OpenSSH smooth upgrade-solves the OpenSSH Vulnerability

OpenSSH smooth upgrade-solves the OpenSSH Vulnerability
I. Environment Description 1) Operating System: CentOS 6.5 64-bit 2) version before Openssl upgrade: openssl 0.9.8e 3) version after Openssl upgrade: openssl 1.0.1j (source code installation) 4) openssh upgrade version: openssh-4.3p2-41.el5 5) Openssh upgrade version: openssh_6.7p1 (source code installation) 6) secureCrt 2. Install Dropbear instead of OpenSSH to install dropbear, so that you can still log on to the system when the sshd fails to be started. Can also be replaced with other tools, such as telnet 1) download dropbear installation package https://matt.ucc.asn.au/dropbear/releases/dropbear-2014.66.tar.bz2 2) Check installation dependency package rpm-qa zlib * gcc make 3) compile and install dropbear # tar jxf dropbear-2014.66.tar.bz2 # cd dropbear-2014.66 #. /configure # make & make install check whether the generated file is correct: 4) generate a certificate #/usr/local/bin/dropbearkey-t dss-f/etc/dropbear/dropbear_dss_host_key (note: the system does not have the/etc/dropbear directory by default and needs to be created by itself) #/usr/local/bin/dropbearke Y-t rsa-s 4096-f/etc/dropbear/dropbear_rsa_host_key5) Start dropbear #/usr/local/sbin/dropbear-p 2222 // listen to port 2222 to check whether the startup is successful: 3. Upgrade OpenSSL to openssl-1.0.1j and remove older versions 1) Prepare to download openssl-1.0.1j http://www.openssl.org/source/openssl-1.0.1j.tar.gz before upgrade 2) delete the old version # rpm-e 'rpm-qa | grep openssl '-- allmatches -- nodeps 3) to install openssl. Remember to add the -- shared option, otherwise, the newly installed openssl library cannot be found during openssh compilation, and an error is reported: The openssl header does not match the library version. (Note: Here LZ has been entangled for a long time, if you follow the steps. /config -- prefix =/usr -- shared still reports the error: the openssl header and library version do not match, probably because the installed Openssl is also installed in the source code and is not deleted, you need to manually search for ssl-related files. run find/-name ssl 2. rename the results in the/usr/lib/usr/lib64/lib64/lib directories in the search results one by one. Do not delete the results one by one. This is a stupid method, and no good method has been found yet .) #. /Config -- prefix =/usr -- shared # make test # make install after the openssl version is installed correctly # openssl version-a 4. Upgrade sshd to the OpenSSH-6.7 and delete the old version ssh 1) check whether the package is missing before Upgrade # rpm-qa | egrep "gcc | make | perl | pam-devel" if you have configured yum, you can directly install these packages using yum, in this way, you can check whether the device is installed. Yum-y install gcc * make perl pam pam-devel2download openssh-6.7p1.tar.gz http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz backup ssh: # mv/etc/ssh. bak # openssl version-a3) Build and install the new version of openssh # tar zxf openssh-6.7p1.tar.gz & cd openssh-6.7p1 #. /configure -- prefix =/usr -- sysconfdir =/etc/ssh -- with-pam -- with-zlib -- with-md5-passwords # make uninstall the old version of openssh first, then make install # rpm -Qa | grep openssh # rpm-e 'rpm-qa | grep openssh 'Openssh-askpass is used to enter a password in the graphic interface. You do not need to install it. # make install 4) check whether to upgrade to the new version. 5) copy the startup script to/etc/init. d # cp/root/openssh-6.7p1/contrib/RedHat/sshd. init/etc/init. d/sshd add to start automatically # chkconfig -- add sshd6) start sshd and use start or reload. Do not restart. restart will disconnect directly, but will not start the sshd service. In this case, you need to enter the machine through other channels and then start the sshd service. 4. Delete dropbear. The terminal software re-opens a tag, Here Dropbear is used to prevent the upgrade from being successful, used to replace openssh to connect to the server. When port 2222 is enabled (the port at dropbear startup can be set to another), The xshell connection method is ssh 192.168.0.1 2222 (192.168.0.1 is the ip address of the server to be connected) delete the dropbear Installation File and kill the process # rm-rf/etc/dropbear/usr/local/sbin/dropbear/usr/local/bin/dropbear *