Re: Upgrade openssl .deb? or purge old ver and install new?
Well,
I vote for wipe both clean, 'apt-get install' Woody's openssl-0.9.5a and
build openssh-2.1.1p4 from source tomorrow morning.
montefin looks at all the votes.
Er...vote.
Hmmmm. I won!
Somebody stop me!
montefin
montefin wrote:
>
> Hi,
>
> Just hoping for a little guidance before I upgrade both ssl and ssh.
>
> With a new (Potato-based, linux-2.2.16) firewall in place between my
> SDSL connection and my internal network, I now want to open a secure
> telnet connection (port 22) to and from the outside, and to close the
> regular telnet connection (port 23).
>
> To accomplish that, I've downloaded openssh-2.1.1p4 from
> http://www.openssh.com/. Since that requires openssl-9.9.5a, I also
> added http://non-us.debian.org/debian-non-US woody/non-US main contrib
> non-free to my /etc/apt/sources.list so I can apt-get it.
>
> Currently, I have openssh-1.2.3-8, openssl-0.9.4-5, apache-ssl, and
> apache-perl on the firewall -- all installed via apt-get.
>
> I've run 3 apt-get simulations:
>
> 1.) apt-get --simulate install openssl -- which says it will upgrade
> openssl and add 1 required library, libssl095a.
>
> 2.) apt-get --simulate remove openssl -- which says it will remove
> apache-perl, apache-ssl and openssl, and install php3, apache-dev and
> apache-common.
>
> 3.) apt-get --simulate remove ssh -- which says it will just remove ssh.
>
> The only fly in the ointment (that I can see) is that I accepted the
> default expiration on the temporary certificate I made for apache-ssl
> back in April, so it has expired.
>
> ---> Okay, here's my question(s): Since there is no .deb file (AFAICT)
> for openssh-2.1.1p4, I'm going to have to apt-get remove (or dpkg
> --purge) ssh anyway and install the new version from source. Would there
> be any advantage to going to the extra trouble of removing/purging and
> re-installing openssl, apache-ssl and apache-perl? Besides, that is,
> getting the opportunity to create new certificates and keys now that I
> know a little more about how to do that? Of course, if the openssl
> upgrade gave me the same opportunity, that would clinch it for me.
>
> And one bug-a-boo, I _know_ I have seen a version of the openssl tookit
> saying it _includes_ the ssh functionalities, but for the life of me I
> can't re-locate that source. Was I dreaming?
>
> Any guidance would be vastly appreciated -- especially if there are
> better, simpler ways to go about updating the security features on the
> firewall which, btw, is a 486DX, 64Mb RAM, 514Mb HDD machine running
> Potato on a 2.2.16 kernel (with vague notions of bumping up to
> 2.4.0-test5, which is humming along nicely on my P II box, because I
> _love_ them iptables).
>
> Thanks in advance for any help, and for your patience with
>
> montefin
>
Reply to: