Upgrade OpenSSH to 7.7p1 in CentOS 6

Last edited by Junyangz AT 2018-06-09 10:08:21

Install telnet and basic environment

  • Installation

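# Install the telnet fallback and the toolchain needed for the OpenSSL/OpenSSH
# source builds below.  yum takes space-separated package names: the original
# comma-joined argument ("gcc-c++,zlib,...") is looked up as a single,
# non-existent package and nothing gets installed.  The glob is quoted so the
# shell cannot expand it against files in the current directory first.
yum -y install 'telnet-server*' telnet
yum -y install gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel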
  • Enable telnet service

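# Enable telnet through xinetd as an out-of-band fallback while sshd is being
# replaced (the `rpm -e` of openssh-server in the next section stops sshd).
# Telnet carries credentials in cleartext: do this only on an isolated
# management network, restrict the service with xinetd's `only_from` directive
# and/or the host firewall, and remove the fallback again as soon as a login
# through the new sshd has been verified (see the commented securetty restore
# at the end of the OpenSSH section).
# Flip "disable = yes" to "disable = no" in the xinetd telnet service file.
sed -i 's/disable[[:space:]]*=[[:space:]]*yes/disable = no/' /etc/xinetd.d/telnet
# /etc/securetty lists the ttys root may log in on; moving it aside lets root
# log in over telnet.  Put it back once the upgrade is done.
mv /etc/securetty /etc/securetty.old
# Start xinetd now and at boot, so an unexpected reboot in the middle of the
# upgrade does not leave the host without any remote login path.
service xinetd start
chkconfig xinetd on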

Upgrade OpenSSL to 1.0.2o

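#!/bin/bash
# Copyright © 2018 Junyangz
#
# Build OpenSSL 1.0.2o from source into /usr/local/openssl on CentOS 6 and
# point /usr/bin/openssl and /usr/include/openssl at it, while keeping copies
# of the distro's libssl.so.10 / libcrypto.so.10 in place for the binaries
# that are linked against those sonames (yum, curl, the old sshd, ...).
#
# Expects openssl-1.0.2o.tar.gz in $HOME.  Verify the tarball against the
# upstream signature, or a checksum obtained out of band, BEFORE running this;
# the script only checks that the file exists.
#
# Runs as root and is destructive: the distro openssl RPMs are removed with
# --nodeps.  Any failure aborts, and the EXIT trap puts the saved .so.10
# copies back so dependants keep working even on a failed run.  Keep the
# telnet fallback available until `openssl version` reports 1.0.2o.
set -euo pipefail

readonly version=openssl-1.0.2o
readonly prefix=/usr/local/openssl
timestamp=$(date +%s)
readonly timestamp

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Rename a path to <path>-<timestamp> if it exists; silently skip otherwise.
stash() {
  local p=$1
  if [[ -e "$p" ]]; then
    mv -- "$p" "${p}-${timestamp}"
  fi
}

# Put the distro sonames back from this run's copies if they are missing.
# Using the explicit timestamp instead of a `libcrypto.so.10-*` glob matters:
# the glob also matches backups left by earlier runs, and `mv` with several
# sources and a single file target fails.
restore_libs() {
  local lib
  for lib in libcrypto.so.10 libssl.so.10; do
    if [[ ! -e "/usr/lib64/${lib}" && -e "/usr/lib64/${lib}-${timestamp}" ]]; then
      mv -- "/usr/lib64/${lib}-${timestamp}" "/usr/lib64/${lib}"
    fi
  done
  ldconfig
}
trap restore_libs EXIT

cd
[[ -f "${version}.tar.gz" ]] || die "${version}.tar.gz not found in ${PWD}"

# Backup the old OpenSSL.  The shared libraries are copied rather than moved:
# cp dereferences the libX.so.10 -> libX.so.1.0.1e symlink, so the copy is a
# real file that survives the `rpm -e` below.
cp -- /usr/lib64/libcrypto.so.10 "/usr/lib64/libcrypto.so.10-${timestamp}"
cp -- /usr/lib64/libssl.so.10 "/usr/lib64/libssl.so.10-${timestamp}"
stash /usr/bin/openssl
stash /usr/include/openssl
stash /usr/lib64/openssl/engines
stash /usr/lib64/openssl

# Remove the distro OpenSSL packages.  --nodeps is unavoidable because most of
# the system depends on them; the restored .so.10 copies keep those
# dependants working.
mapfile -t old_pkgs < <(rpm -qa | grep openssl || true)
if (( ${#old_pkgs[@]} )); then
  rpm -e --nodeps "${old_pkgs[@]}"
fi

# Compile and install the new OpenSSL; `make test` runs the upstream test
# suite and a failure there aborts before anything is installed.
tar zxvf "${version}.tar.gz"
cd "$version"
# NOTE(review): --openssldir=/etc/ssl makes the new binary look for openssl.cnf
# and CA certificates under /etc/ssl rather than the distro's /etc/pki/tls,
# and the reference output recorded below shows OPENSSLDIR under the prefix
# instead -- check `openssl version -a` and the CA bundle path after install.
./config --prefix="$prefix" --openssldir=/etc/ssl --shared zlib
make
make test
make install

ln -s "${prefix}/bin/openssl" /usr/bin/openssl
ln -s "${prefix}/include/openssl" /usr/include/openssl
# Register the new library directory exactly once; a re-run must not append a
# duplicate entry.
grep -qxF "${prefix}/lib" /etc/ld.so.conf || echo "${prefix}/lib" >> /etc/ld.so.conf
ldconfig

# Put the distro sonames back (the EXIT trap would do it too; doing it here
# keeps the success path explicit).
restore_libs
#ldconfig -v # for check
echo "OpenSSl version upgrades as to lastest:" && openssl version
#openssl version -a
# Reference output from the author's build:
# OpenSSL 1.0.2o 27 Mar 2018
# built on: reproducible build, date unspecified
# platform: linux-x86_64
# options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
# compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
#OPENSSLDIR: "/usr/local/openssl/ssl"
#echo "New version upgrades as to lastest:" && ssh -V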

Upgrade OpenSSH to 7.7p1

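#!/bin/bash
# Copyright © 2018 Junyangz
#
# Replace the CentOS 6 openssh RPMs with OpenSSH 7.7p1 built from source
# against the OpenSSL in /usr/local/openssl (previous section).
#
# Expects openssh-7.7p1.tar.gz in $HOME; verify its signature before running.
# Run this from the telnet fallback or the console rather than over the SSH
# session you are replacing: `rpm -e` of openssh-server stops the running
# sshd, and a `service sshd restart` at the end would kill the listener
# before the new binary can be started -- if that happens the service has to
# be started from the console.  Only `start` is used here for that reason.
#
# PERMIT_ROOT_LOGIN (default "yes", the original procedure's choice) is the
# value written to sshd_config.  "prohibit-password" (alias
# "without-password") keeps root reachable with keys only and is the upstream
# default since 7.0 -- prefer it unless password root login is really needed.
set -euo pipefail

readonly version=openssh-7.7p1
readonly prefix=/usr/local/openssh
readonly ssldir=/usr/local/openssl
readonly permit_root_login=${PERMIT_ROOT_LOGIN:-yes}
timestamp=$(date +%s)
readonly timestamp

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

cd
[[ -f "${version}.tar.gz" ]] || die "${version}.tar.gz not found in ${PWD}"

# Backup the old OpenSSH config directory and init script.
cp -R /etc/ssh "/etc/ssh-${timestamp}"
cp /etc/init.d/sshd "/etc/init.d/sshd-${timestamp}"

# Remove the distro openssh packages (client, server, clients, askpass ...).
mapfile -t old_pkgs < <(rpm -qa | grep openssh || true)
if (( ${#old_pkgs[@]} )); then
  printf '%s\n' "${old_pkgs[@]}"
  rpm -e --nodeps "${old_pkgs[@]}"
fi

tar zxvf "${version}.tar.gz"
cd "$version"
./configure --prefix="$prefix" --sysconfdir=/etc/ssh --with-ssl-dir="$ssldir"
make
make install

# contrib/redhat/sshd.init starts /usr/sbin/sshd, so expose the new binary
# there (the alternative is editing the SSHD= path in the init script).  Check
# the init script for other absolute paths, e.g. ssh-keygen, after install.
ln -sf "${prefix}/sbin/sshd" /usr/sbin/sshd

# Install the stock 7.7p1 config files and the RedHat init script.
cp ssh_config sshd_config moduli /etc/ssh/
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd

# Root login.  The sshd_config shipped with 7.7p1 carries the line as
# "#PermitRootLogin prohibit-password", so the original
# `s/#PermitRootLogin yes/PermitRootLogin yes/` never matched the file copied
# above.  Match the line whatever its current value and rewrite it whole, then
# confirm the result.
sed -i "s/^#*PermitRootLogin .*/PermitRootLogin ${permit_root_login}/" /etc/ssh/sshd_config
grep -q "^PermitRootLogin ${permit_root_login}\$" /etc/ssh/sshd_config \
  || die "PermitRootLogin was not set in /etc/ssh/sshd_config"

# Validate the config with the new binary before touching the service.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

# Enable at boot.
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list

# start, never restart (see header).
service sshd start
#service sshd restart
# Once a login through the new sshd has been verified from a second session,
# close the telnet fallback again:
#mv /etc/securetty.old /etc/securetty ##disable telnet login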

RPM

最终的批量更新采用 RPM 包的形式进行，RPM 的构建方法详见下一节 "Build OpenSSH RPM on CentOS 6.5"。

Build OpenSSH RPM on CentOS 6.5

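# Build OpenSSH 7.7p1 RPMs on CentOS 6.5 from the spec shipped in the
# upstream tarball (contrib/redhat/openssh.spec).
set -euo pipefail

yum install -y pam-devel rpm-build rpmdevtools zlib-devel openssl-devel krb5-devel gcc
mkdir -p ~/rpmbuild/SOURCES && cd ~/rpmbuild/SOURCES
# The mirror is fetched over plain http, so the signature check below is the
# only thing that authenticates the source.
wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz.asc
# Verify the tarball before it is unpacked and repacked.  The OpenSSH release
# signing key must already be in root's keyring, imported from a source you
# trust and cross-checked (not from a keyserver lookup inside this script);
# with set -e a bad or missing signature stops the build here.
gpg --verify openssh-7.7p1.tar.gz.asc openssh-7.7p1.tar.gz
# update the pam sshd from the one included on the system
# the default provided doesn't work properly on CentOS 6.5
tar zxvf openssh-7.7p1.tar.gz
cp /etc/pam.d/sshd openssh-7.7p1/contrib/redhat/sshd.pam
# The repacked tarball no longer matches the upstream signature; the .orig
# kept next to it is the verified reference.
mv openssh-7.7p1.tar.gz{,.orig}
tar zcpf openssh-7.7p1.tar.gz openssh-7.7p1
cd
tar zxvf ~/rpmbuild/SOURCES/openssh-7.7p1.tar.gz openssh-7.7p1/contrib/redhat/openssh.spec
# edit the specfile: no askpass sub-packages, BuildRequires spelling, and
# comment out the initscripts PreReq that breaks the build on this release.
cd openssh-7.7p1/contrib/redhat/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/PreReq: initscripts >= 5.00/#PreReq: initscripts >= 5.00/g" openssh.spec
rpmbuild -ba openssh.spec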

Batch update

For CentOS 6.5

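#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS2-CentOS 6.5 with OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
#
# Batch update: fetch the locally built 7.7p1 RPM bundle, upgrade with
# `rpm -U`, put the distro PAM config for sshd back, restart sshd.  The
# established SSH session survives the restart (only the listener is replaced).
#
# The bundle comes over plain http from an internal host and the RPMs are
# unsigned, so export RPMS_SHA256 (the bundle's sha256 taken on the build
# host) to make the download tamper-evident; without it only a warning is
# printed and the bundle is installed unverified.
set -euo pipefail

readonly bundle=openssh-7.7p1-RPMs.tar.gz
readonly bundle_url="http://10.27.5.118/${bundle}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

cd
# -p so a re-run does not fail the mkdir and then unpack into $HOME instead.
mkdir -p openssh && cd openssh
timestamp=$(date +%s)
if [[ ! -f "$bundle" ]]; then
  wget "$bundle_url"
fi
if [[ -n "${RPMS_SHA256:-}" ]]; then
  printf '%s  %s\n' "$RPMS_SHA256" "$bundle" | sha256sum -c - \
    || die "checksum mismatch for ${bundle}"
else
  printf 'warning: RPMS_SHA256 not set, %s is installed unverified\n' "$bundle" >&2
fi
tar zxvf "$bundle"

# Keep the distro's PAM stack: the saved copy is restored over whatever the
# new package installs.
cp /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
#rpm -e openssh-askpass-5.3p1-94.el6.x86_64
rpm -U *.rpm
#mv /etc/pam.d/sshd /etc/pamd.d/sshd_bak
# cp -f instead of `yes | cp`: under pipefail the SIGPIPE exit of `yes` would
# abort the script right after the package swap.
cp -f "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
/etc/init.d/sshd restart
# ssh -V prints to stderr; the original `$(ssh -V)` tried to execute its
# (empty) stdout as a command instead of just printing the version.
echo "New version upgrades as to lastest:" && ssh -V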
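#!/bin/bash
# Copyright © 2018 Junyangz
# fix error when openssh-askpass was installed.
#
# Re-runnable variant of the batch update for hosts where the first pass
# failed because openssh-askpass was installed; that package is removed first.
#
# HTTPD_LISTEN_IP must be set to the internal host serving the RPM bundle.
# The original `${httpd-listen-ip}` was not a placeholder to bash: it is a
# default-value expansion of the unset variable `httpd` and evaluates to the
# literal string "listen-ip".  RPMS_SHA256 (optional) is the bundle's sha256
# from the build host; without it the bundle is installed unverified.
set -euo pipefail

readonly bundle=openssh-7.7p1-RPMs.tar.gz

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Marker that the new RPMs are already installed on this host.
if [[ -f /etc/ssh/sshd_config.rpmnew ]]; then
  echo "New version upgrades as to lastest:" && ssh -V
  exit 0
fi
: "${HTTPD_LISTEN_IP:?set HTTPD_LISTEN_IP to the host serving ${bundle}}"

mkdir -p openssh && cd openssh
if [[ ! -f "$bundle" ]]; then
  wget "http://${HTTPD_LISTEN_IP}/${bundle}"
fi
if [[ -n "${RPMS_SHA256:-}" ]]; then
  printf '%s  %s\n' "$RPMS_SHA256" "$bundle" | sha256sum -c - \
    || die "checksum mismatch for ${bundle}"
else
  printf 'warning: RPMS_SHA256 not set, %s is installed unverified\n' "$bundle" >&2
fi

# Save the distro PAM config once.  The original `[ ! -f pam-ssh-conf-* ]`
# breaks as soon as a second backup exists (test gets two operands).
shopt -s nullglob
pam_backups=(pam-ssh-conf-*)
shopt -u nullglob
if (( ${#pam_backups[@]} == 0 )); then
  cp /etc/pam.d/sshd pam-ssh-conf-bak
  pam_backups=(pam-ssh-conf-bak)
fi

if [[ ! -f openssh-7.7p1-1.el6.x86_64.rpm ]]; then
  tar zxvf "$bundle"
fi
# Remove askpass first; `rpm -e` with an empty argument list would fail.
mapfile -t askpass < <(rpm -qa | grep openssh-askpass || true)
if (( ${#askpass[@]} )); then
  rpm -e --nodeps "${askpass[@]}"
fi
rpm -U *.rpm
# Restore the (first) saved PAM config; cp -f rather than `yes | cp`, which
# aborts under pipefail because `yes` dies of SIGPIPE.
cp -f "${pam_backups[0]}" /etc/pam.d/sshd
/etc/init.d/sshd restart
#cd
#rm -rf openssh
echo "New version upgrades as to lastest:" && ssh -V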

For CentOS 6.4

Update openssl first for CentOS 6.4: add openssl-1.0.1e-57.el6.x86_64.rpm and openssl-devel-1.0.1e-57.el6.x86_64.rpm to the RPM bundle (under openssl/) so the script below can install them before the OpenSSH packages.

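#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS1-CentOS 6.4 with OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
#
# CentOS 6.4 variant: the bundle also carries openssl/*.rpm, installed first
# because the 7.7p1 packages need the newer openssl.  The bundle is pushed to
# /tmp by ansible (see the commented command).  It is unpacked into a private
# mktemp directory instead of the fixed /tmp/openssh path: /tmp is world
# writable and any local user could pre-create that directory before the
# script runs as root.  RPMS_SHA256 (optional) is the bundle's sha256 from the
# build host; without it the bundle is installed unverified.
set -euo pipefail

readonly bundle=/tmp/openssh-7.7p1-RPMs.tar.gz

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

if [[ -f /etc/ssh/sshd_config.rpmnew ]]; then
  echo "New version upgrades as to lastest:" && ssh -V
  exit 0
fi
# ansible all -m copy -a "src=/root/openssh-update/openssh-7.7p1-RPMs.tar.gz dest=/tmp/openssh-7.7p1-RPMs.tar.gz force=yes"
[[ -f "$bundle" ]] || exit 1
if [[ -n "${RPMS_SHA256:-}" ]]; then
  printf '%s  %s\n' "$RPMS_SHA256" "$bundle" | sha256sum -c - \
    || die "checksum mismatch for ${bundle}"
else
  printf 'warning: RPMS_SHA256 not set, %s is installed unverified\n' "$bundle" >&2
fi

timestamp=$(date +%s)
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

tar zxvf "$bundle" -C "$workdir"
cd "${workdir}/openssh"
# openssl-devel blocks the openssl upgrade; drop it without dependency checks
# (an empty package list must not reach `rpm -e`).
mapfile -t devel < <(rpm -qa | grep openssl-devel || true)
if (( ${#devel[@]} )); then
  rpm -e --nodeps "${devel[@]}"
fi
# update openssl
rpm -U openssl/*.rpm
# backup the sshd PAM config, to be restored over the packaged one
cp /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
mapfile -t askpass < <(rpm -qa | grep openssh-askpass || true)
if (( ${#askpass[@]} )); then
  rpm -e --nodeps "${askpass[@]}"
fi
rpm -U *.rpm
# cp -f rather than `yes | cp`: the SIGPIPE exit of `yes` trips pipefail.
cp -f "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
/etc/init.d/sshd restart
cd
# The work directory is removed by the EXIT trap; drop the bundle as well.
rm -f -- "$bundle"
echo "New version upgrades as to lastest:" && ssh -V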

整个升级过程不会中断已建立的 ssh 连接(restart 只替换监听进程),但升级后 sshd 7.7 的 PermitRootLogin 默认值为 prohibit-password(OpenSSH 7.0 起的上游默认),即禁止 root 密码登录,密钥登录仍然可用。如确需重新开启 root 密码登录,需修改 /etc/ssh/sshd_config 后重启 sshd;从安全角度建议保留默认值,改用密钥登录或普通用户加 sudo。

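# Re-enable root password login only if it is really required; the default
# "prohibit-password" (alias "without-password") keeps key-based root login
# working and is the safer choice.  The pattern matches the line whatever the
# current file says -- "#PermitRootLogin yes" in a retained CentOS 6 config,
# "#PermitRootLogin prohibit-password" in a fresh 7.7p1 one -- so the edit
# takes effect in both cases; the original `#PermitRootLogin yes` pattern only
# matched the former.
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin yes$' /etc/ssh/sshd_config || exit 1
/etc/init.d/sshd restart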

附PermitRootLogin参数解释:

PermitRootLogin yes #允许root用户以 sshd_config 中启用的任何认证方式登录(不止密码和公钥两种,还包括 keyboard-interactive、GSSAPI、hostbased 等)
PermitRootLogin without-password #禁止root使用密码和 keyboard-interactive 认证,公钥等其他方式仍可登录;OpenSSH 7.0 起写作 prohibit-password(without-password 为兼容别名),并且是默认值
PermitRootLogin no #不允许root用户以任何认证方式登录

Summary

目前已批量更新了虚拟机集群,待测试稳定无问题后再升级物理机集群。(后续更新:集群所有机器均已更新完成。)