Recently, a security compliance scan of several production hosts reported a number of OpenSSH vulnerabilities. Some of them are old findings; the main new one from this January is CVE-2014-1692 (the OpenSSH schnorr.c vulnerability). Because these hosts have no external network connection, and they run different versions of SuSE and Red Hat, the fix is to upgrade OpenSSH by compiling it from source packages.
I. Prepare the required packages
zlib-1.2.5.tar.bz2
openssl-1.0.1.tar.gz
openssh-6.6p1.tar.gz
The related packages have been uploaded to Baidu cloud disk.
II. Prepare an alternative login method
Because the procedure uninstalls SSH, you need another way to log in to the host so that you are not locked out. You can configure Telnet or VNC for remote access; Telnet is used as the example here:
# vim /etc/xinetd.d/telnet
service telnet
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = no    # "no" enables the service; the package default is "yes"
}
Note: if the telnet-server package is not installed, install it before configuring the options above.
Once configured, restart the xinetd daemon for the change to take effect and check that port 23 is listening:
# service xinetd restart
# netstat -tunlp
For security, you may also consider changing the Telnet port or restricting the source addresses with iptables.
III. Upgrade procedure
1. Install the OpenSSL package
# tar -zxvf openssl-1.0.1.tar.gz
# cd openssl-1.0.1
# ./config -fPIC threads shared
# make
# make test
# make install
# mv /usr/bin/openssl /usr/bin/openssl.off
# mv /usr/include/openssl /usr/include/openssl.off    (this step may report that the file does not exist; ignore it)
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
The last four commands move the system's original OpenSSL binary and headers aside and link in the newly compiled ones.
Note: do not uninstall the original OpenSSL package, otherwise the system's SSL library files will be affected, unless you also create two symbolic links for libcrypto and libssl.
Configure the library search path:
# chmod 755 /usr/local/ssl/lib
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# /sbin/ldconfig -v
# openssl version -a
OpenSSL 1.0.1 2012
built on: Fri Mar 17:14:50 CST 2012
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2M -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
2. Uninstall the original OpenSSH package
Back up the startup script:
# cp /etc/init.d/sshd /root/
Stop the sshd service:
# /sbin/service sshd stop
Uninstall the original OpenSSH from the system:
# rpm -qa | grep openssh    # list the OpenSSH packages originally installed; uninstall all of them
# rpm -e openssh --nodeps
# rpm -e openssh-server --nodeps
# rpm -e openssh-clients --nodeps
# rpm -e openssh-askpass
or, in one step:
# rpm -e --nodeps `rpm -qa | grep openssh`
3. Extract and install the zlib package
# tar -jxvf zlib-1.2.5.tar.bz2    # install the zlib library first, otherwise the OpenSSH build fails with a zlib error
# cd zlib-1.2.5
# ./configure
# make && make install
4. Upgrade the OpenSSH package
Back up the /etc/ssh directory first:
# mv /etc/ssh /etc/ssh_bak
# tar -zxvf openssh-6.6p1.tar.gz
# cd openssh-6.6p1
# ./configure --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-pam
# make
# make install
The following error may be reported during the configure step:
checking for EVP_SHA256... yes
checking whether OpenSSL has NID_X9_62_prime256v1... yes
checking whether OpenSSL has NID_secp384r1... yes
checking whether OpenSSL has NID_secp521r1... yes
checking if OpenSSL's NID_secp521r1 is functional... yes
checking for ia_openinfo in -liaf... no
checking whether OpenSSL's PRNG is internally seeded... yes
configure: error: PAM headers not found
If you get this error, install the appropriate version of the pam-devel package and then run configure again.
5. Start the OpenSSH service
After make install completes, you can verify the new daemon with sshd -d; if it reports no errors, re-enable OpenSSH:
# cp -p contrib/redhat/sshd.init /etc/init.d/sshd    (SuSE: cp contrib/suse/rc.sshd /etc/init.d/sshd)
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# cp sshd_config /etc/ssh/sshd_config    (if prompted to overwrite, answer yes)
# cp sshd /usr/sbin/sshd    (if prompted to overwrite, answer yes)
(Red Hat: cp ssh-keygen /usr/bin/ssh-keygen)
Start the SSH service with the following command:
# service sshd start
or
# service sshd restart
Note: run ssh -V; if it shows the new version number, the upgrade succeeded. If the ssh command is not found, run (Red Hat, SuSE):
# ln -s /usr/local/bin/ssh /usr/bin/ssh
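A post-upgrade check script, added here as an example that is not part of the original post. It assumes the paths used in the procedure above (the self-built OpenSSL in /usr/local/ssl, the new daemon at /usr/sbin/sshd) and an assumed minimum OpenSSH version of 6.6; it parses the ssh -V and ldd output to confirm the host really runs the new version linked against the new libraries, rather than a leftover distro copy.

```shell
#!/bin/sh
# Post-upgrade verification helper (added example; not from the original post).
# Assumes the paths from the procedure above; WANT_SSH is an assumed minimum
# version, set it to whatever the compliance scan requires.
WANT_SSH="6.6"
SSL_DIR="/usr/local/ssl"

# version_ok "<ssh -V text>" "<min major.minor>": succeeds when the OpenSSH
# version in the text is at least the minimum (ssh -V prints to stderr).
version_ok() {
    have=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$have" ]; then return 2; fi
    have_major=${have%%.*}; have_minor=${have#*.}
    want_major=${2%%.*};    want_minor=${2#*.}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# links_new_ssl "<ldd output>" "<prefix>": succeeds only when both libssl and
# libcrypto resolve under the self-built prefix, which is what the ld.so.conf
# step in the procedure is meant to achieve.
links_new_ssl() {
    if printf '%s\n' "$1" | grep -q "libssl\.so.* => $2/" &&
       printf '%s\n' "$1" | grep -q "libcrypto\.so.* => $2/"; then
        return 0
    fi
    return 1
}

# Constructed sample outputs, so the checks can be exercised without a real host.
SAMPLE_V="OpenSSH_6.6p1, OpenSSL 1.0.1 14 Mar 2012"
SAMPLE_LDD_NEW="  libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f01)
  libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f02)"
SAMPLE_LDD_OLD="  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f01)
  libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f02)"

# check_host: runs the real checks on this machine (sshd -t validates sshd_config).
check_host() {
    v=$(ssh -V 2>&1) || return 1
    version_ok "$v" "$WANT_SSH" || { echo "ssh still too old: $v"; return 1; }
    l=$(ldd /usr/sbin/sshd 2>/dev/null) || return 1
    links_new_ssl "$l" "$SSL_DIR" || { echo "sshd not linked against $SSL_DIR"; return 1; }
    /usr/sbin/sshd -t || { echo "sshd_config failed validation"; return 1; }
    echo "upgrade verified; now set disable = yes in /etc/xinetd.d/telnet again"
}
if [ "${1:-}" = "--run" ]; then check_host; fi
```

Run it as `sh check_ssh.sh --run` on the upgraded host; the final message is a reminder to turn the temporary Telnet fallback back off once SSH works.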