Linux OpenSSH upgrade and problem summary

Source: Internet
Author: User
Tags: hmac, md5, openssl, openssl version, sha1

OpenSSH had to be upgraded to OpenSSH_7.1p2 because a third-party monitoring product scanning the Linux hosts reported SSH vulnerabilities in the installed version.


System version:

[root@db ~]# uname -a
Linux db 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@db ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)


Upgrade steps:

1. Verify the existing version

[root@db 1]# yum install pam-devel

[root@db 1]# pwd
/home/1
[root@db 1]# ls
openssh-7.1p2  openssl-1.1.0-pre3  zlib-1.2.8
[root@db 1]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips    <<<-- current SSH version
[root@db 1]# openssl version
OpenSSL 1.0.1e-fips Feb 2013
[root@db 1]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@db 1]# rpm -qa | grep openssl
openssl-1.0.1e-15.el6.x86_64
[root@db 1]# rpm -qa | grep openssh
openssh-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64

2. Uninstall the existing version

[root@db 1]# rpm -e `rpm -qa | grep openssh`
error: Failed dependencies:
	openssh-clients is needed by (installed) python-meh-0.12.1-3.el6.noarch
[root@db 1]# rpm -e `rpm -qa | grep openssl` --nodeps
[root@db 1]# rpm -e firstboot-1.110.15-1.el6.x86_64
[root@db 1]# rpm -e python-meh-0.12.1-3.el6.noarch
[root@db 1]# rpm -e `rpm -qa | grep openssh`
[root@db 1]# yum install firstboot
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   libssl.so.10: cannot open shared object file: No such file or directory

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.6.6 (r266:84292, Sep  4 2013, 07:46:00)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-3)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

The yum failure is a direct consequence of removing the openssl package with --nodeps: yum's Python modules are linked against libssl.so.10, which that package provided. The package is reinstalled from the installation media in step 4 below, which is the simplest way to recover.


3. Install zlib and OpenSSL

[root@db 1]# cd zlib-1.2.8/
[root@db zlib-1.2.8]# ls
[root@db zlib-1.2.8]# ./configure --prefix=/usr/local/zlib
[root@db zlib-1.2.8]# make && make install
[root@db zlib-1.2.8]# cd ../openssl-1.1.0-pre3/
[root@db openssl-1.1.0-pre3]# ./config --prefix=/usr/local/openssl
[root@db openssl-1.1.0-pre3]# make && make install


4. Install OpenSSH

[root@db openssl-1.1.0-pre3]# cd ../openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking for gcc... gcc
...
configure: error: *** OpenSSL headers missing - please install first or check config.log ***


[root@db openssh-7.1p2]# rpm -qa | grep pam
pam-1.1.1-17.el6.x86_64
pam-devel-1.1.1-17.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
pam-devel-1.1.1-17.el6.i686
fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
pam-1.1.1-17.el6.i686
gnome-keyring-pam-2.28.2-8.el6_3.x86_64
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib ^C


[root@db openssh-7.1p2]# rpm -ivh /media/rhel/packages/openssl-1.0.1e-15.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openssl                ########################################### [100%]

[root@db openssh-7.1p2]# rpm -ivh openssl-1.0.1e-15.el6.x86_64.rpm
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking for gcc... gcc
...
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
[root@db openssh-7.1p2]# openssl version -a
OpenSSL 1.0.1e-fips Feb 2013
built on: Fri Sep 10:09:12 EDT 2013
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2M -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic
[root@db openssh-7.1p2]#
[root@db openssh-7.1p2]# rpm -qa | grep gcc
gcc-4.4.7-4.el6.x86_64
gcc-c++-4.4.7-4.el6.x86_64
libgcc-4.4.7-4.el6.x86_64
libgcc-4.4.7-4.el6.i686
[root@db openssh-7.1p2]# rpm -qa | grep openssl-devel
[root@db openssh-7.1p2]# cd /media/rhel/packages/
[root@db packages]# rpm -ivh openssl-devel-1.0.1e-15.el6.x86_64.rpm
error: Failed dependencies:
	krb5-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
	zlib-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
[root@db packages]# rpm -ivh krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm
error: Failed dependencies:
	keyutils-libs-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
	libcom_err-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
	libselinux-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
[root@db packages]# rpm -ivh keyutils-libs-devel
error: open of keyutils-libs-devel failed: No such file or directory
[root@db packages]# rpm -ivh keyutils-libs-devel-1.4-4.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:keyutils-libs-devel    ########################################### [100%]
[root@db packages]# rpm -ivh libcom_err-devel-1.41.12-18.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:libcom_err-devel       ########################################### [100%]
[root@db packages]# rpm -ivh libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm
error: Failed dependencies:
	libsepol-devel >= 2.0.32-1 is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
	pkgconfig(libsepol) is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
[root@db packages]# yum install libsepol-devel

The "OpenSSL headers missing" error came from the absent openssl-devel package, not from the compiler. Once the openssl-devel dependency chain is installed, configure succeeds:

[root@db packages]# cd /home/1/openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib

[root@db openssh-7.1p2]# make && make install


5. Set up the SSH service

[root@db openssh-7.1p2]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@db openssh-7.1p2]# chmod u+x /etc/init.d/sshd
[root@db openssh-7.1p2]# chkconfig --add sshd

[root@db 1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@db 1]# service sshd start
/etc/init.d/sshd: line: /usr/bin/ssh-keygen: No such file or directory
Starting sshd: [  OK  ]
[root@db 1]# find / -name ssh
/etc/ssh
/usr/local/openssh/bin/ssh
/home/1/openssh-7.1p2/ssh
[root@db 1]# /usr/local/openssh/bin/ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013
[root@db 1]# cp /usr/local/openssh/bin/ssh /usr/bin/

Note that the new binary still reports OpenSSL 1.0.1e-fips: it was linked against the system OpenSSL from the openssl-devel package installed in step 4, not against the OpenSSL 1.1.0-pre3 built under /usr/local/openssl in step 3. The init script's complaint about /usr/bin/ssh-keygen is because the old openssh-clients package provided that path and the new build installed ssh-keygen under /usr/local/openssh/bin; it is fixed in the next step.


6. Verify the upgraded version and restart the service to test it

[root@db 1]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013
[root@db 1]#
[root@db 1]#
[root@db 1]# service sshd restart
Stopping sshd: [  OK  ]
/etc/init.d/sshd: line: /usr/bin/ssh-keygen: No such file or directory
Starting sshd: [  OK  ]

[root@db ~]# cd /usr/local/openssh/bin
[root@db bin]# ls
scp  sftp  slogin  ssh  ssh-add  ssh-agent  ssh-keygen  ssh-keyscan
[root@db bin]# cp ssh-keygen /usr/bin/
[root@db bin]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
[root@db bin]#
[root@db bin]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013

7. Allow the root user to log in remotely

[root@db ~]# cat /etc/ssh/sshd_config
# Authentication:
...
#LoginGraceTime 2m
PermitRootLogin yes

This is needed because OpenSSH 7.0 changed the default PermitRootLogin from yes to prohibit-password. Setting it back to yes re-exposes root to password guessing over SSH; logging in as an unprivileged user and using sudo, or at least restricting root to key-based authentication, is the safer choice.




8. SecureCRT cannot upload files: solution

In /etc/ssh/sshd_config change

Subsystem sftp /usr/libexec/openssh/sftp-server

to

Subsystem sftp internal-sftp

After restarting sshd, SFTP works properly. The old path belonged to the removed openssh-server RPM; the source build installs its sftp-server under /usr/local/openssh/libexec/, so either point the Subsystem line there or use the in-process internal-sftp as above.



9. Problem after the upgrade

Connecting with the SecureCRT SSH client works normally, but the system can no longer be reached remotely with other tools.

Workaround (an online solution found by the author): modify the sshd configuration file /etc/ssh/sshd_config and add the following to it:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

The cause of the problem is the OpenSSH upgrade itself: for security reasons the new version no longer enables some of the old algorithms by default, so we add them back manually. Keep in mind that this re-enables CBC-mode ciphers, arcfour, MD5 and truncated MACs and diffie-hellman-group1-sha1, which are exactly the algorithms the upgrade was meant to retire; the cleaner fix is to update the client tools, and the lists should be trimmed back once that is done.

Whether all three lines or only the last one are added, restarting the service fails with the following error:

[root@db ~]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: Unsupported KEX algorithm "ecdh-sha2-nistp521"
/etc/ssh/sshd_config line 137: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org'.
[FAILED]
[root@db ~]#

ecdh-sha2-nistp521 is rejected because this sshd is linked against the system OpenSSL 1.0.1e (see the ssh -V output above), whose Red Hat build does not provide the P-521 curve; the P-256 and P-384 entries are accepted.

Modified as follows:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org (ecdh-sha2-nistp521 removed from this line)

Start the sshd service:
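The restart failure above could have been caught before touching the running service. The following shell script is an added example written for this page, not part of the original post: it reads the Ciphers/MACs/KexAlgorithms lines of an sshd_config fragment, reports any entry the built sshd does not support (here ecdh-sha2-nistp521) and flags the legacy algorithms that were re-enabled. The config fragment and the supported-algorithm lists are constructed samples; on a real host the lists come from ssh -Q cipher, ssh -Q mac and ssh -Q kex.

```shell
# Constructed sshd_config fragment: a shortened form of the three lines added in step 9.
SAMPLE_CONFIG='Ciphers aes128-cbc,aes256-ctr,arcfour,blowfish-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp521,curve25519-sha256@libssh.org'

# Constructed supported sets for a build whose OpenSSL lacks the P-521 curve.
# On a real host use "$(ssh -Q cipher | tr '\n' ' ')" and likewise "ssh -Q mac", "ssh -Q kex".
SUPPORTED_cipher='aes128-cbc aes256-ctr arcfour blowfish-cbc'
SUPPORTED_mac='hmac-md5 hmac-sha1 umac-64@openssh.com'
SUPPORTED_kex='diffie-hellman-group1-sha1 ecdh-sha2-nistp256 curve25519-sha256@libssh.org'

# Print the comma-separated value of keyword $2 from the config text in $1 (keywords are case-insensitive).
config_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Entries of the comma-separated list $1 that are missing from the space-separated set $2.
unsupported_entries() {
    out=''
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in *" $entry "*) ;; *) out="$out $entry" ;; esac
    done
    printf '%s' "${out# }"
}

# Entries of $1 that are legacy algorithms OpenSSH 7.x disables by default (CBC, arcfour, MD5/96-bit MACs, group1).
legacy_entries() {
    out=''
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in *-cbc|arcfour*|hmac-md5*|*-96|hmac-ripemd160|diffie-hellman-group1-sha1) out="$out $entry" ;; esac
    done
    printf '%s' "${out# }"
}

# Report on keyword $2 of config $1 against supported set $3; returns 1 if any entry would make sshd refuse to start.
check_keyword() {
    val=$(config_value "$1" "$2")
    legacy=$(legacy_entries "$val")
    bad=$(unsupported_entries "$val" "$3")
    [ -n "$legacy" ] && echo "$2: legacy algorithms re-enabled (weak): $legacy"
    [ -z "$bad" ] || { echo "$2: not supported by this sshd, remove before restart: $bad"; return 1; }
    return 0
}

# Stand-alone run over the constructed sample; the KexAlgorithms line reproduces the restart failure.
check_keyword "$SAMPLE_CONFIG" Ciphers "$SUPPORTED_cipher"
check_keyword "$SAMPLE_CONFIG" MACs "$SUPPORTED_mac"
check_keyword "$SAMPLE_CONFIG" KexAlgorithms "$SUPPORTED_kex" || echo "fix sshd_config before running service sshd restart"
```

On the real host, running the new daemon in test mode (/usr/local/openssh/sbin/sshd -t) before the restart reports the same "Bad SSH2 KexAlgorithms" error without stopping the running service.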

