2025-01-22 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
This article briefly records the steps for upgrading openssh and provides a one-click upgrade script.
Install the toolkit required for compilation
# yum install gcc pam-devel zlib-devel
First, reasons for upgrading
Serious vulnerabilities exist in the following openssh versions:
1. OpenSSH remote privilege escalation vulnerability (CVE-2016-10010)
2. OpenSSH J-PAKE authorization problem vulnerability (CVE-2010-4478)
3. OpenSSH MaxAuthTries restriction bypass vulnerability (CVE-2015-5600)
If the installed OpenSSL is >= 1.0.1, you do not have to upgrade OpenSSL.
Second, install telnet service
1. Install the software
# yum -y install telnet-server* telnet
2. Enable the telnet service
# vi /etc/xinetd.d/telnet    # change "yes" in the disable field to "no" to enable the telnet service
# mv /etc/securetty /etc/securetty.old    # allow root users to log in through telnet
# service xinetd start    # start the telnet service
# chkconfig xinetd on    # start the telnet service at boot, so that remote login is still possible if the server is accidentally rebooted during the upgrade
3. Test whether telnet can log in to the system normally
Third, upgrade OpenSSH
1. Back up the current openssh
# mv /etc/ssh /etc/ssh.old
# mv /etc/init.d/sshd /etc/init.d/sshd.old
2. Uninstall the current openssh
# rpm -qa | grep openssh
openssh-clients-5.3p1-104.el6.x86_64
openssh-server-5.3p1-104.el6.x86_64
openssh-5.3p1-104.el6.x86_64
openssh-askpass-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-clients-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-askpass-5.3p1-104.el6.x86_64
# rpm -qa | grep openssh
Note: if the following error occurs during uninstallation:
[root@node1 openssh-7.5p1]# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64
error reading information on service sshd: No such file or directory
error: %preun(openssh-server-5.3p1-104.el6.x86_64) scriptlet failed, exit status 1
Solution:
# rpm -e --noscripts openssh-server-5.3p1-104.el6.x86_64
3. Pre-installation environment configuration for openssh
# install -v -m700 -d /var/lib/sshd
# chown -v root:sys /var/lib/sshd
If the sshd user already exists on the current system, the following two commands are not needed:
# groupadd -g 50 sshd
# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
4. Extract the openssh_7.5p1 source code and compile and install it
# tar -zxvf openssh-7.5p1.tar.gz
# cd openssh-7.5p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
# make
# make install
5. Environment configuration after openssh installation
Execute the following commands in the openssh compilation directory:
# install -v -m755 contrib/ssh-copy-id /usr/bin
# install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
# install -v -m755 -d /usr/share/doc/openssh-7.5p1
# install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.5p1
# ssh -V    # verify whether the upgrade is successful
6. Enable the OpenSSH service
Execute the following commands in the openssh compilation directory:
# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config    # allow root users to log in through ssh
# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list sshd
# service sshd restart
Note: if the upgrade is being carried out in a remote ssh session, the sshd restart command above may disconnect the session and leave you unable to log in using ssh (that is, sshd failed to restart successfully). In this case, log in through telnet and execute the sshd service restart command.
7. After restarting the system and verifying that there is no problem, shut down the telnet service.
# mv /etc/securetty.old /etc/securetty
# chkconfig xinetd off
# service xinetd stop
If you need to restore the previous ssh configuration, delete the upgraded configuration and restore the backup:
# rm -rf /etc/ssh
# mv /etc/ssh.old /etc/ssh
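A check to run after step 7, as an added example (it is not the attached script from this article): it reports the effective value of the two keywords appended to sshd_config in step 6 and whether the telnet fallback has been rolled back. The function names, the ROOT prefix argument and the sample tree are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example: post-upgrade audit. ROOT prefix and function names are
# assumptions, chosen so the checks can run against a constructed tree.

# Effective value of a global sshd_config keyword. sshd keeps the FIRST value
# it reads, so a line appended with `echo >>` is ignored when an earlier
# uncommented line already sets the same keyword.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Prints one line per finding; ROOT is "" for the live system.
audit_upgrade() {    # usage: audit_upgrade ROOT
    for kw in PermitRootLogin X11Forwarding; do
        if [ "$(sshd_effective "$1/etc/ssh/sshd_config" "$kw")" = "yes" ]; then
            echo "sshd_config: $kw yes is in effect"
        fi
    done
    # Step 7 restores /etc/securetty; while the file is missing, root is
    # allowed to log in on any terminal, telnet sessions included.
    if [ ! -f "$1/etc/securetty" ]; then
        echo "securetty: not restored from securetty.old"
    fi
    # xinetd keeps offering telnet while the service file says disable = no.
    if grep -Eqs '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' \
            "$1/etc/xinetd.d/telnet"; then
        echo "xinetd: telnet service still enabled"
    fi
}

# Constructed sample tree: the state after step 6, before the step 7 rollback.
make_sample() {      # usage: make_sample DIR
    mkdir -p "$1/etc/ssh" "$1/etc/xinetd.d"
    printf '%s\n' '#PermitRootLogin prohibit-password' 'X11Forwarding no' \
        'X11Forwarding yes' 'PermitRootLogin yes' > "$1/etc/ssh/sshd_config"
    printf 'service telnet\n{\n\tdisable = no\n}\n' > "$1/etc/xinetd.d/telnet"
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_upgrade "$tmp"; rm -rf "$tmp"
```

On the upgraded host, run audit_upgrade "" as root. The sample prints three findings rather than four because its earlier X11Forwarding no line overrides the appended yes.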
The attachment contains the one-click upgrade scripts: run telnetserver.sh first, and then run the openssh upgrade script.
Attachment: http://down.51cto.com/data/2366639