# Upgrade OpenSSH to 7.7p1 in CentOS 6

Last edited by Junyangz AT 2018-06-09 10:08:21

## Install telnet and basic environment

* Installation

```bash
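# Telnet is only the temporary fallback login path while sshd is replaced;
# /etc/securetty is moved back at the end of the OpenSSH upgrade to close it again.
yum -y install 'telnet-server*' telnet
# yum takes space-separated package names; the comma-joined list was one (unknown) package.
yum -y install gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel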
```

* Enable telnet service

```bash
# Commands below are shown at a root prompt; run them as root.
# vi /etc/xinetd.d/telnet
#   change the "disable" field from yes to no to enable the telnet service
# mv /etc/securetty /etc/securetty.old    # allow root to log in over telnet (moved back after the upgrade)
# service xinetd start                    # start the telnet service
# chkconfig xinetd on                     # start telnet at boot, so the host stays reachable if it reboots unexpectedly mid-upgrade
```

## Upgrade OpenSSL to 1.0.2o

```bash
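#!/bin/bash
# Copyright © 2018 Junyangz
# Build OpenSSL 1.0.2o from source into /usr/local/openssl and make it the
# system "openssl", while keeping the distro's libcrypto/libssl .so.10 files so
# binaries already linked against them (yum, the old sshd, ...) keep working.
# Run as root with openssl-1.0.2o.tar.gz in $HOME.
set -euo pipefail

cd
timestamp=$(date +%s)
readonly timestamp
readonly tarball=openssl-1.0.2o.tar.gz
readonly srcdir=openssl-1.0.2o

[ -f "$tarball" ] || { echo "missing $tarball in $PWD" >&2; exit 1; }
# NOTE(review): the tarball is not integrity-checked here; compare its checksum
# or signature with the OpenSSL release announcement before running this.

# Back up the old OpenSSL. The two .so.10 copies are moved back below.
cp -- /usr/lib64/libcrypto.so.10 "/usr/lib64/libcrypto.so.10-${timestamp}"
cp -- /usr/lib64/libssl.so.10 "/usr/lib64/libssl.so.10-${timestamp}"
mv -- /usr/bin/openssl "/usr/bin/openssl-${timestamp}"
mv -- /usr/include/openssl "/usr/include/openssl-${timestamp}"
mv -- /usr/lib64/openssl/engines "/usr/lib64/openssl/engines-${timestamp}"
mv -- /usr/lib64/openssl "/usr/lib64/openssl-${timestamp}"

# Remove the old OpenSSL rpm packages (every package whose name contains
# "openssl"). --nodeps leaves dependants installed; they keep working because
# the .so.10 files are restored at the end. grep exits 1 when nothing matches,
# which must not abort the script under pipefail.
old_pkgs=$(rpm -qa | grep openssl || true)
if [ -n "$old_pkgs" ]; then
  printf '%s\n' "$old_pkgs" | xargs -r rpm -e --nodeps
fi

# Compile and install the new OpenSSL; a failing `make test` aborts the script.
tar zxf "$tarball"
cd "$srcdir"
./config --prefix=/usr/local/openssl --openssldir=/etc/ssl --shared zlib
make
make test
make install
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl

# Register the new library directory once; re-running must not append duplicates.
grep -qxF /usr/local/openssl/lib /etc/ld.so.conf \
  || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig

# Put the distro .so.10 files back for already-linked binaries. Use the exact
# backup names: a glob would turn into a multi-source mv after a second run.
mv -- "/usr/lib64/libcrypto.so.10-${timestamp}" /usr/lib64/libcrypto.so.10
mv -- "/usr/lib64/libssl.so.10-${timestamp}" /usr/lib64/libssl.so.10
#ldconfig -v # for check
echo "OpenSSl version upgrades as to lastest:" && openssl version
#openssl version -a
# OpenSSL 1.0.2o  27 Mar 2018
# built on: reproducible build, date unspecified
# platform: linux-x86_64
# options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
# compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
#OPENSSLDIR: "/usr/local/openssl/ssl"
#echo "New version upgrades as to lastest:" && ssh -V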
```

## Upgrade OpenSSH to 7.7p1

```bash
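# Build OpenSSH 7.7p1 from source against /usr/local/openssl and replace the
# distro openssh packages. Run as root with openssh-7.7p1.tar.gz in $HOME, from
# the telnet/console session: the rpm removal below takes the old sshd with it.
set -euo pipefail

cd
timestamp=$(date +%s)
readonly timestamp
readonly tarball=openssh-7.7p1.tar.gz
[ -f "$tarball" ] || { echo "missing $tarball in $PWD" >&2; exit 1; }
# NOTE(review): verify the tarball against its .asc signature before this point.

# Back up the old OpenSSH config directory and init script.
cp -R -- /etc/ssh "/etc/ssh-${timestamp}"
cp -- /etc/init.d/sshd "/etc/init.d/sshd-${timestamp}"

# List and remove the distro openssh packages (grep exits 1 if none are installed).
old_pkgs=$(rpm -qa | grep openssh || true)
if [ -n "$old_pkgs" ]; then
  printf '%s\n' "$old_pkgs"
  printf '%s\n' "$old_pkgs" | xargs -r rpm -e --nodeps
fi

tar zxf "$tarball"
cd openssh-7.7p1
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh \
  --with-ssl-dir=/usr/local/openssl
make
make install

# contrib/redhat/sshd.init starts /usr/sbin/sshd, which rpm -e just removed;
# point that path at the new binary (the alternative is editing the init script).
[ -e /usr/sbin/sshd ] || ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# Install the upstream config files; the previous ones are kept in /etc/ssh-${timestamp}.
cp -- ssh_config /etc/ssh/
cp -- sshd_config /etc/ssh/
cp -- moduli /etc/ssh/

# Install the init script into /etc/init.d. Depending on the install prefix,
# the sshd path inside it may need adjusting.
cp -- contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd

# Start at boot.
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list

# Permit root login. The 7.7p1 sample sshd_config ships the directive as
# "#PermitRootLogin prohibit-password", so the old "#PermitRootLogin yes"
# pattern never matched; rewrite whatever the line currently says.
# "without-password" instead of "yes" keeps root limited to key-based login.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config

# Validate the final config before touching the service; a failure aborts here.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

# Start the SSH service. Never "restart": restart drops the connection and the
# service would then have to be started from the console.
service sshd start
#service sshd restart

#mv /etc/securetty.old /etc/securetty ##disable telnet login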
```

## RPM

最终批量更新使用RPM包的形式来进行[详情参考](https://github.com/Junyangz/upgrade-openssh-7.7p1-CentOS)。

### Build OpenSSH RPM on CentOS 6.5

```bash
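# Build the OpenSSH 7.7p1 RPMs on CentOS 6.5 from the spec shipped in the tarball.
set -euo pipefail

yum install -y pam-devel rpm-build rpmdevtools zlib-devel openssl-devel krb5-devel gcc
mkdir -p ~/rpmbuild/SOURCES && cd ~/rpmbuild/SOURCES

wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz.asc
# Verify the detached signature now, before the archive is unpacked and repacked
# below (the repacked archive no longer matches it). The OpenSSH release signing
# key must already be in root's gpg keyring for this to succeed.
gpg --verify openssh-7.7p1.tar.gz.asc openssh-7.7p1.tar.gz

# Replace the bundled PAM file with the one already on the system; the default
# provided does not work properly on CentOS 6.5. The pristine archive is kept as .orig.
tar zxf openssh-7.7p1.tar.gz
cp -- /etc/pam.d/sshd openssh-7.7p1/contrib/redhat/sshd.pam
mv openssh-7.7p1.tar.gz{,.orig}
tar zcpf openssh-7.7p1.tar.gz openssh-7.7p1
cd
# Extract only the spec file, then adapt it to this host.
tar zxf ~/rpmbuild/SOURCES/openssh-7.7p1.tar.gz openssh-7.7p1/contrib/redhat/openssh.spec
cd openssh-7.7p1/contrib/redhat/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
# If the build fails because of the following line, comment it out.
sed -i -e "s/PreReq: initscripts >= 5.00/#PreReq: initscripts >= 5.00/g" openssh.spec
rpmbuild -ba openssh.spec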
```

### Batch update

### For CentOS 6.5

```bash
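#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS2-CentOS 6.5 with OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
# Batch upgrade to the locally built openssh-7.7p1 RPMs fetched from the
# internal web server, keeping the host's /etc/pam.d/sshd across the upgrade.
# Optional: export OPENSSH_RPMS_SHA256=<sha256 of openssh-7.7p1-RPMs.tar.gz>
# to have the download verified before it is unpacked.
set -euo pipefail

cd
mkdir -p openssh && cd openssh
timestamp=$(date +%s)
readonly timestamp
readonly tarball=openssh-7.7p1-RPMs.tar.gz

if [ ! -f "$tarball" ]; then wget "http://10.27.5.118/${tarball}"; fi
# The archive arrives over plain HTTP from an internal host; check it against
# the expected digest whenever one is supplied.
if [ -n "${OPENSSH_RPMS_SHA256:-}" ]; then
  printf '%s  %s\n' "$OPENSSH_RPMS_SHA256" "$tarball" | sha256sum -c -
fi
tar zxf "$tarball"

# Save the PAM config; rpm -U replaces it with the package's sshd.pam.
cp -- /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
#rpm -e openssh-askpass-5.3p1-94.el6.x86_64
rpm -U ./*.rpm
#mv /etc/pam.d/sshd /etc/pamd.d/sshd_bak
# cp -f does what `yes | cp` did without piping answers into cp.
cp -f -- "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
#sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config
/etc/init.d/sshd restart
# `$(ssh -V)` tried to execute ssh's output as a command; just run it.
echo "New version upgrades as to lastest:" && ssh -V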
```

```bash
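#!/bin/bash
# Copyright © 2018 Junyangz
# fix error when openssh-askpass was installed.
# Re-runnable follow-up to the CentOS 6.5 batch script: removes openssh-askpass
# (which blocks the upgrade), then applies the RPMs. Exits early once the
# upgrade has happened (rpm -U leaves /etc/ssh/sshd_config.rpmnew behind).
# Requires HTTPD_LISTEN_IP (internal web server hosting the tarball) when the
# tarball is not yet present; OPENSSH_RPMS_SHA256 optionally verifies it.
set -euo pipefail

if [ -f /etc/ssh/sshd_config.rpmnew ]; then
    echo "New version upgrades as to lastest:" && ssh -V
    exit 0
fi

cd openssh
readonly tarball=openssh-7.7p1-RPMs.tar.gz
if [ ! -f "$tarball" ]; then
  # The original "${httpd-listen-ip}" was a default-value expansion that
  # produced the literal string "listen-ip", not a placeholder.
  wget "http://${HTTPD_LISTEN_IP:?set to the web server that hosts ${tarball}}/${tarball}"
fi
if [ -n "${OPENSSH_RPMS_SHA256:-}" ]; then
  printf '%s  %s\n' "$OPENSSH_RPMS_SHA256" "$tarball" | sha256sum -c -
fi

# Reuse an existing PAM backup or create one. A bare glob inside [ -f ] fails
# with "binary operator expected" as soon as two backups exist.
shopt -s nullglob
pam_backups=(pam-ssh-conf-*)
shopt -u nullglob
if [ "${#pam_backups[@]}" -eq 0 ]; then
  cp -- /etc/pam.d/sshd pam-ssh-conf-bak
  pam_backups=(pam-ssh-conf-bak)
fi
if [ ! -f openssh-7.7p1-1.el6.x86_64.rpm ]; then tar zxf "$tarball"; fi

# rpm -qa accepts a glob, so an empty match runs no rpm -e at all.
rpm -qa 'openssh-askpass*' | xargs -r rpm -e --nodeps
rpm -U ./*.rpm
cp -f -- "${pam_backups[0]}" /etc/pam.d/sshd
/etc/init.d/sshd restart
#cd
#rm -rf openssh
echo "New version upgrades as to lastest:" && ssh -V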
```

### For CentOS 6.4

> Update openssl first for CentOS 6.4 (add openssl-1.0.1e-57.el6.x86\_64.rpm and openssl-devel-1.0.1e-57.el6.x86\_64.rpm for update)

```bash
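#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS1-CentOS 6.4 with OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
# CentOS 6.4 first needs the openssl/openssl-devel RPMs (bundled in the archive
# under openssh/openssl/) before the openssh 7.7p1 RPMs install. The archive is
# pushed to /tmp beforehand (see the ansible line below).
set -euo pipefail

if [ -f /etc/ssh/sshd_config.rpmnew ]; then
    echo "New version upgrades as to lastest:" && ssh -V
    exit 0
fi
cd /tmp/
# ansible all -m copy -a "src=/root/openssh-update/openssh-7.7p1-RPMs.tar.gz dest=/tmp/openssh-7.7p1-RPMs.tar.gz force=yes"
readonly tarball=openssh-7.7p1-RPMs.tar.gz
if [ ! -f "$tarball" ]; then
  echo "missing /tmp/${tarball}" >&2
  exit 1
fi
timestamp=$(date +%s)
readonly timestamp
tar zxf "$tarball"
cd openssh
# Drop the old openssl-devel first; rpm -qa takes a glob, so nothing matched means no rpm -e.
rpm -qa 'openssl-devel*' | xargs -r rpm -e --nodeps
# update openssl
rpm -U ./openssl/*.rpm
# backup the sshd PAM config; rpm -U replaces it with the package's file
cp -- /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
rpm -qa 'openssh-askpass*' | xargs -r rpm -e --nodeps
rpm -U ./*.rpm
cp -f -- "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
/etc/init.d/sshd restart
cd
rm -rf /tmp/openssh "/tmp/${tarball}"
# `$(ssh -V)` tried to execute ssh's output as a command; just run it.
echo "New version upgrades as to lastest:" && ssh -V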
```

整个升级过程不会中断ssh连接，但这种升级方式会禁止root密码登录，如需开启需修改/etc/ssh/sshd\_config文件后重启sshd。

```bash
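# Re-enable root password login (the upgraded sshd leaves the old commented
# "#PermitRootLogin yes" inactive). "without-password" keeps root to key auth only.
sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config
# Validate before restarting: restarting on a bad config leaves sshd down.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config && /etc/init.d/sshd restart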
```

附PermitRootLogin参数解释：

```bash
PermitRootLogin yes                   # root may log in with any authentication method (apparently just two apply: password and public key)
PermitRootLogin without-password      # root may log in only with public-key authentication ("prohibit-password" is the newer spelling of the same value)
PermitRootLogin no                    # root may not log in by any authentication method
```

## Summary

~~目前已批量更新了虚拟机集群，待测试稳定无问题后再升级物理机集群。~~ 已更新完集群所有机器。


