2001-Nov-21

Updated openssl and openssh on old 1.4.2 server (due to bad openssh). I noticed a /sshd.core dump, but I don't think the system has been compromised. (The old version was fixed over a year ago, but lately a lot of exploits have been announced.)

A few days ago, I had tried to manually change the openssl and openssh pkgsrc to update them but had problems. Today, I ftp'd the latest pkgsrc tarball and extracted it. (It took a long time to extract.) Then, I did a "make update" under security/openssh. I had to first install the new pkg tools (which included digest). Then, I had to allow the commercial openssl license. Strangely, the openssh package tried to get installed twice -- the second time it aborted, saying I should delete it first -- but it was the same version!

To configure it, I ran the startup shell script that generated a few files. Plus I had to add HostKey entries to the config for the new protocol 2 keys.