AFAICT)
> for openssh-2.1.1p4, I'm going to have to apt-get remove (or dpkg
> --purge) ssh anyway and install the new version from source. Would there
> be any advantage to going to the extra trouble of removing/purging and
> re-installing openssl, apache-ssl and apache-perl? Besides, that is,
> getting the opportunity to create new certificates and keys now that I
> know a little more about how to do that? Of course, if the openssl
> upgrade gave me the same opportunity, that would clinch it for me.
>
> And one bug-a-boo, I _know_ I have seen a version of the openssl toolkit
> saying it _includes_ the ssh functionalities, but for the life of me I
> can't re-locate that source. Was I dreaming?
>
> Any guidance would be vastly appreciated -- especially if there are
> better, simpler ways to go about updating the security features on the
> firewall which, btw, is a 486DX, 64Mb RAM, 514Mb HDD machine running
> Potato on a 2.2.16 kernel (with vague notions of bumping up to
> 2.4.0-test5, which is humming along nicely on my P II box, because I
> _love_ them iptables).
>
> Thanks in advance for any help, and for your patience with
>
> montefin
>
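The three `apt-get --simulate` runs in the quoted message are the right instinct: a dry run shows what a removal would drag out with it (simulation 2 takes apache-ssl and apache-perl along with openssl). The script below is an added example, not code from this thread, that turns that manual reading of the simulation output into a check: it scans the `Remv` lines of an `apt-get --simulate` run and refuses to proceed if any package you still need on the firewall would be removed. The `Remv`/`Inst` line format and the sample simulation text are assumptions constructed for the example; the protected package list is the poster's apache-ssl and apache-perl.

```shell
#!/bin/sh
# Added example (not from the original thread): gate a package removal on
# the output of an apt-get simulation, refusing to proceed if a package you
# still need (here apache-ssl and apache-perl, which the poster relies on)
# would be removed. The "Remv <pkg> [<ver>]" line shape is an assumption.

# Packages that must survive the upgrade; adjust to taste.
PROTECTED="apache-ssl apache-perl"

# removals_from_simulation: read apt-get --simulate output on stdin and
# print the package name from every "Remv" line, one per line.
removals_from_simulation() {
    awk '$1 == "Remv" { print $2 }'
}

# check_protected: read simulation output on stdin; print the protected
# packages that would be removed (space separated); return 1 if there are
# any, 0 if the removal leaves every protected package in place.
check_protected() {
    removed=$(removals_from_simulation)
    hits=""
    for pkg in $PROTECTED; do
        for r in $removed; do
            [ "$r" = "$pkg" ] && hits="$hits $pkg"
        done
    done
    hits=$(printf '%s' "$hits" | sed 's/^ *//')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample of what 'apt-get --simulate remove openssl' might print
# (simulation 2 in the post); versions and wording are made up for the demo.
SIM_REMOVE_OPENSSL='Reading Package Lists...
Remv apache-perl [1.3.9-13]
Remv apache-ssl [1.3.9.13-2]
Remv openssl [0.9.4-5]
Inst php3 (3.0.16-2 Debian:2.2r0)
Inst apache-dev (1.3.9-13 Debian:2.2r0)
Inst apache-common (1.3.9-13 Debian:2.2r0)'

# Constructed sample for 'apt-get --simulate remove ssh' (simulation 3).
SIM_REMOVE_SSH='Reading Package Lists...
Remv ssh [1.2.3-8]'

# Demonstration on the constructed samples. On a live box you would pipe the
# real simulation in instead:
#   apt-get --simulate remove openssl | check_protected || echo "aborting"
if printf '%s\n' "$SIM_REMOVE_OPENSSL" | check_protected >/dev/null; then
    echo "remove openssl: nothing protected is touched"
else
    echo "remove openssl: would drop protected packages, do not run it for real"
fi
if printf '%s\n' "$SIM_REMOVE_SSH" | check_protected >/dev/null; then
    echo "remove ssh: nothing protected is touched"
fi
```

The same gate works for the `install openssl` simulation: an upgrade that pulls in a new library is fine, but an upgrade whose plan contains a `Remv` line for a package you serve from the firewall is the case to stop and look at before it runs for real.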