SSH upgrade for money?

lexxntu (New Member), Feb 26, 2023
To pass the next penetration test of my server, I must install SSH version 9.3 or newer. I currently have free Proxmox 8.1. It has SSH 9.2 installed, which does not satisfy PCI DSS today. May I know if a paid subscription will solve my problem? Perhaps there is a list of updates for which I will pay money?
 
May I know if a paid subscription will solve my problem?
No, the paid enterprise repo is always older and therefore more stable/better tested.

Perhaps there is a list of updates for which I will pay money?
No.

PVE 8.1 is based on a Debian 12 userland and a custom Ubuntu LTS-based kernel. So an option would be to add another Debian repo that is more up to date but then also not that reliable.
The Debian 12 "testing" repo for example got openssh 9.4: https://packages.debian.org/source/testing/openssh
 
Thanks for your reply! Perhaps you can tell me what repository line I need to add so that I receive updates and this does not harm Proxmox?
 
During a stable release lifecycle Debian normally back-ports fixes rather than updating the version. So the real question is whether the relevant CVEs are covered, not what the version number is. You can find those under /usr/share/doc/openssh-client/changelog.Debian.gz, and in there you will see this:

Code:
openssh (1:9.2p1-2+deb12u1) bookworm; urgency=medium

  * Cherry-pick from OpenSSH 9.3p2:
    - [CVE-2023-38408] Fix a condition where specific libraries loaded via
      ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
      execution via a forwarded agent socket (closes: #1042460).

 -- Colin Watson <cjwatson@debian.org>  Sat, 23 Sep 2023 23:11:33 +0100

For future reference, the problem with installing programs from testing as someone suggested is that it will diverge from the current stable release. In particular, things will start being built against newer libraries. And then you have dependency hell and your system will be a broken mess. But there is a way! The usual procedure for getting newer versions but built against stable libraries is https://backports.debian.org/

That all being said, there is currently no OpenSSH >= 9.3 in backports, it having only been out for a half year. Hopefully by the time the next audit arrives it will be available or your auditor will be satisfied with the changelog.

Hope this helps.
 
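One way to make the changelog check from the reply above repeatable, as an added example that is not part of the thread and is not Proxmox or Debian code: a small POSIX sh script that reads a package's Debian changelog, reports the packaged version, and tests whether a given CVE id is listed in it. The path convention /usr/share/doc/<pkg>/changelog.Debian.gz comes from the reply; the function names are my own, and the sample changelog is constructed from the entry quoted above so the script runs without a Debian host.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox/Debian: check whether a
# Debian package's changelog records a given CVE as fixed. This is the
# "is the CVE covered, not what the version number is" check from the reply,
# scripted so the evidence can be attached to an audit report.

# Emit a changelog's text whether it is gzip-compressed (as shipped under
# /usr/share/doc/<pkg>/changelog.Debian.gz) or a plain text file.
read_changelog() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Return 0 if the CVE id appears in the changelog, 1 if not, 2 if unreadable.
cve_in_changelog() {
    changelog="$1"
    cve="$2"
    [ -r "$changelog" ] || return 2
    read_changelog "$changelog" | grep -Fq -- "$cve"
}

# Debian package version of the top (current) changelog entry,
# e.g. 1:9.2p1-2+deb12u1 for the entry quoted in the thread.
changelog_version() {
    read_changelog "$1" | sed -n '1s/^[^ ]* (\([^)]*\)).*/\1/p'
}

# Print the changelog lines that mention the CVE, for the audit report.
cve_evidence() {
    read_changelog "$1" | grep -F -- "$2"
}

# Convenience wrapper for a live Debian/Proxmox host: pkg_cve_fixed openssh-server CVE-...
pkg_cve_fixed() {
    cve_in_changelog "/usr/share/doc/$1/changelog.Debian.gz" "$2"
}

# Constructed sample changelog, copied from the entry quoted in the thread,
# so the functions can be exercised offline.
make_sample_changelog() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
openssh (1:9.2p1-2+deb12u1) bookworm; urgency=medium

  * Cherry-pick from OpenSSH 9.3p2:
    - [CVE-2023-38408] Fix a condition where specific libraries loaded via
      ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
      execution via a forwarded agent socket (closes: #1042460).

 -- Colin Watson <cjwatson@debian.org>  Sat, 23 Sep 2023 23:11:33 +0100
EOF
    printf '%s\n' "$tmp"
}

# Demo on the constructed sample; the second CVE id is a constructed placeholder.
sample="$(make_sample_changelog)"
printf 'package version in changelog: %s\n' "$(changelog_version "$sample")"
for cve in CVE-2023-38408 CVE-0000-00000; do
    if cve_in_changelog "$sample" "$cve"; then
        printf '%s: listed as fixed\n' "$cve"
    else
        printf '%s: NOT listed in this changelog\n' "$cve"
    fi
done
rm -f "$sample"
```

On a real host the same check is `pkg_cve_fixed openssh-server CVE-2023-38408`, and `cve_evidence` on the corresponding changelog.Debian.gz gives the lines to quote to the auditor. The version string the script extracts is the Debian package version, which is exactly the number that does not change when a fix is back-ported; the CVE match is what shows the fix is present.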