Background
The company ran a security scan that flagged OpenSSH and OpenSSL vulnerabilities, so both need to be upgraded. A plain yum update has no effect, so we have to compile the new versions manually.
Pre-upgrade
ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
After upgrade
ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017
Preparatory work
Prepare the OpenSSH and OpenSSL source packages:
openssh-7.6p1.tar.gz
openssl-1.0.2n.tar.gz
- Install dependent packages
OpenSSL dependencies
To install OpenSSL, you'll need:
- Make
- Perl 5
- An ANSI C compiler
- A development environment in form of development libraries and C header files
- A supported Unix operating system
OpenSSH dependencies
You'll need working installations of Zlib and Libcrypto (LibreSSL/OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
Libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
LibreSSL http://www.libressl.org/ or
OpenSSL http://www.openssl.org/
yum install gcc make perl pam-devel zlib-devel -y
Turn on Telnet
Telnet is enabled as a fallback so that the server stays reachable if the upgrade fails and sshd no longer accepts connections. Telnet sends credentials in cleartext, so disable it again once the new sshd is confirmed working.
yum install xinetd telnet-server -y
sed -i '/disable/ s/yes/no/' /etc/xinetd.d/telnet
/etc/init.d/xinetd start
- Add a regular user
The new sshd configuration does not allow direct root login, so after the upgrade you log in as a regular user and then su to root. Create that user now:
useradd xx -G wheel
passwd xx
OpenSSL upgrade
tar zxvf openssl-1.0.2n.tar.gz
cd openssl-1.0.2n
./config --prefix=/usr/local/openssl shared zlib && make && make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
View version
openssl version -a
OpenSSL 1.0.2n 7 Dec 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"
OpenSSH upgrade
tar zxvf openssh-7.6p1.tar.gz
cd openssh-7.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl/ && make
rpm -e $(rpm -qa | grep openssh) --nodeps
make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-7.6p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.6p1
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
cp contrib/redhat/sshd.pam /etc/pam.d/
sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd && chmod 644 /etc/pam.d/sshd && echo "UsePAM yes" >> /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
/etc/init.d/sshd start
View version
ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017
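An added post-upgrade check, written for this page and not part of the original post. sshd honours the first uncommented occurrence of a directive, so the PermitRootLogin, ChallengeResponseAuthentication and UsePAM lines appended with echo in the OpenSSH step are ignored if an earlier line in /etc/ssh/sshd_config already sets them. The script reports the effective value of those directives and parses an ssh -V banner to confirm the installed OpenSSH is 7.6 or newer; the sample configs and their temp-file paths are constructed for the demonstration.

```sh
#!/bin/sh
# Added post-upgrade check (not from the original post). sshd takes the FIRST
# uncommented occurrence of a directive, so a value appended with
# "echo ... >> sshd_config" is ignored when an earlier line already sets it.

# Effective value of directive $2 in sshd_config $1: first uncommented match,
# keyword case-insensitive, "Keyword value" form only (Match blocks not handled).
effective_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when $1 enforces the settings the upgrade appends, 1 otherwise.
sshd_config_hardened() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_sshd_option "$1" ChallengeResponseAuthentication)" = "no" ] &&
    [ "$(effective_sshd_option "$1" UsePAM)" = "yes" ]
}

# "major.minor" from an ssh -V banner: "OpenSSH_5.3p1, OpenSSL ..." -> 5.3
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Returns 0 when banner $1 is OpenSSH 7.6 or newer (the version this post installs).
openssh_at_least_7_6() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}; minor=${v#*.}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; }
}

# Constructed samples: in SAMPLE_CFG the appended lines sit below a leftover
# "PermitRootLogin yes", so root login stays enabled; GOOD_CFG is clean.
SAMPLE_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$GOOD_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PermitRootLogin no
ChallengeResponseAuthentication no
UsePAM yes
EOF
printf 'PermitRootLogin no\nChallengeResponseAuthentication no\nUsePAM yes\n' > "$GOOD_CFG"

for cfg in "$SAMPLE_CFG" "$GOOD_CFG"; do
    sshd_config_hardened "$cfg" && echo "$cfg: hardened" ||
        echo "$cfg: NOT hardened, PermitRootLogin=$(effective_sshd_option "$cfg" PermitRootLogin)"
done
# Real host: sshd_config_hardened /etc/ssh/sshd_config; openssh_at_least_7_6 "$(ssh -V 2>&1)"
```

On the host itself, sshd -T prints the effective configuration and is the authoritative check for what the running daemon will enforce.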
CENTOS6 Upgrade OpenSSH 7.6,openssl 1.0.1n