
How to upgrade openssh in Linux operating system

2025-02-24 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article walks through how to upgrade OpenSSH on the Linux operating system, step by step. I hope you get something out of reading it.

Introduction

Red Hat Enterprise Linux 6.9 ships with OpenSSH_5.3p1. For audit and security reasons, it is recommended to upgrade to the latest OpenSSH version, which is 7.4p1 on the official website. This document details the complete steps of the OpenSSH upgrade. Note that although the upgrade involves uninstalling zlib, openssl, and openssh, it does not disconnect the current ssh remote session, so the entire upgrade can be written as a script for automated batch deployment.

Steps

1. Preparatory work

1.1. Download related software packages

OpenSSH depends on ZLIB and OpenSSL, so you need to download the source packages of all three from their official websites. Note that OpenSSH 7.4p1 relies on OpenSSL 1.0.2k, not the latest OpenSSL 1.1.0e (the upgrade will fail with that version). ZLIB can use the latest version, 1.2.11, but Red Hat 6.9 ships with zlib 1.2.3 and upgrading it is not necessary (it is recommended to keep the original zlib 1.2.3: the upgrade works normally with it and there will be no other minor problems). Download addresses of the three source packages:

http://www.zlib.net/

http://www.openssl.org/

http://www.openssh.org/

1.2. View the current software version of the system

# rpm -q zlib

# openssl version

# ssh -V

1.3. Configure a local yum source

Compiling the source code requires some additional packages and tools, so configure a local yum source first (a remote yum source is better if you have one). The configuration method is as follows:

A. Upload the operating system image to the server and mount it.

# mount -o loop /soft/iso/OEL6.9.iso /yum # you can specify the mount directory here

If you need the image mounted automatically when the system starts, add the above command to the /etc/rc.d/rc.local file.

B. Configure the yum source file

# cd /etc/yum.repos.d

# rm -f * # delete all current yum source files

# gedit local.repo # add the following

[Redhat6.9]

name=rhel6.9

baseurl=file:///yum

enabled=1

gpgcheck=0

1.4. Install the toolkit required for compilation

# yum -y install gcc pam-devel zlib-devel

1.5. Shut down iptables and SELinux (note that they must be turned off, otherwise xftp and SecureCRT cannot be used after the operating system is rebooted following the upgrade)

# service iptables stop # turn off the firewall

# chkconfig iptables off # do not start the firewall at boot

# chkconfig xinetd on # start the telnet service at boot

# getenforce # view the SELinux status

# setenforce 0 # switch SELinux to permissive mode for the running system

To avoid being unable to connect to the machine through a remote terminal after the OpenSSH upgrade, it is recommended to disable SELinux as follows:

# vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled

2. Formal upgrade

2.1. Upgrade OpenSSL

Official upgrade document: http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/openssl.html

A. Back up the current openssl

# find / -name openssl

/usr/lib64/openssl

/usr/bin/openssl

/etc/pki/ca-trust/extracted/openssl

# mv /usr/lib64/openssl /usr/lib64/openssl.old

# mv /usr/bin/openssl /usr/bin/openssl.old

# mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old

The following two library files must be backed up first, because some tools in the system (such as yum and wget) depend on them, but the new version of OpenSSL does not include these two libraries.

# cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old

# cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old

B. Uninstall the current openssl

# rpm -qa | grep openssl

openssl-1.0.1e-42.el6.x86_64

# rpm -e --nodeps openssl-1.0.1e-42.el6.x86_64

# rpm -qa | grep openssl

Or execute this command directly: rpm -qa | grep openssl | xargs -I {} rpm -e --nodeps {}

C. Decompress the openssl_1.0.2k source code, then compile and install it

# tar -zxvf openssl-1.0.2k.tar.gz

# cd openssl-1.0.2k

# ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib # --shared must be added, otherwise the newly installed openssl library will not be found and an error will be reported during compilation

# make

# make test # this step must be run and must pass before you continue, otherwise ssh will not work even if the installation completes

# make install

# openssl version -a # check whether the upgrade is successful

D. Restore the shared libraries

Because OpenSSL_1.0.2k does not provide the libcrypto.so.10 and libssl.so.10 libraries, and yum, wget and other tools rely on them, you need to restore the two libraries that were backed up earlier; other libraries can be restored as the situation requires. (Skip this step if you do not have the latest zlib installed.)

# mv /usr/lib64/libcrypto.so.10.old /usr/lib64/libcrypto.so.10

# mv /usr/lib64/libssl.so.10.old /usr/lib64/libssl.so.10

2.2. Upgrade OpenSSH

Official upgrade document: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

A. Back up the current openssh

# mv /etc/ssh /etc/ssh.old

B. Uninstall the current openssh

# rpm -qa | grep openssh

openssh-clients-5.3p1-111.el6.x86_64

openssh-server-5.3p1-111.el6.x86_64

openssh-5.3p1-111.el6.x86_64

openssh-askpass-5.3p1-111.el6.x86_64

# rpm -e --nodeps openssh-5.3p1-111.el6.x86_64

# rpm -e --nodeps openssh-server-5.3p1-111.el6.x86_64

# rpm -e --nodeps openssh-clients-5.3p1-111.el6.x86_64

# rpm -e --nodeps openssh-askpass-5.3p1-111.el6.x86_64

# rpm -qa | grep openssh

Or execute this command directly: rpm -qa | grep openssh | xargs -I {} rpm -e --nodeps {}

C. openssh pre-installation environment configuration

# install -v -m700 -d /var/lib/sshd

# chown -v root:sys /var/lib/sshd

# groupadd -g 50 sshd

# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd

D. Decompress the openssh_7.4p1 source code, then compile and install it

# tar -zxvf openssh-7.4p1.tar.gz

# cd openssh-7.4p1

# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd

# make

# make install

E. openssh post-installation environment configuration (this step can be skipped and has no effect on the upgrade)

# execute the following commands in the openssh compilation directory

# install -v -m 755 contrib/ssh-copy-id /usr/bin

# install -v -m 644 contrib/ssh-copy-id.1 /usr/share/man/man1

# install -v -m 755 -d /usr/share/doc/openssh-7.4p1

# install -v -m 644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.4p1

# ssh -V # verify whether the upgrade is successful

F. Enable the OpenSSH service

# execute the following commands in the openssh compilation directory

# mv /etc/init.d/sshd /etc/init.d/sshd.old

# cp -p contrib/redhat/sshd.init /etc/init.d/sshd

# chmod +x /etc/init.d/sshd

Back up the configuration files

# mv /etc/ssh/ssh_config /etc/ssh/ssh_config_old

# mv /etc/ssh/sshd_config /etc/ssh/sshd_config_old

# cp ssh_config /etc/ssh/ssh_config

# cp sshd_config /etc/ssh/sshd_config

Modify the configuration file

# gedit /etc/ssh/sshd_config

Add the following

PermitRootLogin yes

Set up and start the sshd service

# chkconfig --add sshd

# chkconfig sshd on

# chkconfig --list sshd

# service sshd restart

Note: if the upgrade is being carried out in an ssh remote session, the sshd restart command above may disconnect the session and leave you unable to log in again over ssh (that is, sshd failed to restart successfully). In this case, log in through telnet and run the sshd restart command there.
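One way to check, before the restart above, that the rebuilt sshd accepts its configuration and to see which PermitRootLogin value is really in effect (sshd uses the first occurrence of a keyword, so an added line can be shadowed). This is an added example, not part of the original article; the function names and the sample file are hypothetical, and /usr/sbin/sshd assumes the --prefix=/usr build used above.

```shell
# Added example, not from the original article; function names are hypothetical.
# effective_sshd_option FILE KEYWORD: print the value sshd applies globally.
# Keywords are case-insensitive, '#' lines are comments, "Keyword=value" is
# accepted, the FIRST occurrence wins, lines after a Match are conditional.
effective_sshd_option() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    ifs=$(printf ' \t=')
    while IFS=$ifs read -r key value || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;
            match)   break ;;
            "$want") printf '%s\n' "$value"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# Effective PermitRootLogin; prohibit-password is the built-in default of
# OpenSSH 7.0 and later when the file sets nothing globally.
root_login_policy() {
    effective_sshd_option "$1" PermitRootLogin || echo prohibit-password
}

# Validate the config with the new binary's test mode (sshd -t) and restart
# only if it passes, so a bad build or file does not cut off the session
# doing the upgrade. Assumes the binary was installed to /usr/sbin/sshd.
safe_restart() {
    cfg=${1:-/etc/ssh/sshd_config}
    /usr/sbin/sshd -t -f "$cfg" || { echo "sshd -t failed; not restarting" >&2; return 1; }
    echo "PermitRootLogin in effect: $(root_login_policy "$cfg")"
    service sshd restart
}

# Constructed sample file: "PermitRootLogin yes" was appended at the end, but
# an earlier global line and a Match block precede it.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
permitrootlogin no
Match Address 192.0.2.0/24
    PasswordAuthentication no
PermitRootLogin yes
EOF
}

sample=$(mktemp) && write_sample_config "$sample"
echo "sample file, effective PermitRootLogin: $(root_login_policy "$sample")"
rm -f "$sample"
```

Run safe_restart in place of the bare restart command; on the constructed sample the reported value is "no", not the "yes" appended at the end of the file.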

3. Take care of the aftermath

Open a new remote terminal and log in to the system with ssh [ip]. After confirming that everything is normal and the upgrade succeeded, shut down the telnet service to keep the system secure.

# mv /etc/securetty.old /etc/securetty

# chkconfig xinetd off

# service xinetd stop

Restart the firewall if necessary

# service iptables start

# chkconfig iptables on

If you need to restore the previous ssh configuration, you can delete the upgraded configuration and restore the backup.

# rm -rf /etc/ssh

# mv /etc/ssh.old /etc/ssh

The above is how to upgrade OpenSSH on the Linux operating system, as shared by the editor. If you have similar questions, you can refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
