CENTOS6 Upgrade OpenSSH 7.6,openssl 1.0.1n

Background

Company to do security scan, sweep out OpenSSH, OpenSSL loopholes, need to do upgrade. Direct Yum Update has no effect, so we have to manually compile the upgrade.

Pre-upgrade

ssh -VOpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

After upgrade

ssh -VOpenSSH_7.6p1, OpenSSL 1.0.2n  7 Dec 2017

Preparatory work

1. Preparing the OpenSSH, OpenSSL installation package

   Openssh-7.6p1.tar.gz
   Openssl-1.0.2n.tar.gz

2. Install dependent packages

OpenSSL relies on

To install OpenSSL, you'll need:

• Make
• Perl 5
• An ANSI C compiler
• A development environment in form of development libraries and C
  Header files
• A supported Unix operating system

OpenSSH dependency

You'll need working installations of Zlib and Libcrypto (LIBRESSL/OPENSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions has problems):
http://www.gzip.org/zlib/
Libcrypto (Libressl or OpenSSL >= 0.9.8f < 1.1.0)
Libressl http://www.libressl.org/; Or
OpenSSL http://www.openssl.org/

yum install gcc make perl pam-devel zlib-devel -y

3. Turn on Telnet
   Prevent upgrade failure, unable to connect to server

   yum install xinetd telnet-server -ysed -i ‘/disable/ s/yes/no/‘ /etc/xinetd.d/telnet/etc/init.d/xinetd start

4. Add a regular user
   The default does not support root direct login After upgrade, you need to log in with a normal user, and then su switch to root

   useradd xx -G  wheelpasswd xx

OpenSSL upgrade

tar zxvf openssl-1.0.2n.tar.gzcd openssl-1.0.2n./config --prefix=/usr/local/openssl shared zlib && make && make installmv /usr/bin/openssl /usr/bin/openssl.bak  mv /usr/include/openssl /usr/include/openssl.bak ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl  ln -s /usr/local/openssl/include/openssl /usr/include/openssl  echo "/usr/local/openssl/lib" >>/etc/ld.so.conf  ldconfig -v

View version

 openssl version -aOpenSSL 1.0.2n  7 Dec 2017built on: reproducible build, date unspecifiedplatform: linux-x86_64options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASMOPENSSLDIR: "/usr/local/openssl/ssl"

OpenSSH upgrade

Tar zxvf openssh-7.6p1.tar.gzcd openssh-7.6p1./configure--prefix=/usr--sysconfdir=/etc/ssh--with-md5-passwords-- With-pam--with-ssl-dir=/usr/local/openssl/&& makerpm-e ' rpm-qa|grep openssh '--nodepsmake install &&                     Install-v-m755 contrib/ssh-copy-id/usr/bin &&install-v-m644 Contrib/ssh-copy-id.1 /usr/share/man/man1 &&install-v-m755-d/usr/share/doc/openssh-7.6p1 &&install-v-M  644 INSTALL LICENCE Overview readme*/usr/share/doc/openssh-7.6p1echo "Permitrootlogin No" >> /etc/ssh/sshd_configecho "Challengeresponseauthentication No" >>/ETC/SSH/SSHD_CONFIGCP contrib/redhat/ Sshd.pam/etc/pam.d/sed ' [email protected]/[email protected]/[email protected] '/etc/pam.d/login >/etc/pam.d/sshd && chmod 644/etc/pam.d/sshd && echo "Usepam yes" >>/ETC/SSH/SSHD_CONFIGCP con Trib/redhat/sshd.init/etc/init.d/sshdchmod +x/etc/iNit.d/sshd chkconfig--add sshdchkconfig sshd on/etc/init.d/sshd start 

View version

ssh -VOpenSSH_7.6p1, OpenSSL 1.0.2n  7 Dec 2017

CENTOS6 Upgrade OpenSSH 7.6,openssl 1.0.1n