2025-04-10 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/01 Report--
Today I will talk about how to upgrade OpenSSH on CentOS 6.5 from 5.3 to 7.3. Many people may not understand it very well, so the editor has summarized the following to help. I hope you get something out of this article.
The SSH version 5.3 that ships with CentOS 6.5 is too old. A security scan reported a vulnerability, so the version needs to be upgraded.
This article uses openssh-7.3p1 and upgrades by installing from source.
Upgrading OpenSSH itself is not difficult; the difficult part is installing the prerequisite build environment before the upgrade. The following software is required: gcc-c++, zlib, OpenSSL, pam
SSH is interrupted during the upgrade, so you need to turn on the telnet service first. If you can log in to the system directly at the console, you don't need to install telnet.
xinetd and telnet-server need to be installed first.
Reference: http://www.cnblogs.com/xlmeng1988/archive/2012/04/24/telnet-server.html
The following packages need to be installed:
telnet-server-1.2-134.24.1.x86_64.rpm
xinetd-2.3.14-40.el6.x86_64.rpm
xinetd-2.3.14-40.el6.src.rpm
Start the telnet service
Edit /etc/xinetd.d/telnet and change disable = yes to disable = no.
Use the chkconfig command to enable it directly: [root@localhost loong]# chkconfig telnet on
Activate the xinetd service: service xinetd restart
Allowing root to log in over telnet: enabling root login for telnet is not recommended, because it easily introduces security risks.
Note: by default, the system only allows ordinary users to log in over telnet, not root. To get root privileges, log in as a normal user and then run su.
Or use one of the following methods to allow root to log in over telnet:
Method 1: # mv /etc/securetty /etc/securetty.bak (this method is not recommended; change it back after testing!)
Method 2: edit /etc/pam.d/remote and comment out the line: auth required pam_securetty.so
Upgrade OpenSSH
There are three ways to install the basic environment: yum, rpm, and source code installation
1. Yum installation
This is probably the most convenient way.
yum -y install gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel
2. Rpm installation
2.1. Steps for installing gcc-c++
The order cannot be reversed, or an error will be reported.
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-17.el6.x86_64.rpm
rpm -Uvh kernel-headers-2.6.32-642.el6.x86_64.rpm
rpm -Uvh tzdata-2016c-1.el6.noarch.rpm
rpm -Uvh glibc-devel-2.12-1.192.el6.x86_64.rpm glibc-2.12-1.192.el6.x86_64.rpm glibc-headers-2.12-1.192.el6.x86_64.rpm glibc-common-2.12-1.192.el6.x86_64.rpm
rpm -Uvh libgcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libgomp-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libstdc++-4.4.7-17.el6.x86_64.rpm
rpm -ivh libstdc++-devel-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-17.el6.x86_64.rpm
2.2. Steps for installing zlib
rpm -ivh zlib-devel-1.2.3-29.el6.x86_64.rpm
2.3. Steps for installing OpenSSL
The order must not be reversed, or an error will be reported.
rpm -Uvh keyutils-1.4-5.el6.x86_64.rpm keyutils-libs-1.4-5.el6.x86_64.rpm keyutils-libs-devel-1.4-5.el6.x86_64.rpm
rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm
rpm -Uvh libselinux-2.0.94-7.el6.x86_64.rpm libselinux-utils-2.0.94-7.el6.x86_64.rpm libselinux-python-2.0.94-7.el6.x86_64.rpm
rpm -ivh libsepol-devel-2.0.41-4.el6.x86_64.rpm
rpm -ivh libselinux-devel-2.0.94-7.el6.x86_64.rpm
rpm -Uvh e2fsprogs-libs-1.41.12-22.el6.x86_64.rpm e2fsprogs-1.41.12-22.el6.x86_64.rpm libss-1.41.12-22.el6.x86_64.rpm libcom_err-1.41.12-22.el6.x86_64.rpm
rpm -ivh krb5-devel-1.10.3-57.el6.x86_64.rpm libcom_err-devel-1.41.12-22.el6.x86_64.rpm
rpm -Uvh openssl-devel-1.0.1e-48.el6.x86_64.rpm openssl-1.0.1e-48.el6.x86_64.rpm
2.4. Steps for installing pam
rpm -Uvh pam-devel-1.1.1-22.el6.x86_64.rpm pam-1.1.1-22.el6.x86_64.rpm
3. Source code installation
Source installation was done only for zlib and OpenSSL. If they have already been installed via rpm, there is no need to install them again.
3.1. Source installation of zlib
[root@localhost tmp]# tar xf zlib-1.2.8.tar.gz
[root@localhost tmp]# cd zlib-1.2.8
[root@localhost zlib-1.2.8]# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@localhost zlib-1.2.8]# make
[root@localhost zlib-1.2.8]# make install
3.2. Source installation of OpenSSL
[root@localhost tmp]# tar zxf openssl-1.0.2h.tar.gz
[root@localhost tmp]# cd openssl-1.0.2h
[root@localhost openssl-1.0.2h]# ./config --prefix=/usr/local/openssl --shared
[root@localhost openssl-1.0.2h]# make depend
[root@localhost openssl-1.0.2h]# make
[root@localhost openssl-1.0.2h]# make test
[root@localhost openssl-1.0.2h]# make install
4. Install OpenSSH with source code
It is best to turn on the telnet service before installation in case the upgrade fails, so that you can use telnet when you cannot log in using ssh.
# Uninstall the old version of openssh; this can be done after make.
rpm -qa | grep openssh
rpm -e --nodeps `rpm -qa | grep openssh`
# Upgrade to the new version
# The --with-ssl-dir=*** option is added when OpenSSL is not in the default installation path.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam
make
make install
# Copy the configuration files
cp ssh_config /etc/ssh/
cp sshd_config /etc/ssh/
cp moduli /etc/ssh/
# Copy the startup script to /etc/init.d
# Depending on the installation path, you may need to modify the path of sshd in the startup script
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Test the configuration file before starting the service
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
# Start sshd at boot
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list
# Enable remote login for the root user.
# This step is not necessary. It is recommended to leave this option turned off; turning it on introduces security risks.
vi /etc/ssh/sshd_config
PermitRootLogin yes
# Start the SSH service
service sshd start
5. Shut down the telnet service
Edit /etc/xinetd.d/telnet and change disable = no back to disable = yes.
Use the chkconfig command to turn it off directly: [root@localhost loong]# chkconfig telnet off
Restore securetty: # cp /etc/securetty.bak /etc/securetty
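A post-upgrade check for step 5, added here as an example and not part of the original article: it confirms that each temporary fallback the procedure introduced (telnet enabled in xinetd, /etc/securetty moved aside, pam_securetty.so commented out, PermitRootLogin yes) has been reverted. The function names and the root-prefix argument are assumptions made for this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the article): verify the temporary telnet fallback is rolled back.
# The root-prefix argument is an assumption for offline testing; pass "/" on a live host.

xinetd_disable_value() {   # value of "disable" in an xinetd service file
    awk -F= '/^[ \t]*disable[ \t]*=/ {gsub(/[ \t]/, "", $2); v = $2} END {print v}' "$1"
}

permit_root_login() {      # first uncommented PermitRootLogin (sshd uses the first match)
    awk 'tolower($1) == "permitrootlogin" {print tolower($2); exit}' "$1"
}

audit_telnet_rollback() {  # returns the number of findings
    root="${1%/}"; findings=0
    f="$root/etc/xinetd.d/telnet"
    if [ -f "$f" ] && [ "$(xinetd_disable_value "$f")" != "yes" ]; then
        echo "FAIL: telnet still enabled in $f"; findings=$((findings + 1))
    fi
    if [ ! -f "$root/etc/securetty" ]; then
        echo "FAIL: /etc/securetty missing (Method 1 not reverted)"; findings=$((findings + 1))
    fi
    f="$root/etc/pam.d/remote"
    if [ -f "$f" ] && ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securetty\.so' "$f"; then
        echo "FAIL: pam_securetty.so inactive in $f (Method 2 not reverted)"; findings=$((findings + 1))
    fi
    f="$root/etc/ssh/sshd_config"
    if [ -f "$f" ] && [ "$(permit_root_login "$f")" = "yes" ]; then
        echo "WARN: PermitRootLogin yes in $f"; findings=$((findings + 1))
    fi
    return "$findings"
}

make_sample_root() {       # constructed mid-upgrade state: every fallback still in place
    d=$(mktemp -d)
    mkdir -p "$d/etc/xinetd.d" "$d/etc/pam.d" "$d/etc/ssh"
    printf 'service telnet\n{\n\tdisable = no\n}\n' > "$d/etc/xinetd.d/telnet"
    printf '#auth required pam_securetty.so\n' > "$d/etc/pam.d/remote"
    printf 'PermitRootLogin yes\n' > "$d/etc/ssh/sshd_config"
    echo "$d"
}

sample=$(make_sample_root)
audit_telnet_rollback "$sample" || echo "findings: $?"
rm -rf "$sample"
```

On a live host, run `audit_telnet_rollback /` as root after step 5; an exit status of 0 means none of the four fallbacks is still in place.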
6. Problem: after rebooting the system, you need to log in directly at the console and restart the sshd service before remote access works normally.
service sshd stop
service sshd start