A detailed explanation of OpenSSH vulnerability repair steps in Linux

Source: Internet
Author: User
Tags bz2 chmod openssl openssl version ssh

Recently several hosts on line, on the line of the host in the security compliance scan, found the following openssh vulnerabilities. A few of them are old-aged vulnerabilities, mainly cve-2014-1692 vulnerabilities (OpenSSH schnorr.c vulnerabilities) for the new vulnerabilities of the January. Because the host does not have an extranet connection configured, and for different versions of SuSE and Redhat, it is repaired using a source package compilation upgrade OpenSSH version.

I. Preparation of related packages

zlib-1.2.5.tar.bz2

Openssl-1.0.1.tar.gz

Openssh-6.6p1.tar.gz

Related packages have been uploaded on Baidu cloud disk.

Second, prepare other login mode

Because there are uninstall SSH operation, so as not to log on to the host, you can choose to configure Telnet or VNC for remote operation, here to Telnet, for example, as follows:

The code is as follows Copy Code
# vim/etc/xinetd.d/telnet
Service Telnet
{
Socket_type = Stream
protocol = TCP
wait = no
user = root
Server =/usr/sbin/in.telnetd
Disable = yes
}

Note, such as no telnet-server package, you need to install the package before you configure the above options.

Once configured, restart the xinetd daemon to take effect and see if 23-port monitoring is available:

# Service XINETD Restart
# NETSTAT-TUNLP
For security reasons, you may also consider modifying the Telnet port or specifying the source address via iptables.

Third, the program upgrades

1, the installation of OpenSSL package

The code is as follows Copy Code
# TAR-ZXVF Openssl-1.0.1.tar.gz
# CD openssl-1.0.1
#./config-fpic Threads Shared
# make
# Make Test
# make Install
# Mv/usr/bin/openssl/usr/bin/openssl. Off
# Mv/usr/include/openssl/usr/include/openssl. Off
This step may prompt no file, ignore it
# ln-s/usr/local/ssl/bin/openssl/usr/bin/openssl
# ln-s/usr/local/ssl/include/openssl/usr/include/openssl
Remove the OpenSSL from the original system and link the new files that were generated by your own compilation

Note: The original OpenSSL package cannot be unloaded, otherwise it will affect the system's SSL encrypted library file, unless you can do two soft connections libcryto and Libssl.

Configuration File Search Path:

  code is as follows copy code

# chmod 755/usr/local/ssl/lib
# echo "/usr/local/ssl/lib" >>/etc/ld.so.conf
#/sbin/ldconfig-v
# OpenSSL Version-a
OpenSSL 1.0.1 2012
Built On:fri Mar 17:14:50 CST 2012
Platform:linux-x86_64
Options:bn (64,64) RC4 (16x,int) des (idx,cisc,16,int) idea (int) blowfish (IDX)
Compiler:gcc-fpic-dopenssl_pic-dzlib-dopenssl_threads-d_reentrant-ddso_dlfcn-dhave_dlfcn_h-wa,--Noexecstack- M64-dl_endian-dtermio-o3-wall-dopenssl_ia32_sse2-dopenssl_bn_asm_mont-dopenssl_bn_asm_mont5-dopenssl_bn_asm_ Gf2m-dsha1_asm-dsha256_asm-dsha512_asm-dmd5_asm-daes_asm-dvpaes_asm-dbsaes_asm-dwhirlpool_asm-dghash_asm
Openssldir: "/usr/local/ssl"

2, unloading the original OpenSSH package

Backup startup script

# cp/etc/init.d/sshd/root/
Stop sshd Service

#/sbin/service sshd Stop

Uninstall the original OpenSSH in the system

# rpm-qa|grep OpenSSH//Query system original installed OPENSSH package, all uninstall.
# rpm-e OpenSSH--nodeps
# rpm-e Openssh-server--nodeps
# rpm-e Openssh-clients--nodeps
# RPM-E Openssh-askpass
or rpm-e--nodeps ' Rpm-qa |grep openssh '

3, decompression installation zlib package

The code is as follows Copy Code

# TAR-JXVF zlib-1.2.5.tar.bz2//install zlib library First, otherwise you will report ZLIB.C error cannot be done
# CD zlib-1.2.5
#./configure
# Make&&make Install

4, Upgrade OpenSSH package

To back up the/etc/ssh folder first:

The code is as follows Copy Code
# Mv/etc/ssh/etc/ssh_bak
# TAR-ZXVF Openssh-6.6p1.tar.gz
#./configure--sysconfdir=/etc/ssh--with-ssl-dir=/usr/local/ssl--with-md5-passwords--mandir=/usr/share/man-- With-pam
# make
# make Install

The following errors may be reported during compilation:

Checking for evp_sha256 ... yes
Checking whether OpenSSL has nid_x9_62_prime256v1 ... yes
Checking whether OpenSSL has nid_secp384r1 ... yes
Checking whether OpenSSL has nid_secp521r1 ... yes
Checking if OpenSSL ' s NID_SECP521R1 is functional ... yes
Checking for Ia_openinfo in-liaf ... no
Checking whether OpenSSL ' s PRNG is internally seeded ... yes
Configure:error:PAM headers not found
If you report this error, you need to install the appropriate version of the Pam-devel package. After installation, you can recompile.

5. Start OpenSSH Service

After the compilation is installed, it can be verified by sshd-d, if there is no error, you can re-enable openssh.

The code is as follows Copy Code

# cp-p Contrib/redhat/sshd.init/etc/init.d/sshd
(SUSE:CP contrib/suse/rc.sshd/etc/init.d/sshd)
# chmod +x/etc/init.d/sshd
# chkconfig--add sshd
# CP Sshd_config/etc/ssh/sshd_config (if prompted to overwrite, yes enter)
# CP Sshd/usr/sbin/sshd (if prompted to overwrite, yes enter)
(REDHAT:CP Ssh-keygen/usr/bin/ssh-keygen)

Start the SSH service with the following command:

The code is as follows Copy Code
Service sshd start or service sshd restart

Note: ssh-v//If you see a new version number, no problem! If there is no SSH command, execute (redhat, suse:ln-s/usr/local/bin/ssh/usr/bin/ssh)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.